Skip to content
Kong Logo | Kong Docs Logo
search
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Gateway
3.5.x (latest)
  • Home icon
  • Kong Gateway
  • Kong Manager
  • Authentication and Authorization
  • OpenID Connect
  • Enable OIDC for Kong Manager
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.5.x (latest)
  • 3.4.x
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • Archive (pre-2.6)
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Set up RBAC with OIDC
  • Create an admin
  • Assign a role to the admin

Enable OIDC for Kong Manager

Kong Gateway offers the ability to bind authentication for Kong Manager admins to an organization’s OpenID Connect Identity Provider using the OpenID Connect Plugin.

Note: By using the configuration below, it is unnecessary to manually enable the plugin. The configuration alone will enable OIDC for Kong Manager.

Set up RBAC with OIDC

The following is an example using Google as the IdP and serving Kong Manager from its default URL, http://127.0.0.1:8002.

The admin_gui_auth_config value must be valid JSON. The following is an example of the configuration:

enforce_rbac = on
admin_gui_auth=openid-connect
admin_gui_session_conf = { "secret":"set-your-string-here" }
admin_gui_auth_conf={                                      \
  "issuer": "https://accounts.google.com/",                \
  "client_id": ["<ENTER_YOUR_CLIENT_ID>"],                 \
  "client_secret": ["<ENTER_YOUR_CLIENT_SECRET_HERE>"],    \
  "admin_claim": ["email"],                                \
  "redirect_uri": ["http://localhost:8002/default"],       \
}

While authenticating Kong Manager with OpenID Connect, make sure that your IdP supports the authorization_code grant type and is enabled for the associated client.

The following are configuration parameters in admin_gui_auth_conf for openid-connect:

parameter data type default value notes
issuer
required
String “input issuer” A string representing a URL
client_id
required
Array [“input client id”] The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
client_secret
required
Array [“input client secret”] The client secret.
redirect_uri
required
Array [“input http://ip:8002/default”] The redirect URI passed to the authorization and token endpoints.
authenticated_groups_claim
required
Array [“groups”] The claim that contains authenticated groups.
admin_claim
required
Array [“email”] Retrieve the field as a username.
admin_auto_create
optional
Boolean true This parameter is used to enable the automatic creation of administrators.
ssl_verify
optional
Boolean false Verify identity provider server certificate.

The Sessions plugin (configured with admin_gui_session_conf) requires a secret and is configured securely by default.

  • Under all circumstances, the secret must be manually set to a string.
  • If using HTTP instead of HTTPS, cookie_secure must be manually set to false.
  • If using different domains for the Admin API and Kong Manager, cookie_same_site must be set to Lax.

Learn more about these properties in Session Security in Kong Manager, and see example configurations.

Replace the entries surrounded by <> with values that are valid for your IdP. For example, Google credentials can be found here: https://console.cloud.google.com/projectselector/apis/credentials

Create an admin

Create an admin that has a username matching the email returned from the identity provider upon successful login:

curl -i -X POST http://localhost:8001/admins \
  --data username="<admin_email>" \
  --data email="<admin_email>" \
  --header Kong-Admin-Token:<RBAC_TOKEN>

For example, if a user has the email address example_user@example.com:

curl -i -X POST http://localhost:8001/admins \
  --data username="example_user@example_com" \
  --data email="example_user@example.com" \
  --header Kong-Admin-Token:<RBAC_TOKEN>

Note: The email entered for the admin in the request is used to ensure the admin receives an email invitation, whereas username is the attribute that the plugin uses with the IdP.

Assign a role to the admin

Assign the new admin at least one role so they can log in and access Kong entities:

curl -i -X POST http://localhost:8001/admins/<admin_email>/roles \
  --data roles="<role-name>" \
  --header Kong-Admin-Token:<RBAC_TOKEN>

For example, to grant example_user@example.com the role of super admin:

curl -i -X POST http://localhost:8001/admins/example_user@example.com/roles \
  --data roles="super-admin" \
  --header Kong-Admin-Token:<RBAC_TOKEN>
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Gateway Enterprise Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2023