Integrating with Kong Enterprise
Overview
This tutorial describes how to integrate Kong Enterprise and the Curity Identity Server using the Kong OpenID Connect plugin.
The OpenID Connect plugin is a capable plugin that covers several use cases. This article focuses on configuring it for token introspection, and specifically for introspection with the Phantom Token pattern: the plugin is tuned so that the introspection response carries a phantom token (a JWT) and that JWT, rather than the opaque incoming token, is forwarded to the upstream API.
The Introspection and Phantom Tokens article describes the underlying flow in detail.
Prerequisites
- An installation of the Curity Identity Server
- An introspection endpoint configured with the Token Procedure Approach
If you do not have an installation of the Curity Identity Server, follow the Installing the Curity Identity Server tutorial, then configure the installation by running the Curity Basic Setup Wizard as outlined in the Curity Basic Setup Wizard tutorial.
Configure Kong
Enable the OpenID Connect plugin for the Service, Route or Consumer and set the following parameters:

| Parameter | Description | Example | Required for integration |
|---|---|---|---|
| config.issuer | Used for discovery. Kong appends /.well-known/openid-configuration. Should be set to the realm or iss if no discovery endpoint is available. | https://idsvr.example.com/oauth/v2/oauth-anonymous | Yes |
| config.client_id | ID of the client used for introspection. | gateway-client | Yes |
| config.client_secret | Secret of the client used for introspection. | Pa$$word1! | Yes |
| config.scopes_required | Optional scopes required in the introspection result for authorization. | records_read records_write email | No |
| config.audience_required | Optional audience required in the introspection result for authorization. | app1 | No |
| config.hide_credentials | Boolean value. Prevents the incoming Access Token from being forwarded to the upstream API. | true | No |
| config.introspection_accept | Accept header sent to the introspection endpoint. The Curity Identity Server supports application/jwt and will then return the JWT directly in the introspection response. | application/jwt | Yes |
| config.upstream_introspection_jwt_header | Upstream header name that will hold the Phantom Token from the introspection result. | authorization | Yes |
| config.auth_methods | Several methods are supported for authenticating the request. For this use case this should be limited to introspection. | introspection | No |
| config.cache_introspection | Boolean value that controls whether the introspection result should be cached. | true | No |
| config.introspect_jwt_tokens | Boolean value that controls whether JWTs sent in the Authorization header should also be introspected. | false | No |
| config.introspection_endpoint | Endpoint for introspection. Might be needed if discovery is not possible. | https://idsvr.example.com/oauth/v2/oauth-introspect | No |
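To make the effect of these settings concrete, the following is an added example (not Kong or Curity code) that simulates what the gateway does with them: it builds the RFC 7662 introspection request sent to the Curity Identity Server with the Accept: application/jwt header, then derives the upstream headers from the response. The introspection response, the opaque token and the JWT are constructed values; the assumptions that a non-200 response means the token is not active and that a "Bearer " prefix is added only when the upstream header is authorization are this example's, not documented plugin behaviour.

```python
"""Simulated gateway-side Phantom Token flow (added example, not plugin code)."""
import base64

# Plugin settings mirroring the table above (example values, not a real deployment)
CONFIG = {
    "client_id": "gateway-client",
    "client_secret": "Pa$$word1!",
    "introspection_endpoint": "https://idsvr.example.com/oauth/v2/oauth-introspect",
    "introspection_accept": "application/jwt",
    "upstream_introspection_jwt_header": "authorization",
    "hide_credentials": True,
}

# Constructed JWT standing in for the phantom token returned by introspection
PHANTOM_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"


def build_introspection_request(opaque_token, cfg=CONFIG):
    """Introspection request as the gateway would send it (RFC 7662 style,
    form-encoded token, HTTP Basic client authentication)."""
    creds = f"{cfg['client_id']}:{cfg['client_secret']}".encode()
    return {
        "method": "POST",
        "url": cfg["introspection_endpoint"],
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Accept": cfg["introspection_accept"],
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": "token=" + opaque_token,
    }


def upstream_headers(incoming_headers, status, body, cfg=CONFIG):
    """Headers forwarded to the upstream API, or None when the request must be
    rejected. Assumption: only a 200 with a three-part JWT body means active."""
    if status != 200 or not body or body.count(".") != 2:
        return None
    headers = {k.lower(): v for k, v in incoming_headers.items()}
    if cfg["hide_credentials"]:
        headers.pop("authorization", None)  # drop the opaque incoming token
    name = cfg["upstream_introspection_jwt_header"].lower()
    # Assumption: Bearer prefix only when the JWT replaces the Authorization header
    headers[name] = ("Bearer " + body) if name == "authorization" else body
    return headers


if __name__ == "__main__":
    print(build_introspection_request("opaque-abc"))
    print(upstream_headers({"Authorization": "Bearer opaque-abc"}, 200, PHANTOM_JWT))
```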
Conclusion
The Kong Enterprise OpenID Connect plugin is a feature-rich plugin that handles various OpenID Connect scenarios and can be configured for introspection. With a few settings it is possible to have Kong introspect an incoming token and forward the phantom token extracted from the introspection result to the upstream API.
Resources
- Kong documentation for OpenID Connect plugin
- Information on the Introspection and Phantom Tokens flow
- Installing the Curity Identity Server
- Details on the Curity Basic Setup Wizard