The OpenID Connect (1.0) plugin integrates Kong with a third-party identity provider (IdP), or with the Kong OAuth 2.0 plugin, in a standardized way. It lets Kong act as a (proxying) OAuth 2.0 resource server (RS) and/or as an OpenID Connect relying party (RP) between the client and the upstream service.
The plugin supports several types of credentials, including:
- Signed JWT access tokens (JWS) using the standardized signing algorithms (JWA)
- Opaque access tokens, either issued by the Kong OAuth 2.0 plugin or issued by a third-party IdP and validated through token introspection (the IdP needs to support it)
- Username and password through the OAuth 2.0 password grant (the plugin automatically exchanges these credentials for an access token by calling the IdP's token endpoint)
- Client id and secret through the OAuth 2.0 client credentials grant (the plugin automatically exchanges these credentials for an access token by calling the IdP's token endpoint)
- An authorization code, which the plugin retrieves from the client when using the OpenID Connect authorization code flow
- Session cookie credentials that the plugin can set up between the client and Kong (usually used with web browser clients together with the authorization code grant)
This plugin can automatically refresh the access token using a refresh token.
You can either let the plugin talk to your IdP exclusively as a trusted client (and let it do all the credential exchange), or let clients talk to the IdP directly and then present the access token to the upstream service protected by the OpenID Connect plugin. The two models can also be combined.
Some of the capabilities of the plugin are listed below:
- WebFinger and OpenID Connect Discovery
- ID Token verification
- UserInfo endpoint data injection
- RP-Initiated Logout
- OAuth 2.0 Token Revocation during the logout (optionally)
- OAuth 2.0 Token Introspection support
- OAuth 2.0 Proof Key for Code Exchange (PKCE) support
- Standard and configurable claims verification
- Caching (optional) of token, introspection and UserInfo endpoint requests
The plugin has been tested with several OpenID Connect capable providers such as:
- Microsoft Azure Active Directory v1
- Microsoft Azure Active Directory v2
- Microsoft Live Connect
As long as your provider supports the OpenID Connect standards, the plugin should work even if it has not been specifically tested against it. Let us know if you want your provider to be tested and added to the list.
Once applied, any user with a valid credential can access the Service/API. To restrict access to a subset of the authenticated users, also add the ACL plugin (not covered here) and create whitelist or blacklist groups of users.
This plugin is only available with a Kong Enterprise subscription.
If you are not a Kong Enterprise customer, you can inquire about our Enterprise offering by contacting us.