Configure OpenID Connect with ACL authorization

Uses: Kong Gateway decK
TL;DR

Using the OpenID Connect and ACL plugins, set up any type of authentication (the password grant, in this guide) and enable authorization through ACL groups.

Prerequisites

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'
    
    Copied to clipboard!
  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
    
    Copied to clipboard!

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
     export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
     export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
     export KONNECT_PROXY_URL='http://localhost:8000'
    
    Copied to clipboard!

    Copy and paste these into your terminal to configure your session.

Enable the OpenID Connect plugin

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin. In this example, we’re using the simple password grant with authenticated groups.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER" }}"
      client_id:
      - "${{ env "DECK_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_CLIENT_SECRET" }}"
      client_auth:
      - client_secret_post
      auth_methods:
      - password
      authenticated_groups_claim:
      - scope
' | deck gateway apply -
Copied to clipboard!

In this example:

  • issuer, client ID, client secret, and client auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
  • auth_methods: Specifies that the plugin should use the password grant, for easy testing.
  • authenticated_groups_claim: Looks for a groups claim in an ACL.

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Validate the OpenID Connect plugin configuration

Request the Service with the basic authentication credentials created in the prerequisites:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -u alex:doe
Copied to clipboard!

You should get an HTTP 200 response with an X-Authenticated-Groups header:

"X-Authenticated-Groups": "openid, email, profile"

Enable the ACL plugin and verify

Let’s try denying access to the openid group first:

echo '
_format_version: "3.0"
plugins:
  - name: acl
    service: example-service
    config:
      deny:
      - openid
' | deck gateway apply -
Copied to clipboard!

Try to access the /anything Route:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -u alex:doe
Copied to clipboard!

You should get a 403 Forbidden error code with the message You cannot consume this service.

Now let’s allow access to the openid group:

echo '
_format_version: "3.0"
plugins:
  - name: acl
    service: example-service
    config:
      allow:
      - openid
' | deck gateway apply -
Copied to clipboard!

And try accessing the /anything Route again:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -u alex:doe
Copied to clipboard!

This time, you should get a 200 response.

Cleanup

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Did this doc help?

Something wrong?

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!