Integrating with Kong Enterprise


This tutorial describes how to integrate Kong Enterprise and the Curity Identity Server using the Kong OpenID Connect plugin.

This is a very capable Kong plugin that can be used for several use cases. This article focuses on configuring the plugin for introspection, and in particular on introspection using the Phantom Token pattern. A few tweaks are made so that a phantom token is included in the introspection response and then passed on to the upstream API.

The Introspection and Phantom Tokens article describes that process in more detail.


If you do not have an installation of the Curity Identity Server, follow the Installation of the Curity Identity Server tutorial, then configure the installation by running the Curity Basic Setup Wizard as outlined in the Curity Basic Setup Wizard tutorial.

Configure Kong

Enable the OpenID Connect plugin for the Service, Route or Consumer.

| Parameter | Description | Example | Required for integration |
|---|---|---|---|
| config.issuer | Used for discovery. Kong appends /.well-known/openid-configuration. Should be set to the realm or iss if no discovery endpoint is available. | | |
| config.client_id | ID of the client used for introspection | gateway-client | Yes |
| config.client_secret | Secret of the client used for introspection | Password1 | Yes |
| config.scopes_required | Optional scopes required in the introspection result for authorization. | records_read records_write email | No |
| config.hide_credentials | Boolean value. Prevents the incoming access token from being forwarded to the upstream API. | true | No |
| config.upstream_headers_claims | The claim in the introspection result that holds the phantom token. | phantom_token | Yes |
| config.upstream_headers_names | The upstream header name that will carry the phantom token taken from the introspection result. | phantom_token | Yes |
| config.auth_methods | Several methods are supported for authenticating the request. For this use case this should be limited to introspection. | introspection | No |
| config.cache_introspection | Boolean value that controls whether the introspection result should be cached. | true | No |
| config.introspect_jwt_tokens | Boolean value that controls whether JWTs sent in the Authorization header should also be introspected. | false | No |
| config.introspection_endpoint | Endpoint for introspection. Might be needed if discovery is not possible. | | |
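As an added example (not part of the Curity tutorial or Kong's own documentation), the following script enables the plugin on a Kong Service through the Kong Admin API with the parameters above. The Admin API address, the service name `records-api`, the issuer URL and the client secret are assumed placeholders to replace for your environment.

```shell
#!/bin/sh
# Added example: enable the Kong OpenID Connect plugin for introspection with
# the Phantom Token pattern. Values marked "assumed" are placeholders.
set -eu

KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"                       # assumed Admin API address
SERVICE_NAME="${SERVICE_NAME:-records-api}"                             # assumed Kong Service name
ISSUER="${ISSUER:-https://idsvr.example.com/oauth/v2/oauth-anonymous}"  # assumed issuer (placeholder)
CLIENT_ID="${CLIENT_ID:-gateway-client}"
CLIENT_SECRET="${CLIENT_SECRET:-REPLACE_WITH_REAL_SECRET}"              # never commit a real secret

# Emits one "key=value" form field per line. The plugin reads the phantom token
# from the "phantom_token" claim of the introspection result and forwards it to
# the upstream API in a header of the same name, while hide_credentials keeps
# the original (opaque) access token from reaching the upstream.
# A single scopes_required entry with space-separated scopes means all of them
# must be present in the introspection result.
oidc_plugin_fields() {
  cat <<EOF
name=openid-connect
config.issuer=$ISSUER
config.client_id=$CLIENT_ID
config.client_secret=$CLIENT_SECRET
config.auth_methods=introspection
config.hide_credentials=true
config.cache_introspection=true
config.introspect_jwt_tokens=false
config.upstream_headers_claims=phantom_token
config.upstream_headers_names=phantom_token
config.scopes_required=records_read records_write email
EOF
}

# Returns the value of one field, e.g. field_value config.auth_methods
field_value() { oidc_plugin_fields | sed -n "s/^$1=//p"; }

# Builds the curl argument list (URL-encoding each field) and posts it to the
# Service's plugin collection on the Admin API.
enable_oidc_plugin() {
  url="$KONG_ADMIN/services/$SERVICE_NAME/plugins"
  set --
  while IFS= read -r field; do
    set -- "$@" --data-urlencode "$field"
  done <<EOF
$(oidc_plugin_fields)
EOF
  curl -sS -X POST "$url" "$@"
}

# Only contact Kong when explicitly asked, so the script is safe to source.
[ "${APPLY:-0}" = "1" ] && enable_oidc_plugin
```

Run with `APPLY=1 KONG_ADMIN=http://kong-admin:8001 SERVICE_NAME=<your-service> CLIENT_SECRET=<secret> sh enable-oidc.sh` once the client exists in the Curity Identity Server.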


The Kong Enterprise OpenID Connect plugin is a feature-rich plugin that handles various OpenID Connect scenarios and can be configured for introspection. With a few configuration settings, Kong can introspect an incoming token and pass a phantom token extracted from the introspection result on to the upstream API.