Configure OpenID Connect with the authorization code flow
Using the OpenID Connect plugin, set up the auth code flow to connect to an identity provider (IdP) through a browser, and use session authentication to store open sessions. You can do this by specifying authorization_code and session in the config.auth_methods plugin settings.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'Copied to clipboard! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputCopied to clipboard!This sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copied to clipboard!Copy and paste these into your terminal to configure your session.
Enable the OpenID Connect plugin with the auth code flow
Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin with the auth code flow and session authentication.
Enable the OpenID Connect plugin on the example-service Service:
echo '
_format_version: "3.0"
plugins:
- name: openid-connect
service: example-service
config:
issuer: "${{ env "DECK_ISSUER" }}"
client_id:
- "${{ env "DECK_CLIENT_ID" }}"
client_secret:
- "${{ env "DECK_CLIENT_SECRET" }}"
client_auth:
- client_secret_post
auth_methods:
- authorization_code
- session
response_mode: form_post
preserve_query_args: true
login_action: redirect
login_tokens:
authorization_endpoint: http://localhost:8080
' | deck gateway apply -
In this example:
-
issuer,client ID,client secret, andclient auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app). -
auth_methods: Specifies that the plugin should use session auth and the authorization code flow. -
response_mode: Set toform_postso that authorization codes won’t get logged to access logs. -
preserve_query_args: Preserves the original request query arguments through the authorization code flow redirection. -
login_action: Redirects the client to the original request URL after the authorization code flow. This turns the POST request into a GET request, and the browser address bar is updated with the original request query arguments. -
login_tokens: Configures the plugin so that tokens aren’t included in the browser address bar. -
authorization_endpoint: Sets a custom endpoint for authorization, overriding the endpoint returned by discovery through the IdP. We need this setting because we’re running the example through Docker, otherwise the discovery endpoint will try to access an internal Docker host.
Validate authorization code login
Access the Route you configured in the prerequisites with some query arguments. In a new browser tab, navigate to the following:
http://localhost:8000/anything?hello=world
The browser should be redirected to the Keycloak login page.
Let’s check what happens if you access the same URL using cURL:
curl -i -X GET "$KONNECT_PROXY_URL/anything?hello=world"
curl -i -X GET "http://localhost:8000/anything?hello=world"
You should see a 302 response with the session access token in the response, and a Location header that shows where the request is being redirected to.
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.