OpenID Connect: Mutual TLS client authentication - Plugin

Mutual TLS client authentication

Configure the OpenID Connect plugin to use mutual TLS (mTLS) client authentication.

The following uses the password grant, but you can use any supported OpenID Connect auth method.

The configuration option config.tls_client_auth_ssl_verify controls whether the server (IdP) certificate is verified. When set to true (default), ensure that trusted certificate and verify depth are appropriately configured so that the IdP’s server certificate is trusted by Kong Gateway.

Prerequisites

A configured identity provider (IdP) configured with mTLS and X.509 client certificate authentication
A client certificate and key pair stored in a Certificate object

Environment variables

ISSUER: The issuer authentication URL for your IdP. For example, if you’re using Keycloak as your IdP, the issuer URL looks like this: http://localhost:8080/realms/example-realm.
CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.
CERTIFICATE_ID: The UUID of a Certificate object in Kong Gateway, which contains a client cert and key pair.

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: openid-connect
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_auth:
      - tls_client_auth
      auth_methods:
      - password
      tls_client_auth_cert_id: ${{ env "DECK_CERTIFICATE_ID" }}
      tls_client_auth_ssl_verify: true

      
        
      
    
Copied to clipboard!

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_auth": [
          "tls_client_auth"
        ],
        "auth_methods": [
          "password"
        ],
        "tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
        "tls_client_auth_ssl_verify": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_auth": [
          "tls_client_auth"
        ],
        "auth_methods": [
          "password"
        ],
        "tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
        "tls_client_auth_ssl_verify": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_auth:
  - tls_client_auth
  auth_methods:
  - password
  tls_client_auth_cert_id: '$CERTIFICATE_ID'
  tls_client_auth_ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

      
        
      
    
Copied to clipboard!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    client_id = [var.client_id]
    client_auth = ["tls_client_auth"]
    auth_methods = ["password"]
    tls_client_auth_cert_id = var.certificate_id
    tls_client_auth_ssl_verify = true
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

      
        
      
    
Copied to clipboard!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "certificate_id" {
  type = string
}

Copied to clipboard!

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: openid-connect
    service: serviceName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_auth:
      - tls_client_auth
      auth_methods:
      - password
      tls_client_auth_cert_id: ${{ env "DECK_CERTIFICATE_ID" }}
      tls_client_auth_ssl_verify: true

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_auth": [
          "tls_client_auth"
        ],
        "auth_methods": [
          "password"
        ],
        "tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
        "tls_client_auth_ssl_verify": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_auth": [
          "tls_client_auth"
        ],
        "auth_methods": [
          "password"
        ],
        "tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
        "tls_client_auth_ssl_verify": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_auth:
  - tls_client_auth
  auth_methods:
  - password
  tls_client_auth_cert_id: '$CERTIFICATE_ID'
  tls_client_auth_ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=openid-connect

Copied to clipboard!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

      
        
      
    
Copied to clipboard!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    client_id = [var.client_id]
    client_auth = ["tls_client_auth"]
    auth_methods = ["password"]
    tls_client_auth_cert_id = var.certificate_id
    tls_client_auth_ssl_verify = true
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

      
        
      
    
Copied to clipboard!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "certificate_id" {
  type = string
}

Copied to clipboard!

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: openid-connect
    route: routeName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_auth:
      - tls_client_auth
      auth_methods:
      - password
      tls_client_auth_cert_id: ${{ env "DECK_CERTIFICATE_ID" }}
      tls_client_auth_ssl_verify: true

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_auth": [
          "tls_client_auth"
        ],
        "auth_methods": [
          "password"
        ],
        "tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
        "tls_client_auth_ssl_verify": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "openid-connect",
      "config": {
        "issuer": "'$ISSUER'",
        "client_id": [
          "'$CLIENT_ID'"
        ],
        "client_auth": [
          "tls_client_auth"
        ],
        "auth_methods": [
          "password"
        ],
        "tls_client_auth_cert_id": "'$CERTIFICATE_ID'",
        "tls_client_auth_ssl_verify": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  issuer: '$ISSUER'
  client_id:
  - '$CLIENT_ID'
  client_auth:
  - tls_client_auth
  auth_methods:
  - password
  tls_client_auth_cert_id: '$CERTIFICATE_ID'
  tls_client_auth_ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=openid-connect

Copied to clipboard!

kubectl annotate -n kong ingress  konghq.com/plugins=openid-connect

Copied to clipboard!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

      
        
      
    
Copied to clipboard!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = var.issuer
    client_id = [var.client_id]
    client_auth = ["tls_client_auth"]
    auth_methods = ["password"]
    tls_client_auth_cert_id = var.certificate_id
    tls_client_auth_ssl_verify = true
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

      
        
      
    
Copied to clipboard!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "certificate_id" {
  type = string
}

Copied to clipboard!

OpenID Connect

Mutual TLS client authentication

Prerequisites

Environment variables

Set up the plugin

Did this doc help?

Help us make these docs great!

Still need help