
Integrate Kong Manager, Dev portal and Route with Okta.

Authored by
Zelarsoft_revamp
Date Released
16 January, 2026

Kong Gateway allows Kong Manager administrators to delegate their authentication to a third-party identity provider using OIDC.

OIDC stands for OpenID Connect, an authentication layer built on top of the OAuth 2.0 protocol. It allows clients (such as web applications or mobile apps) to verify the identity of end users based on the authentication performed by an authorization server, and to obtain basic profile information about the user.

OpenID Connect provides features such as authentication via signed tokens, session management, and standard mechanisms for obtaining user information. It is widely used in modern web applications and APIs to provide secure and user-friendly authentication.


Integrate Kong Manager with OIDC using Okta as the IdP.

We are using Okta as the identity provider. In Okta, create an app integration with the OIDC sign-in method and the Web Application type, and enter your Kong Manager URL as both the sign-in redirect URI and the sign-out redirect URI.

Control access to users at group level or organization level

Create a new authorization server, open it, go to the Claims tab and create a new ID token claim that includes all groups.

Create an access policy for your application and add a rule; when adding the rule, select only the Authorization Code grant type.

Go to the Token Preview section and check the configuration by providing the OIDC client (application name), grant type, user and scopes. After providing the details, click the Preview Token button. It generates a token; if it does not, cross-check your configuration.

Now configure Kong Manager to use Okta as its identity provider.

In the control plane values file, in the enterprise block under the rbac section, add the lines below.

enterprise:
  rbac:
    admin_gui_auth: openid-connect
    admin_gui_auth_conf_secret: kong-idp

Create the kong-idp secret with the command below. Replace the client ID, client secret, issuer URL, redirect URI and login redirect URI with your own values. The client ID and client secret are in the Okta application you created earlier; the issuer is shown on your Okta authorization server.

kubectl create secret generic kong-idp -n kong-enterprise --from-literal=admin_gui_auth_conf='{
"issuer": "your issuer url",
"admin_claim": "email",
"client_id": ["your client id"],
"client_secret": ["your client secret"],
"authenticated_groups_claim": ["Kong-gateway"],
"ssl_verify": false,
"redirect_uri": ["kong-manager-url"],
"login_redirect_uri": ["kong-manager-url"],
"logout_methods": ["GET", "DELETE"],
"logout_query_arg": "logout",
"logout_redirect_uri": ["kong-manager-url"],
"scopes": ["openid", "profile", "email", "offline_access"],
"auth_methods": ["authorization_code"],
"admin_auto_create_rbac_token_disabled": false
}'

Now, when you open the Kong Manager URL, you are redirected to Okta to sign in.

Integrate the Kong Dev Portal with the OIDC plugin using Okta as the IdP.

You can list multiple sign-in redirect URIs and sign-out redirect URIs in an Okta application. Add your Kong Dev Portal URL to the same application, or create a new application and select it in your authorization server's access policies.

In the control plane YAML, under the env section, add the portal auth settings below.

env:
  portal_auth: openid-connect
  portal_auth_conf:
    valueFrom:
      secretKeyRef:
        name: kong-idp-portal
        key: portal_auth_conf

Create the kong-idp-portal secret (the name must match the secretKeyRef above):

kubectl create secret generic kong-idp-portal -n kong-enterprise --from-literal=portal_auth_conf='{
"logout_methods": [
"GET"
],
"forbidden_redirect_uri": [
"replace with your dev portal url/unauthorized"
],
"login_redirect_uri": [
"replace with your dev portal url",
"replace with your dev portal url/auth"
],
"logout_redirect_uri": [
"replace with your dev portal url",
"replace with your dev portal url/auth"
],
"client_secret": [
"replace with your client secret"
],
"issuer": "replace with your issuer url",
"login_action": "redirect",
"redirect_uri": [
"replace with your dev portal url/auth"
],
"ssl_verify": false,
"scopes": [
"openid",
"profile",
"email",
"offline_access"
],
"client_id": [
"replace with your client id"
],
"session_cookie_domain": "replace with your domain name",
"leeway": 1000,
"consumer_by": [
"username",
"custom_id",
"id"
],
"consumer_claim": [
"email"
],
"login_redirect_mode": "query",
"logout_query_arg": "logout"
}'
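An added pre-flight check for the two secrets above (kong-idp and kong-idp-portal); it is not part of this post or of Kong. It validates the openid-connect JSON before it reaches kubectl (array-typed keys, https on every redirect target and the issuer, openid scope present, placeholders removed, and ssl_verify true, which both secrets on this page leave false) and builds the kubectl argv so json.dumps, not hand-typed quotes, produces the literal. The issuer, client values and hostnames are constructed placeholders.

```python
import json
from urllib.parse import urlparse
# Keys Kong's openid-connect config takes as JSON arrays (the page's secrets write them that way).
LIST_KEYS = ("client_id", "client_secret", "redirect_uri", "login_redirect_uri",
             "logout_redirect_uri", "forbidden_redirect_uri", "scopes", "auth_methods")

def check_oidc_conf(conf: dict) -> list:
    """Return findings for an admin_gui_auth_conf or portal_auth_conf document (empty = OK)."""
    findings = []
    for key in ("issuer", "client_id", "client_secret", "redirect_uri"):
        if key not in conf:
            findings.append(f"missing required key: {key}")
    for key in LIST_KEYS:
        if key in conf and not isinstance(conf[key], list):
            findings.append(f"{key} must be a JSON array, got {type(conf[key]).__name__}")
    # Okta sends the browser, carrying the authorization code, to these URLs: require https.
    for key in LIST_KEYS[2:6]:
        for url in (conf.get(key) if isinstance(conf.get(key), list) else []):
            if urlparse(str(url)).scheme != "https":
                findings.append(f"{key} entry is not https: {url}")
    if urlparse(str(conf.get("issuer", ""))).scheme != "https":
        findings.append("issuer is not an https URL")
    if conf.get("ssl_verify") is not True:
        findings.append("ssl_verify is not true: the issuer's TLS certificate is not validated")
    if "openid" not in conf.get("scopes", []):
        findings.append("scopes must include 'openid'")
    if "replace with" in json.dumps(conf) or '"your ' in json.dumps(conf):
        findings.append("template placeholder text is still present")
    return findings

def kubectl_secret_argv(name: str, key: str, conf: dict, namespace: str = "kong-enterprise") -> list:
    # json.dumps builds the literal, so the quoting slips a hand-typed shell line invites cannot happen.
    return ["kubectl", "create", "secret", "generic", name, "-n", namespace,
            "--from-literal=%s=%s" % (key, json.dumps(conf, separators=(",", ":")))]
# Constructed sample in the page's kong-idp layout, with typical mistakes left in.
WEAK_CONF = {
    "issuer": "http://dev-000000.okta.example/oauth2/default",  # plain http
    "admin_claim": "email",
    "client_id": "0oaexampleclientid",                           # string, not array
    "client_secret": ["example-secret"],
    "ssl_verify": False,                                         # as on the page
    "redirect_uri": ["http://kong-manager.example.internal"],    # plain http
    "scopes": ["profile", "email"],                              # openid missing
}
# The same config with every finding fixed, plus the group claim used for group-level access.
HARDENED_CONF = {**WEAK_CONF, "ssl_verify": True, "client_id": ["0oaexampleclientid"],
                 "issuer": "https://dev-000000.okta.example/oauth2/default",
                 "redirect_uri": ["https://kong-manager.example.internal"],
                 "scopes": ["openid", "profile", "email"], "authenticated_groups_claim": ["Kong-gateway"]}
```

Run `check_oidc_conf` on the parsed JSON of each secret before `kubectl create secret`; an empty list means the literal from `kubectl_secret_argv` is safe to apply.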

Configure a route with the OIDC plugin through the Admin API using Okta as the IdP.

As explained above, I am using the same application for the route OIDC integration as well. Enter your route URL in the sign-in redirect URI and sign-out redirect URI fields.

curl -i -X POST https://KONG_ADMIN_URL/routes/ROUTE_ID/plugins \
  --data name="openid-connect" \
  --data config.issuer="replace with your okta url" \
  --data config.client_id="replace with your CLIENT_ID" \
  --data config.client_secret="replace with your CLIENT_SECRET" \
  --data config.redirect_uri="replace with route url" \
  --data config.scopes_claim="scp" \
  --data config.scopes="openid" \
  --data config.scopes="email" \
  --data config.scopes="profile" \
  --data config.auth_methods=authorization_code
