This tutorial describes how to integrate Kong Enterprise and the Curity Identity Server using the Kong OAuth 2.0 Introspection plugin.
Setting up introspection with this Kong plugin is simple. We will, however, make some tweaks to the flow so that a phantom token is included in the introspection response and then passed on to the upstream API. We will also configure Kong not to pass the original access token to the upstream API.
This article describes the Introspection and Phantom Tokens process.
- An installation of the Curity Identity Server
- An introspection endpoint configured with the Token Procedure Approach
If you do not have an installation of the Curity Identity Server, follow the Installing the Curity Identity Server tutorial, then configure the installation by running the Curity Basic Setup Wizard as outlined in the Curity Basic Setup Wizard tutorial.
Enable the OAuth 2.0 Introspection plugin on the Service, Route or Consumer and configure the following settings:

| Description |
|---|
| This is the value that will be sent in the |
| When Kong performs the introspection, a phantom token is returned in the response. This setting is used to pass that token on to the upstream API. A header named |
| This prevents the incoming access token from being forwarded to the upstream API. |
| Set to the introspection endpoint of the Curity Identity Server. |
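The Kong side of this setup, written as an added shell example against the Kong Admin API (this script is not part of the tutorial and is not Curity's or Kong's own code). It assumes the plugin's config keys `introspection_url`, `authorization_value`, `custom_claims_forward` and `hide_credentials`, that the Curity introspection endpoint authenticates the gateway with HTTP Basic client credentials, and that Kong forwards a custom claim named `phantom_token` to the upstream as an `X-Credential-phantom_token` header. The Kong admin URL, service name, introspection URL and client credentials are placeholders.

```shell
#!/bin/sh
# Added example: enable and configure the Kong Enterprise OAuth 2.0 Introspection
# plugin for one Service via the Admin API. Placeholder values can be overridden
# from the environment; nothing is sent to Kong unless "apply" is passed as $1.
set -eu

KONG_ADMIN_URL=${KONG_ADMIN_URL:-http://localhost:8001}          # placeholder
SERVICE_NAME=${SERVICE_NAME:-example-api}                         # placeholder
INTROSPECTION_URL=${INTROSPECTION_URL:-https://idsvr.example.com/oauth/v2/oauth-introspect}  # placeholder
CLIENT_ID=${CLIENT_ID:-kong-client}                               # placeholder
CLIENT_SECRET=${CLIENT_SECRET:-secret}                            # placeholder
PHANTOM_CLAIM=phantom_token   # claim the Curity token procedure adds (assumed name)

# Value Kong puts in the Authorization header when it calls the introspection
# endpoint: HTTP Basic with the gateway's client id and secret (assumption:
# the Curity introspection endpoint is configured for Basic client auth).
basic_auth_value() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# JSON body for POST /services/{service}/plugins.
#   $1 = introspection URL, $2 = Authorization header value, $3 = claim to forward
# hide_credentials=true strips the incoming access token from the upstream request;
# custom_claims_forward passes the phantom token from the introspection response.
plugin_json() {
  printf '{"name":"oauth2-introspection","config":{"introspection_url":"%s","authorization_value":"%s","custom_claims_forward":["%s"],"hide_credentials":true}}\n' \
    "$1" "$2" "$3"
}

# Header the upstream API should read the phantom token from (assumption: Kong
# forwards custom claims with the X-Credential- prefix).
upstream_header_for_claim() {
  printf 'X-Credential-%s' "$1"
}

# Send the plugin definition to the Admin API; body is read from stdin.
#   $1 = Kong admin URL, $2 = service name
apply_plugin() {
  curl -sS -X POST "$1/services/$2/plugins" \
    -H 'Content-Type: application/json' --data @-
}

if [ "${1:-}" = "apply" ]; then
  plugin_json "$INTROSPECTION_URL" "$(basic_auth_value "$CLIENT_ID" "$CLIENT_SECRET")" "$PHANTOM_CLAIM" \
    | apply_plugin "$KONG_ADMIN_URL" "$SERVICE_NAME"
  echo "Upstream will receive the phantom token in: $(upstream_header_for_claim "$PHANTOM_CLAIM")"
fi
```

Run it as `sh kong-introspection.sh apply` after exporting real values; without the `apply` argument it only defines the helpers, which makes it easy to inspect the generated JSON with `plugin_json` before touching a live gateway.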
The Kong Enterprise plugin for OAuth 2.0 Introspection is straightforward to configure and set up for introspection. With a few minor configuration changes on the Kong side and the Curity side, Kong can remove the access token from the upstream request and instead pass on a phantom token extracted from the introspection result.
- Kong documentation for OAuth 2.0 introspection plugin
- Information on the Introspection and Phantom Tokens flow
- Installing the Curity Identity Server
- Details on the Curity Basic Setup Wizard