Looking for the plugin's configuration parameters? You can find them in the OpenID Connect configuration reference doc.
This plugin includes many configuration parameters that allow fine-grained customization. The following steps will help you get started setting up the plugin:
- Configure `config.issuer`. This parameter tells the plugin where to find discovery information, and it is the only required parameter. You should set the value `realm` or `iss` on this parameter if you don't have a discovery endpoint.

  Note: This does not have to match the URL of the `iss` claim in the access tokens being validated. To set URLs supported in the `iss` claim, use `config.issuers_allowed`.
- Decide what authentication grants to use with this plugin and configure the `config.auth_methods` field accordingly. In order to restrict the scope of potential attacks, the parameter should only contain the grants that you want to use.
- In many cases, you also need to specify `config.client_id`, and if your identity provider requires authentication, such as on a token endpoint, you will need to specify the client authentication credentials too, for example `config.client_secret`.
- If you are using a public identity provider, such as Google, you should limit the audience with `config.audience_required` to contain only your `config.client_id`. You may also need to adjust `config.audience_claim` in case your identity provider uses a non-standard claim (other than `aud` as specified in the JWT standard). This is important because some identity providers, such as Google, share public keys with different clients.
- If you are using Kong in DB-less mode with a declarative configuration and session cookie authentication, you should set `config.session_secret`. Leaving this parameter unset will result in every Nginx worker across your nodes encrypting and signing the cookies with their own secrets.
In summary, start with the following parameters:
- `config.issuer`
- `config.auth_methods`
- `config.client_id` (and in many cases the client authentication credentials)
- `config.audience_required` (if using a public identity provider)
- `config.session_secret` (if using Kong in DB-less mode)
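As an added example that is not part of the Kong documentation, the following DB-less declarative configuration applies the starting parameters above to a single route. The upstream URL, identity provider hostname, client ID, client secret and session secret are all constructed placeholders, and the `authorization_code` and `session` grant names are chosen for illustration; substitute the grants your deployment actually uses.

```yaml
# Added example, not from the Kong docs: minimal declarative (DB-less / decK) config
# wiring the openid-connect plugin onto one route. All hosts, IDs and secrets are
# constructed placeholders.
_format_version: "3.0"

services:
- name: example-api
  url: http://upstream.internal:8080          # placeholder upstream
  routes:
  - name: example-route
    paths:
    - /api
    plugins:
    - name: openid-connect
      config:
        # 1. Discovery document of the identity provider: the only required parameter.
        issuer: https://idp.example.com/.well-known/openid-configuration
        # The `iss` claim in the tokens need not equal the discovery URL; list the
        # issuer values that tokens are allowed to carry here.
        issuers_allowed:
        - https://idp.example.com/
        # 2. Only the grants you intend to use; every other grant is rejected outright,
        #    which keeps the attack surface to the flows you actually operate.
        auth_methods:
        - authorization_code
        - session
        # 3. Client identity and credential used when Kong calls the provider's
        #    token endpoint. Inject the secret from a secret store, never from source control.
        client_id:
        - kong-example-client                  # placeholder
        client_secret:
        - "REPLACE_WITH_CLIENT_SECRET"         # placeholder
        # 4. Accept only tokens minted for this client. With a public provider such as
        #    Google, the same signing keys serve many clients, so without this check a
        #    valid token issued to some other client would also pass here.
        #    `aud` is matched by default; set `audience_claim` only for a non-standard claim.
        audience_required:
        - kong-example-client
        # 5. DB-less with session cookies: one shared secret so every Nginx worker on
        #    every node encrypts and signs cookies identically. Left unset, each worker
        #    would generate its own and sessions would break across workers and nodes.
        session_secret: "REPLACE_WITH_RANDOM_SECRET"
```

Load it with `kong config db_import` in DB-less mode or `deck sync`, then confirm that a request to `/api` without a session or token is redirected to the provider (the `authorization_code` flow) rather than passed through to the upstream.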
Then, further customize the plugin configuration based on the flow or grant that you want to use.
For all available configuration parameters, see the OpenID Connect configuration reference.