Integrating with Kong Enterprise
This is a very capable Kong plugin that can be used for several use cases. This article will focus on configuring the plugin for introspection and especially as it relates to the introspection using the Phantom Token pattern. Some tweaks will be made so that a phantom token is provided in the introspection response and then passed on to the upstream API.
This article describes the Introspection and Phantom Tokens process.
- An installation of the Curity Identity Server
- An introspection endpoint configured with the Token Procedure Approach
If you do not have an installation of the Curity Identity Server, follow this tutorial installation of the Curity Identity Server and configure the installation by running Curity Basic Setup Wizard as outlined in this tutorial Curity Basic Setup Wizard.
Enable the OpenID Connect plugin for the Service, Route or Consumer.
|Parameter||Description||Example||Required for integration|
|Used for discovery. Kong appends ||Yes|
|ID of the client used for introspection.||Yes|
|Secret of the client used for introspection.||Yes|
|Optional scopes required in introspection result for authorization.||No|
|Optional audience required in introspection result for authorization.||No|
|Boolean value. This will prevent the incoming Access Token from being forwarded to the upstream API.||No|
|Accept header to be sent to introspection endpoint. The Curity Identity Server supports the ||Yes|
|Upstream header name that will hold the Phantom Token from the introspection result.||Yes|
|Several methods are supported for authenticating the request. For this use case this should be limited to ||No|
|Boolean value that controls if introspection result should be cached.||No|
|Boolean value that controls if JWTs sent in Authorization header should also be introspected.||No|
|Endpoint for introspection. Might be needed if discovery is not possible.||No|
The Kong Enterprise OpenID Connect plugin is a feature rich plugin to handle various OpenID Connect scenarios and can be configure and set up for introspection. With a few configurations it is possible to have Kong introspect an incoming token as well as passing a phantom token extracted from the introspection result onwards to the upstream API.