Configure OpenID Connect with the authorization code flow and Okta
Using the OpenID Connect plugin, set up the auth code flow to connect to an identity provider (IdP) through a browser. You must specify your Okta app client ID, client secret, and issuer URL (for example: https://domain.okta.com/oauth2/a36f045h4597) in the OIDC plugin configuration. In addition, you must configure any scopes from Okta as well as the redirect URI you registered in Okta in the plugin configuration.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
- Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
- Export your token to an environment variable:
  export KONNECT_TOKEN='YOUR_KONNECT_PAT'
- Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
  curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
  This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:
  export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
  export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
  export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
  export KONNECT_PROXY_URL='http://localhost:8000'
  Copy and paste these into your terminal to configure your session.
Create an application in Okta
- In Okta, navigate to Applications > Applications in the sidebar.
- Click Create App Integration.
- Select OIDC - OpenID Connect.
- Select Web Application.
- Click Authorization Code for the grant type.
- In both the Sign-in redirect URIs and Sign-out redirect URIs fields, enter a location handled by your Route in Kong Gateway. In this tutorial, it will be your Ngrok host followed by /anything. For example: https://a36f045h4597.ngrok-free.app/anything. Okta compares redirect URIs exactly (scheme, host, and path), so the value you enter here must be identical to the redirect_uri you later configure in the plugin.
- In the Assignments section, for Controlled access, select Skip group assignment for now. You will assign the app to the Okta test user you created in the prerequisites in a later step.
Save your configuration.
Do not select Allow everyone in your organization to access; otherwise, the access token won't be verified against Okta.
- Export the client ID and client secret of your Okta app:
  export DECK_OKTA_CLIENT_ID="YOUR-OKTA-APP-CLIENT-ID"
  export DECK_OKTA_CLIENT_SECRET="YOUR-OKTA-APP-CLIENT-SECRET"
- In the Assignments tab, assign your app to your Okta test user.
Create an authorization server and access policy
- Using your Okta credentials, log in to the Okta portal and click Security > API in the sidebar.
- Create a server named Kong API Management with an audience and description.
- Copy the issuer URL for your authorization server, strip the /.well-known/oauth-authorization-server suffix, and export it as an environment variable:
  export DECK_ISSUER_URL="YOUR-ISSUER-URL"
  It should be formatted like https://domain.okta.com/oauth2/a36f045h4597.
- On the Access Policy tab, create a new access policy and assign the Okta application you just created.
- Add a new rule and configure the following settings:
- Grant type: Authorization Code
- User is: Any user assigned the app
- Scopes requested: Any scopes
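Before exporting DECK_ISSUER_URL it is worth confirming that the value you derived is the issuer the authorization server actually advertises, because the plugin fetches <issuer>/.well-known/openid-configuration and checks tokens against the issuer found there. The following shell script is an added example and not part of the Kong tutorial: it strips the metadata suffix and validates a discovery document. The sample discovery JSON is constructed to mimic the shape of Okta's response, and OKTA_METADATA_URI in the usage comment is a hypothetical variable.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kong tutorial: derive the bare issuer from the
# metadata URL shown on the Okta authorization server page, then check the
# issuer's OIDC discovery document before putting the value in DECK_ISSUER_URL.
set -eu

# Okta shows a Metadata URI ending in /.well-known/oauth-authorization-server;
# the plugin wants only the part in front of it, without a trailing slash.
issuer_from_metadata_url() {
  local url="$1"
  url="${url%/.well-known/oauth-authorization-server}"
  url="${url%/.well-known/openid-configuration}"
  printf '%s' "${url%/}"
}

# Extract one string-valued top-level field from a JSON document on stdin.
# Works for Okta's compact output and for pretty-printed copies; prints
# nothing if the field is absent.
json_string_field() {
  local field="$1"
  grep -oE "\"${field}\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n1 \
    | sed -E 's/^[^:]*:[[:space:]]*"([^"]*)"$/\1/' || true
}

# Read a discovery document from stdin and return 0 only if it advertises
# exactly the issuer we intend to configure plus the grant type and response
# mode used in the plugin config. The plugin builds the discovery URL from
# config.issuer and validates tokens against the issuer it finds there, so
# configuring the org issuer (https://domain.okta.com) for a custom
# authorization server, or leaving the metadata suffix on, fails every login.
check_discovery_doc() {
  local expected="$1" doc advertised
  doc="$(cat)"
  advertised="$(printf '%s' "$doc" | json_string_field issuer)"
  if [ "$advertised" != "$expected" ]; then
    echo "issuer mismatch: discovery says '$advertised', config has '$expected'" >&2
    return 1
  fi
  printf '%s' "$doc" | grep -q '"authorization_code"' \
    || { echo "authorization server does not offer the authorization_code grant" >&2; return 1; }
  printf '%s' "$doc" | grep -q '"form_post"' \
    || { echo "authorization server does not offer response_mode=form_post" >&2; return 1; }
  return 0
}

# Live check (needs network access to your Okta tenant); hypothetical usage:
#   issuer="$(issuer_from_metadata_url "$OKTA_METADATA_URI")"
#   curl -fsS "$issuer/.well-known/openid-configuration" | check_discovery_doc "$issuer" \
#     && export DECK_ISSUER_URL="$issuer"

# Constructed sample in the shape of an Okta discovery document (not a real tenant).
SAMPLE_ISSUER="https://domain.okta.com/oauth2/a36f045h4597"
SAMPLE_DISCOVERY='{"issuer":"https://domain.okta.com/oauth2/a36f045h4597","authorization_endpoint":"https://domain.okta.com/oauth2/a36f045h4597/v1/authorize","token_endpoint":"https://domain.okta.com/oauth2/a36f045h4597/v1/token","jwks_uri":"https://domain.okta.com/oauth2/a36f045h4597/v1/keys","grant_types_supported":["authorization_code","refresh_token"],"response_modes_supported":["query","fragment","form_post"],"scopes_supported":["openid","email","profile"]}'
```

Run the live check against your tenant once; if it reports an issuer mismatch, the most common cause is mixing up the org-level issuer with the custom authorization server's issuer, which produces tokens the plugin will reject.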
Enable the OpenID Connect plugin with the auth code flow
Set up an instance of the OpenID Connect plugin with the auth code flow and session authentication for Okta.
Enable the OpenID Connect plugin on the example-service Service:
echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER_URL" }}"
      client_id:
        - "${{ env "DECK_OKTA_CLIENT_ID" }}"
      client_secret:
        - "${{ env "DECK_OKTA_CLIENT_SECRET" }}"
      redirect_uri:
        - "${{ env "DECK_NGROK_HOST" }}"
      scopes:
        - openid
        - email
        - profile
      auth_methods:
        - authorization_code
      token_endpoint_auth_method: client_secret_basic
      response_mode: form_post
' | deck gateway apply -
In this example:
- issuer, client_id, client_secret, and token_endpoint_auth_method: Settings that connect the plugin to your IdP (in this case, Okta). The plugin uses the issuer to fetch the OIDC discovery document and the signing keys it needs to validate tokens, and client_secret_basic tells it to send the client credentials in an HTTP Basic Authorization header when it exchanges the code at the token endpoint.
- redirect_uri: The URI Okta sends the browser back to with the authorization code. It must match a Sign-in redirect URI registered on the Okta app exactly (scheme, host, and path); otherwise Okta rejects the authorization request before the login page is shown.
- auth_methods: Specifies that the plugin should use the authorization code flow.
- response_mode: Set to form_post so that Okta delivers the authorization code in the body of a POST request rather than in the query string, where it would end up in access logs and browser history.
Validate authorization code login
Access the Route you configured in the prerequisites. In a new browser tab, navigate to the following:
open $DECK_NGROK_HOST
The URL you open must be served by the Route the plugin protects. The browser should be redirected to the Okta login page, and you should be able to log in with the Okta test user you assigned to the app. After a successful login, Okta posts the authorization code to the redirect URI, the plugin exchanges it for tokens at Okta's token endpoint using the client secret, and subsequent requests in the same session are proxied to the upstream without another login. If Okta shows an error page instead of the login form, check that the plugin's redirect_uri is identical to the Sign-in redirect URI registered on the Okta app.
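You can verify that the plugin starts the authorization code flow with the intended parameters without clicking through the login: the first response to an unauthenticated request is a redirect whose Location header carries everything the plugin asked Okta for. The script below is an added example, not part of the Kong tutorial. The sample Location header, client ID, state and nonce values are constructed for illustration, and the /anything path in the usage comment assumes the Route from the prerequisites.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kong tutorial: check that an unauthenticated
# request to the protected Route is answered with a redirect to Okta's
# authorization endpoint that carries the parameters the plugin config implies.
set -eu

# Decode percent-escapes (and '+') in a query-string value, portably.
urldecode() {
  local s="$1" out="" hex
  while [ -n "$s" ]; do
    case "$s" in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex="${s#%}"; hex="${hex%"${hex#??}"}"
        out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")"
        s="${s#???}" ;;
      +*) out="$out "; s="${s#+}" ;;
      *)  out="$out${s%"${s#?}"}"; s="${s#?}" ;;
    esac
  done
  printf '%s' "$out"
}

# Print the decoded value of one query parameter of a URL; prints nothing if
# the parameter is absent.
query_param() {
  local url="$1" name="$2" query
  query="${url#*\?}"
  [ "$query" != "$url" ] || return 0
  printf '%s\n' "${query%%#*}" | tr '&' '\n' | while IFS='=' read -r k v; do
    if [ "$k" = "$name" ]; then
      urldecode "$v"
      printf '\n'
    fi
  done
}

# Return 0 only if the Location header of the first response points at the
# issuer's authorize endpoint and requests: the code flow, form_post delivery,
# our client ID, the redirect URI registered in Okta (exact match, including
# the path), the openid scope, and state and nonce values. A missing state
# leaves the callback open to login CSRF; a missing nonce means the ID token
# is not bound to this browser session.
check_authorize_redirect() {
  local location="$1" issuer="$2" client_id="$3" redirect_uri="$4"
  case "$location" in
    "${issuer}/v1/authorize?"*) ;;
    *) echo "redirect does not target ${issuer}/v1/authorize" >&2; return 1 ;;
  esac
  [ "$(query_param "$location" response_type)" = "code" ] \
    || { echo "response_type is not 'code'" >&2; return 1; }
  [ "$(query_param "$location" response_mode)" = "form_post" ] \
    || { echo "response_mode is not 'form_post'" >&2; return 1; }
  [ "$(query_param "$location" client_id)" = "$client_id" ] \
    || { echo "client_id does not match the Okta app" >&2; return 1; }
  [ "$(query_param "$location" redirect_uri)" = "$redirect_uri" ] \
    || { echo "redirect_uri does not match the URI registered in Okta" >&2; return 1; }
  case " $(query_param "$location" scope) " in
    *" openid "*) ;;
    *) echo "scope does not include 'openid'" >&2; return 1 ;;
  esac
  [ -n "$(query_param "$location" state)" ] \
    || { echo "state parameter missing" >&2; return 1; }
  [ -n "$(query_param "$location" nonce)" ] \
    || { echo "nonce parameter missing" >&2; return 1; }
  return 0
}

# Live check against the running tutorial stack (Data Plane and tunnel up);
# hypothetical usage with the tutorial's environment variables:
#   loc="$(curl -sS -o /dev/null -D - "$DECK_NGROK_HOST/anything" \
#           | tr -d '\r' | awk 'tolower($1)=="location:" {print $2}')"
#   check_authorize_redirect "$loc" "$DECK_ISSUER_URL" "$DECK_OKTA_CLIENT_ID" "$DECK_NGROK_HOST/anything"

# Constructed Location header for this example; client ID, state and nonce
# are made-up values, and the host is the placeholder used in the tutorial.
SAMPLE_ISSUER="https://domain.okta.com/oauth2/a36f045h4597"
SAMPLE_CLIENT_ID="0oaexampleclientid"
SAMPLE_REDIRECT_URI="https://a36f045h4597.ngrok-free.app/anything"
SAMPLE_LOCATION="${SAMPLE_ISSUER}/v1/authorize?response_type=code&response_mode=form_post&client_id=${SAMPLE_CLIENT_ID}&redirect_uri=https%3A%2F%2Fa36f045h4597.ngrok-free.app%2Fanything&scope=openid%20email%20profile&state=3f9c2a1b&nonce=7b1e4d9c"
```

If the redirect_uri check fails against your live stack, the plugin's redirect_uri and the Okta app's Sign-in redirect URI have drifted apart; fix one of them before debugging anything further, since Okta will not show a login page until they match.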
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.