Integrating with Kong Enterprise

Overview

This tutorial describes how to integrate Kong Enterprise and the Curity Identity Server using the Kong OpenID Connect plugin.

This is a very capable Kong plugin that can be used for several use cases. This article will focus on configuring the plugin for introspection and especially as it relates to the introspection using the Phantom Token pattern. Some tweaks will be made so that a phantom token is provided in the introspection response and then passed on to the upstream API.

The Introspection and Phantom Tokens article describes the underlying process in more detail.

Prerequisites

If you do not have an installation of the Curity Identity Server, follow the installation tutorial for the Curity Identity Server and configure the installation by running the Basic Setup Wizard as outlined in the Curity Basic Setup Wizard tutorial.

Configure Kong

Enable the OpenID Connect plugin for the Service, Route or Consumer and set the following parameters:

| Parameter | Description | Example | Required for integration |
|---|---|---|---|
| config.issuer | Used for discovery; Kong appends /.well-known/openid-configuration. Should be set to the realm or iss if no discovery endpoint is available. | https://idsvr.example.com/oauth/v2/oauth-anonymous | Yes |
| config.client_id | ID of the client used for introspection. | gateway-client | Yes |
| config.client_secret | Secret of the client used for introspection. | Pa$$word1! | Yes |
| config.scopes_required | Optional scopes required in the introspection result for authorization. | records_read records_write email | No |
| config.audience_required | Optional audience required in the introspection result for authorization. | app1 | No |
| config.hide_credentials | Boolean value. Prevents the incoming Access Token from being forwarded to the upstream API. | true | No |
| config.introspection_accept | Accept header to be sent to the introspection endpoint. The Curity Identity Server supports the application/jwt Accept header and will then return the JWT directly in the introspection response. | application/jwt | Yes |
| config.upstream_introspection_jwt_header | Upstream header name that will hold the Phantom Token from the introspection result. | authorization | Yes |
| config.auth_methods | Several methods are supported for authenticating the request. For this use case this should be limited to introspection. | introspection | No |
| config.cache_introspection | Boolean value that controls whether the introspection result should be cached. | true | No |
| config.introspect_jwt_tokens | Boolean value that controls whether JWTs sent in the Authorization header should also be introspected. | false | No |
| config.introspection_endpoint | Endpoint for introspection. Might be needed if discovery is not possible. | https://idsvr.example.com/oauth/v2/oauth-introspect | No |
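The parameters above wired together in a declarative Kong configuration (DB-less / decK format), as an added example that is not part of the original tutorial; the service name, upstream URL and route path are assumptions:

```yaml
_format_version: "3.0"

services:
  - name: records-api                                   # assumed service name
    url: https://records-api.internal.example.com       # assumed upstream API
    routes:
      - name: records-route
        paths:
          - /records                                    # assumed route path
    plugins:
      - name: openid-connect
        config:
          # Discovery: Kong appends /.well-known/openid-configuration to this value
          issuer: https://idsvr.example.com/oauth/v2/oauth-anonymous
          # Client used by Kong when calling the introspection endpoint.
          # The secret is shown inline to match the table; in a real deployment
          # it should come from a secret store rather than a committed file.
          client_id:
            - gateway-client
          client_secret:
            - Pa$$word1!
          # Only accept opaque tokens via introspection; do not try other methods
          auth_methods:
            - introspection
          # Ask the Curity Identity Server to return the JWT (phantom token)
          # directly in the introspection response
          introspection_accept: application/jwt
          # Put that JWT into the upstream Authorization header ...
          upstream_introspection_jwt_header: authorization
          # ... and never forward the opaque incoming token to the upstream API
          hide_credentials: true
          # Cache introspection results to avoid a round trip per request
          cache_introspection: true
          # Incoming JWTs are not introspected; only opaque tokens are expected
          introspect_jwt_tokens: false
          # Optional authorization checks on the introspection result
          scopes_required:
            - records_read records_write email
          audience_required:
            - app1
          # Only needed if discovery cannot reach the metadata document
          introspection_endpoint: https://idsvr.example.com/oauth/v2/oauth-introspect
```

With this in place a request carrying an opaque token on /records is introspected, the JWT from the response replaces the token in the Authorization header, and the upstream API never sees the opaque token.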

Conclusion

The Kong Enterprise OpenID Connect plugin is a feature-rich plugin that handles various OpenID Connect scenarios and can be configured for introspection. With a few configuration settings it is possible to have Kong introspect an incoming token and pass a phantom token extracted from the introspection result on to the upstream API.

Resources