Configure OpenID Connect with claims-based authorization

Uses: Kong Gateway deck

Deployment Platform:

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Export your token to an environment variable:
```
 export KONNECT_TOKEN='YOUR_KONNECT_PAT'
```
Copied to clipboard!
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
```
 curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
```
Copied to clipboard!
This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:
```
 export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'
```
Copied to clipboard!
Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

Export your license to an environment variable:
```
 export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
```
Copied to clipboard!
Run the quickstart script:
```
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA 
```
Copied to clipboard!
Once Kong Gateway is ready, you will see the following message:
```
 Kong Gateway Ready
```

decK

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

Run the following command:

echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

      
        
      
    
Copied to clipboard!

To learn more about entities, you can read our entities documentation.

Set up Keycloak

This tutorial requires an identity provider (IdP). If you don’t have one, you can use Keycloak. The steps will be similar in other standard identity providers.

Create a client

Install Keycloak (version 26 or later) on your platform.

For example, you can use the Keycloak Docker image:

 docker run -p 127.0.0.1:8080:8080 \
   -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
   -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
   quay.io/keycloak/keycloak start-dev

Copied to clipboard!

Open the admin console.

The default URL of the console is http://$YOUR_KEYCLOAK_HOST:8080/admin/master/console/.
In the sidebar, open Clients, then click Create client.
Configure the client:

Section	Settings
General settings	Client type: OpenID Connect Client ID: any unique name, for example `kong`
Capability config	Toggle Client authentication to on Make sure that Standard flow, Direct access grants, and Service accounts roles are checked.
Login settings	Valid redirect URIs: `http://localhost:8000/*`

Set up keys and credentials

In your client, open the Credentials tab.
Set Client Authenticator to Client ID and Secret.
Copy the Client Secret.
Switch to the Users menu and add a user.
Open the user’s Credentials tab and add a password. Be sure to disable Temporary Password.

In this guide, we’re going to use an example user named alex with the password doe.

Export to environment variables

Export your client secret, client ID, and issuer URL to environment variables so that you can pass them more securely. For example:

export DECK_ISSUER="http://host.docker.internal:8080/realms/master"
export DECK_CLIENT_ID="kong"
export DECK_CLIENT_SECRET="UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW"

Copied to clipboard!

export DECK_ISSUER="http://host.docker.internal:8080/realms/master"
export DECK_CLIENT_ID="kong"
export DECK_CLIENT_SECRET="UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW"

Copied to clipboard!

Enable the OpenID Connect plugin with claims-based authorization

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin. In this example, we’re using the simple password grant with the scopes_claim and scopes_required claims pair.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER" }}"
      client_id:
      - "${{ env "DECK_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_CLIENT_SECRET" }}"
      client_auth:
      - client_secret_post
      auth_methods:
      - password
      - bearer
      scopes_claim:
      - scope
      scopes_required:
      - openid
' | deck gateway apply -

      
        
      
    
Copied to clipboard!

In this example:

issuer, client ID, client secret, and client auth: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
auth_methods: Password grant, for easy testing, and the bearer grant so that we can authenticate using the JWT that we retrieve.
scopes_claim and scopes_required: Looks for a claim named scope in the payload, and checks that the scope contains openid.

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Retrieve the bearer token

Check that you can recover the token by requesting the Service with the basic authentication credentials created in the prerequisites:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -u alex:doe

Copied to clipboard!

You’ll see an Authorization header in the response.

Export the value of the header to an environment variable:

export TOKEN=YOUR_BEARER_TOKEN

Copied to clipboard!

Validate the token

Now, validate the setup by accessing the example-route Route and passing the token from the previous step:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -H "Authorization: $TOKEN"

Copied to clipboard!

If Kong Gateway successfully authenticates with Keycloak, you’ll see a 200 response with your bearer token in the Authorization header.

If you make another request using the same credentials, you’ll see that Kong Gateway adds less latency to the request because it has cached the token endpoint call to Keycloak:

X-Kong-Proxy-Latency: 25

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

FAQs

How do I check the scopes being passed in the token payload?

For troubleshooting or debugging purposes, you may want to check the scopes being passed in the payload. The signed JWT access token you receive in the response is composed of three parts, each separated with a dot (.) character: $HEADER.$PAYLOAD.$SIGNATURE. The payload portion contains the scopes information, encoded in base64 format.

Decode the payload in any tool you prefer. For example, you can use base64 and jq:

jq -n --arg p "$PAYLOAD" '$p | @base64d | fromjson'

Copied to clipboard!

The response will contain data about the user, including the scope:

"scope": "openid profile email",
"email_verified": false,
"preferred_username": "alex"

How can I check that I’m able to connect to my IdP?

If you’re running a self-managed Kong Gateway instance, you can check that the OpenID connect plugin is able to access the issuer URL with the /openid-connect/issuers/ endpoint:

curl http://localhost:8001/openid-connect/issuers

Copied to clipboard!

The results should contain the Keycloak OpenID Connect discovery document and keys. If the results only show the issuer URL and ID, then the connection was unsuccessful.