Configure OpenID Connect with Kong Oauth2 token authentication
Using the OpenID Connect plugin, set up the OAuth2 authentication workflow with the OAuth2 plugin to retrieve and verify tokens from Kong Gateway, then use them with an IdP.
Prerequisites
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
-
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'Copied to clipboard! -
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATACopied to clipboard!Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
Create a Consumer with OAuth2 credentials
First, create a Consumer and assign OAuth2 credentials to them. We’ll use these credentials to generate access tokens.
echo '
_format_version: "3.0"
consumers:
- username: alex
oauth2_credentials:
- client_secret: secret
client_id: client
hash_secret: true
name: oauth2-app
' | deck gateway apply -
Enable the OAuth2 plugin
The OAuth2 plugin adds an OAuth 2.0 authentication layer to Kong Gateway and lets you generate access tokens for Consumers.
First, you’ll need a key to provision the plugin. Generate a UUID and export it to an environment variable:
export DECK_PROVISION_KEY=$(uuidgen)
Apply the OAuth2 plugin to the example-route Route you created in the prerequisites:
echo '
_format_version: "3.0"
plugins:
- name: oauth2
route: example-route
config:
global_credentials: true
enable_client_credentials: true
provision_key: "${{ env "DECK_PROVISION_KEY" }}"
' | deck gateway apply -
Enable the OpenID Connect plugin with Kong OAuth token authentication
Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin with Kong OAuth token authentication.
Enable the OpenID Connect plugin on the example-service Service:
echo '
_format_version: "3.0"
plugins:
- name: openid-connect
service: example-service
config:
issuer: "${{ env "DECK_ISSUER" }}"
client_id:
- "${{ env "DECK_CLIENT_ID" }}"
client_secret:
- "${{ env "DECK_CLIENT_SECRET" }}"
client_auth:
- client_secret_post
auth_methods:
- kong_oauth2
bearer_token_param_type:
- header
' | deck gateway apply -
In this example:
-
issuer,client ID,client secret, andclient auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app). -
auth_methods: Specifies that the plugin should use Kong’s OAuth2 token for authentication. -
bearer_token_param_type: Restricts token lookup to the request headers only.
Note: Setting
config.client_authtoclient_secret_postlets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.
Retrieve the access token
Retrieve the token from the OAuth token endpoint:
curl -X POST --insecure https://localhost:8443/anything/oauth2/token \
--data "client_id=client" \
--data "client_secret=secret" \
--data "grant_type=client_credentials"
You should see an access-token in the response.
Export the token to an environment variable:
export ACCESS_TOKEN='YOUR_ACCESS_TOKEN'
Validate the access token flow
Now, validate the setup by accessing the example-route Route and passing the bearer token you received from the Kong OAuth plugin:
curl -i -X GET "http://localhost:8000/anything" \
-H "Authorization: Bearer $ACCESS_TOKEN"
If Kong Gateway successfully authenticates with Keycloak, you’ll see a 200 response with your bearer token in the Authorization header.
If you make another request using the same credentials, you’ll see that Kong Gateway adds less latency to the request because it has cached the token endpoint call to Keycloak:
X-Kong-Proxy-Latency: 25
Cleanup
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d