OAuth 2.0 Introspection

Enterprise only

Kong Identity v1.0+

Configure the plugin to use a Kong Identity auth server’s introspection endpoint to validate an access token. For a complete tutorial, see Configure the OAuth 2.0 Introspection plugin with Kong Identity.

Environment variables

  • AUTHORIZATION_HEADER_VALUE: The value to set for the Authorization header used to access the introspection endpoint. For Kong Identity, this is a Basic auth header containing your Base64-encoded client ID and secret: Basic $ENCODED_CREDENTIALS.

  • INTROSPECTION_URL: The full URL of the introspection endpoint. For Kong Identity, it looks like https://a93xltvowjk8m1qe.us.identity.konghq.com/auth/introspect.

  • CLAIM_NAME: The name of your claim in the Kong Identity auth server.

Set up the plugin

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "oauth2-introspection",
      "config": {
        "introspection_url": "'$INTROSPECTION_URL'",
        "authorization_value": "'$AUTHORIZATION_HEADER_VALUE'",
        "consumer_by": "client_id",
        "custom_claims_forward": [
          "'$CLAIM_NAME'"
        ]
      }
    }
    '

Make sure to replace the following placeholders with your own values:

  • region: Geographic region where your Kong Konnect is hosted and operates.

  • controlPlaneId: The ID of the control plane.

  • KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.
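The following is an added example, not Kong's plugin source or part of the original page. It models the RFC 7662 introspection exchange that the oauth2-introspection plugin performs with the configuration above: building the Basic Authorization header from a client ID and secret (AUTHORIZATION_HEADER_VALUE), refusing a non-HTTPS introspection URL (the request carries both the client secret and the end user's token), and applying the `consumer_by: client_id` and `custom_claims_forward` policy to a sample introspection response. All values (client credentials, host, claim name, the X-Claim- header prefix and the sample responses) are constructed placeholders, not Kong Identity values.

```python
# Added example (not Kong's plugin source): models the RFC 7662 introspection
# exchange that the oauth2-introspection plugin performs, using constructed
# values in place of the page's environment variables.
import base64
import json
from urllib.parse import urlencode, urlparse

# Constructed sample values standing in for the page's environment variables.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
INTROSPECTION_URL = "https://example.identity.invalid/auth/introspect"  # placeholder host
CLAIM_NAME = "department"
# The header prefix for forwarded claims is this example's choice, not the plugin's.
FORWARD_HEADER_PREFIX = "X-Claim-"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build AUTHORIZATION_HEADER_VALUE: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_introspection_request(introspection_url: str, authorization_value: str, token: str) -> dict:
    """Describe the POST the gateway sends to the auth server for each incoming access token."""
    if urlparse(introspection_url).scheme != "https":
        # The request carries the client secret and the user's token; never send it in clear.
        raise ValueError("introspection_url must use https")
    return {
        "method": "POST",
        "url": introspection_url,
        "headers": {
            "Authorization": authorization_value,
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        # RFC 7662 request body: the token under test plus an optional type hint.
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def evaluate_introspection(response_body: str, claim_names, consumer_by: str = "client_id"):
    """Apply the configured policy to an introspection response.

    Returns (allowed, consumer_identifier, headers_to_forward).
    """
    data = json.loads(response_body)
    # RFC 7662: only an explicit "active": true means the token is valid;
    # a missing field, false, or any other value is a denial.
    if data.get("active") is not True:
        return False, None, {}
    # consumer_by="client_id": the client_id claim identifies the Kong consumer.
    consumer = data.get(consumer_by)
    # custom_claims_forward: copy only the listed claims upstream; absent claims are skipped,
    # so an upstream service never receives a header it could mistake for an asserted value.
    forwarded = {FORWARD_HEADER_PREFIX + name: str(data[name]) for name in claim_names if name in data}
    return True, consumer, forwarded


# Constructed introspection responses, shaped as an auth server would return them.
ACTIVE_RESPONSE = json.dumps({"active": True, "client_id": "example-client-id",
                              "scope": "read", "department": "payments", "exp": 1700000000})
INACTIVE_RESPONSE = json.dumps({"active": False})

if __name__ == "__main__":
    auth = basic_auth_header(CLIENT_ID, CLIENT_SECRET)
    req = build_introspection_request(INTROSPECTION_URL, auth, "opaque-access-token")
    print(req["headers"]["Authorization"], req["body"])
    print(evaluate_introspection(ACTIVE_RESPONSE, [CLAIM_NAME]))    # allowed, consumer, forwarded claim
    print(evaluate_introspection(INACTIVE_RESPONSE, [CLAIM_NAME]))  # denied: (False, None, {})
```

Two points worth keeping in mind when reading the plugin configuration against this model: the introspection response is only trusted because the call itself is authenticated with the client credentials and protected by TLS, which is why both AUTHORIZATION_HEADER_VALUE and an https INTROSPECTION_URL are required; and only claims listed in custom_claims_forward reach the upstream, so list exactly those the upstream needs.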
