Kong: OAuth2 plugin: not dealing with external IDP

Created on 25 Jul 2016  ·  3 Comments  ·  Source: Kong/kong

The current OAuth2 plugin doesn't support the use of an external Identity Provider such as Keycloak: http://www.keycloak.org

This would be useful especially for:

  • Client credentials flow
  • Implicit grant flow
Labels: plugin, oauth2

All 3 comments

It would be great to see Keycloak compatibility.

This would be great for us too, we are using DEX.

@lg1712, @PLBrick, @rsoletob,

From open source Kong you have currently one or two options:

  • Kong JWT plugin (https://getkong.org/plugins/jwt/)
  • Nokia's Kong OIDC Plugin (https://github.com/nokia/kong-oidc)

With the JWT plugin you can verify 3rd party issued JWT tokens such as those from Keycloak or Dex (e.g. tokens issued with implicit flow). But you have to configure the public keys on the Kong side and keep them in sync with your identity provider, as the plugin doesn't support OpenID Connect Discovery.

With Kong Enterprise you have more options:

  • OpenID Connect plugins (which also work with plain OAuth 2.0)
  • OAuth 2.0 Introspection plugin

Kong Enterprise comes with 4 OpenID Connect plugins:

  1. OpenID Connect (all-in-one) plugin
  2. OpenID Connect Authentication plugin (applied to a global endpoint to initiate the authorization code flow and set up a session between Kong and the client)
  3. OpenID Connect Protection plugin (applied to individual APIs to protect access to those authenticated with the OpenID Connect Authentication plugin)
  4. OpenID Connect Verification plugin (stateless JWT verification, both access and id tokens)

The first one is rather interesting as it supports many authentication methods in one single plugin:

  • Password Grant
  • Client Credentials Grant
  • Authorization Code Flow
  • JWT Bearer Tokens with signature and claims verification
  • Opaque Bearer Tokens by introspecting them
  • Kong OAuth 2.0 Authentication plugin issued tokens

also:

  • Session cookie based authentication (this plugin sets up an HTTP-only session cookie between Kong and the client, after the client has authenticated with one of the ways mentioned above).
  • Refreshing access tokens automatically by using refresh token (if available)

The plugins have been tested with many 3rd party providers:

  • Auth0
  • Okta
  • Google
  • Microsoft Live Connect
  • Microsoft Azure AD (both 1.0 and 2.0 versions)
  • Yahoo!
  • Salesforce
  • Paypal
  • Connect2id
  • PingFederate
  • IdentityServer4
  • OpenAM
  • Gluu
  • Keycloak
  • Dex

It supports auto-configuration by using OpenID Connect discovery, and automatically reloads the public keys as well for stateless JWT (actually JWS) signature verification with several algorithms:

  • HS256
  • HS384
  • HS512
  • RS256
  • RS512
  • ES256
  • ES384
  • ES512
  • PS256
  • PS384
  • PS512

Learn more about Kong Priority Support, Products, HA, Demo, Training, API Certifications and Professional Services.

As this will in my opinion answer the question, I will close this.
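The comment above describes what the JWT plugin has to do when the keys are configured statically: verify the token's signature against a key Kong already holds, then check the claims. The following is an added example (not code from Kong or from this thread) that walks through that stateless JWS check in plain Python with HS256, one of the algorithms listed above; the key id, secret and issuer URL are constructed for the demo, and the "unknown kid" branch is the failure you get when the IdP rotates a key and Kong's copy is out of sync.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo credentials. With the Kong JWT plugin these correspond to
# the per-consumer key/secret that has to be kept in sync with the IdP by hand.
KEYS = {"keycloak-realm-key-1": b"constructed-hs256-secret-do-not-reuse"}
TRUSTED_ISSUER = "https://idp.example.com/auth/realms/demo"  # assumed issuer URL

def b64url_decode(segment):
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims, kid):
    # Mint a token the way a (constructed) IdP would, so the demo runs offline.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token, now):
    # Stateless check: signature first, then claims. Raises ValueError on failure.
    h64, p64, s64 = token.split(".")           # ValueError if not three segments
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":           # pin the algorithm; never accept 'none'
        raise ValueError("unsupported alg")
    key = KEYS.get(header.get("kid"))
    if key is None:                            # out-of-sync case: IdP rotated its key
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims

def reject_reason(token, now):
    # None when the token verifies, otherwise the reason it was rejected.
    try:
        verify(token, now)
        return None
    except ValueError as exc:
        return str(exc)
```

`now` is passed in explicitly so the expiry check is reproducible; a gateway would use the current time.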
