Configure OpenID Connect with client credentials
Using the OpenID Connect plugin, set up the client credentials grant flow to connect to an identity provider (IdP) by passing a client ID and client secret in a header.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'
Copied to clipboard! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
Copied to clipboard!This sets up a Konnect Control Plane named
quickstart
, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'
Copied to clipboard!Copy and paste these into your terminal to configure your session.
Enable the OpenID Connect plugin with the client credentials grant
Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin with the client credentials grant.
Enable the OpenID Connect plugin on the example-service
Service:
echo '
_format_version: "3.0"
plugins:
- name: openid-connect
service: example-service
config:
issuer: "${{ env "DECK_ISSUER" }}"
client_id:
- "${{ env "DECK_CLIENT_ID" }}"
client_secret:
- "${{ env "DECK_CLIENT_SECRET" }}"
client_auth:
- client_secret_post
auth_methods:
- client_credentials
client_credentials_param_type:
- header
' | deck gateway apply -
In this example:
-
issuer
,client ID
,client secret
, andclient auth
: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app). -
auth_methods
: Specifies that the plugin should use client credentials (client ID and secret) for authentication. -
client_credentials_param_type
: Restricts client credential lookup to request headers only.
Note: Setting
config.client_auth
toclient_secret_post
lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.
Validate the client credentials grant
Now, validate the setup by accessing the example-route
Route using the credentials in client-id:client-secret
format:
curl -i -X GET "$KONNECT_PROXY_URL/anything" \
-u $DECK_CLIENT_ID:$DECK_CLIENT_SECRET
curl -i -X GET "http://localhost:8000/anything" \
-u $DECK_CLIENT_ID:$DECK_CLIENT_SECRET
If Kong Gateway successfully authenticates with Keycloak, you’ll see a 200
response with your bearer token in the Authorization header.
If you make another request using the same credentials, you’ll see that Kong Gateway adds less latency to the request because it has cached the token endpoint call to Keycloak:
X-Kong-Proxy-Latency: 25
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.