Home / How-to Guides
Edit
Report

Configure OpenID Connect with the password grant

Uses: Kong Gateway decK
Related Documentation
All Gateway Documentation
All decK Documentation
Tags
#authentication #openid-connect
Related Resources
OpenID Connect in Kong Gateway
Authentication in Kong Gateway
OpenID Connect authentication flows and grants
Password grant workflow
OpenID Connect tutorials
Minimum Version
Kong Gateway - 3.4
TL;DR

Using the OpenID Connect plugin, set up the password grant flow to connect to an identity provider (IdP) by passing a username and password in a header.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'
    Copied to clipboard!

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
    Copied to clipboard!

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'
    Copied to clipboard!

    Copy and paste these into your terminal to configure your session.

Enable the OpenID Connect plugin with the password grant

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin with the password grant.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER" }}"
      client_id:
      - "${{ env "DECK_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_CLIENT_SECRET" }}"
      client_auth:
      - client_secret_post
      auth_methods:
      - password
      password_param_type:
      - header
' | deck gateway apply -
Copied to clipboard!

In this example:

  • issuer, client ID, client secret, and client auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
  • auth_methods: Specifies that the plugin should use the password grant for authentication.
  • password_param_type: Restricts username and password lookup to request headers only.

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Validate the password grant

Now, validate the setup by accessing the example-route Route and passing the user credentials in username:password format. The following user has the username alex and the password doe:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -u alex:doe
Copied to clipboard!

If Kong Gateway successfully authenticates with Keycloak, you’ll see a 200 response with your bearer token in the Authorization header.

If you make another request using the same credentials, you’ll see that Kong Gateway adds less latency to the request because it has cached the token endpoint call to Keycloak:

X-Kong-Proxy-Latency: 25

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Did this doc help?

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support