Configure OpenID Connect with claims-based authorization
Use the OpenID Connect plugin to look for specific claims in a token payload, and only allow users with the right claims access to a given resources.
Set up any type of authentication (the password grant, in this guide) and enable claims-based authorization by pointing to claims to look for in the authorization request.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'Copied! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputCopied!This sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copied!Copy and paste these into your terminal to configure your session.
Enable the OpenID Connect plugin with claims-based authorization
Using the Keycloak and Kong Gateway configuration from the prerequisites,
set up an instance of the OpenID Connect plugin. In this example, we’re using the simple password grant with the scopes_claim and scopes_required claims pair.
Enable the OpenID Connect plugin on the example-service Service:
echo '
_format_version: "3.0"
plugins:
- name: openid-connect
service: example-service
config:
issuer: "${{ env "DECK_ISSUER" }}"
client_id:
- "${{ env "DECK_CLIENT_ID" }}"
client_secret:
- "${{ env "DECK_CLIENT_SECRET" }}"
client_auth:
- client_secret_post
auth_methods:
- password
- bearer
scopes_claim:
- scope
scopes_required:
- openid
' | deck gateway apply -
In this example:
-
issuer,client ID,client secret, andclient auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app). -
auth_methods: Password grant, for easy testing, and the bearer grant so that we can authenticate using the JWT that we retrieve. -
scopes_claimandscopes_required: Looks for a claim namedscopein the payload, and checks that the scope containsopenid.
Note: Setting
config.client_authtoclient_secret_postlets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.
Retrieve the bearer token
Check that you can recover the token by requesting the Service with the basic authentication credentials created in the prerequisites:
curl -i -X GET "$KONNECT_PROXY_URL/anything" \
-u alex:doe
curl -i -X GET "http://localhost:8000/anything" \
-u alex:doe
You’ll see an Authorization header in the response.
Export the value of the header to an environment variable:
export TOKEN=YOUR_BEARER_TOKEN
Validate the token
Now, validate the setup by accessing the example-route Route and passing the token from the previous step:
curl -i -X GET "$KONNECT_PROXY_URL/anything" \
-H "Authorization: $TOKEN"
curl -i -X GET "http://localhost:8000/anything" \
-H "Authorization: $TOKEN"
If Kong Gateway successfully authenticates with Keycloak, you’ll see a 200 response with your bearer token in the Authorization header.
If you make another request using the same credentials, you’ll see that Kong Gateway adds less latency to the request because it has cached the token endpoint call to Keycloak:
X-Kong-Proxy-Latency: 25
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.