Integrating with Kong

Integrating with Kong



This tutorial describes how to integrate Kong Enterprise and the Curity Identity Server using the Kong OAuth 2.0 Introspection plugin.

Setting up Introspection using this Kong plugin is very trivial. We will however make some tweaks to the flow so that a phantom token is provided in the introspection response and then passed on to the upstream API. We will also configure Kong to not pass the original access token to the upstream API.

This article describes the Introspection and Phantom Tokens process.


If you do not have an installation of the Curity Identity Server, follow this tutorial installation of the Curity Identity Server and configure the installation by running Curity Basic Setup Wizard as outlined in this tutorial Curity Basic Setup Wizard.

Configure Kong

Enable the OAuth 2.0 introspection plugin for the Service, Route or Consumer.

config.authorization_valueThis is the value that will be sent in the Authorization header to the Curity Introspection endpoint.Basic Y2xpZW50X2lkOnBhJCR3MHJk where Y2xpZW50X2lkOnBhJCR3MHJk is the base64 encoded representation of the client_id:pa$$w0rd
config.custom_claims_forwardWhen Kong performs the Introspection a phantom token will be returned in the response. This setting is used to pass on the token to the upstream API. A header named X-Credential-Phantom-Token will be added with the value of the phantom token.phantom_token
config.hide_credentialsThis will prevent the incoming Access Token to be forwarded to the upstream API
config.introspection_urlSet to the Introspection endpoint of the Curity Identity Server.


The Kong Enterprise plugin for OAuth 2.0 Introspection is fairly trivial to configure and set up for introspection. With a few minor configurations on the Kong side and Curity side it is possible to have Kong remove the Access Token from the upstream request as well as passing a phantom token extracted from the introspection result.


Let’s Stay in Touch!

Get the latest on identity management, API Security and authentication straight to your inbox.

Keep up with our latest articles and how-tos using RSS feeds