Home / How-to Guides
Edit
Report

Configure OpenID Connect with the authorization code flow and Okta

Uses: Kong Gateway deck
Related Documentation
All Gateway Documentation
All decK Documentation
Tags
#authentication #openid-connect #okta
Related Resources
Configure OpenID Connect with the authorization code flow
OpenID Connect in Kong Gateway
Authentication in Kong Gateway
OpenID Connect authentication flows and grants
Authorization code workflow
OpenID Connect tutorials
Minimum Version
Kong Gateway - 3.4
TL;DR

Using the OpenID Connect plugin, set up the auth code flow to connect to an identity provider (IdP) through a browser. You must specify your Okta app client ID, client secret, and issuer URL (for example: https://domain.okta.com/oauth2/a36f045h4597) in the OIDC plugin configuration. In addition, you must configure any scopes from Okta as well as your redirect URI in the plugin configuration.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Okta

You need an admin account for Okta. You also need an Okta user that you can use to test the OIDC auth code flow.

Ngrok

In this tutorial, we use ngrok to expose a local URL to the internet for local testing and development purposes. This isn’t a requirement for the plugin itself.

  1. Install ngrok.
  2. Sign up for an ngrok account and find your ngrok authtoken.
  3. Install the authtoken and connect the ngrok agent to your account: 
    ngrok config add-authtoken $TOKEN
  4. Run ngrok: 
    ngrok http localhost:8000
  5. In a new terminal window, export your forwarding URL as a decK environment variable appended with the /anything path you’ll use to log in: 
    export DECK_NGROK_HOST='YOUR-FORWARDING-URL/anything'

Create an application in Okta
  1. In Okta, navigate to Applications > Applications in the sidebar.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect.
  4. Select Web Application.
  5. Click Authorization Code for the grant type.
  6. In both the Sign-in redirect URIs and Sign-out redirect URIs fields, enter a location handled by your Route in Kong Gateway. In this tutorial, it will be your Ngrok host followed by /anything. For example: https://a36f045h4597.ngrok-free.app/anything
  7. In the Assignments section, for Controlled access, select Skip group assignment for now. We will assign the app to the test Okta user you created in the prerequisites next. Save your configuration.

    Do not select Allow everyone in your organization to access otherwise the access token won’t be verified against Okta.

  8. Export the client ID and client secret of your Okta app: 
    export DECK_OKTA_CLIENT_ID='YOUR-OKTA-APP-CLIENT-ID'
export DECK_OKTA_CLIENT_SECRET='YOUR-OKTA-APP-CLIENT-SECRET'
  9. In the Assignment tab, assign your app to your Okta test user.

Create an authorization server and access policy
  1. Using your Okta credentials, log in to the Okta portal and click Security > API in the sidebar.
  2. Create a server named Kong API Management with an audience and description.
  3. Copy the issuer URL for your authorization server, strip the /.well-known/oauth-authorization-server, and export it as an environment variable: 
    export DECK_ISSUER_URL='YOUR-ISSUER-URL'

    It should be formatted like https://domain.okta.com/oauth2/a36f045h4597.

  4. On the Access Policy tab, create a new access policy and assign the Okta application you just created.

  5. Add a new rule and configure the following settings:
    • Grant type: Authorization Code
    • User is: Any user assigned the app
    • Scopes requested: Any scopes

Enable the OpenID Connect plugin with the auth code flow

Set up an instance of the OpenID Connect plugin with the auth code flow and session authentication for Okta.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER_URL" }}"
      client_id:
      - "${{ env "DECK_OKTA_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_OKTA_CLIENT_SECRET" }}"
      redirect_uri:
      - "${{ env "DECK_NGROK_HOST" }}"
      scopes:
      - openid
      - email
      - profile
      auth_methods:
      - authorization_code
      token_endpoint_auth_method: client_secret_basic
      response_mode: form_post
' | deck gateway apply -

In this example:

  • issuer, client ID, client secret, and client auth: Settings that connect the plugin to your IdP (in this case, Okta).
  • auth_methods: Specifies that the plugin should use the authorization code flow.
  • response_mode: Set to form_post so that authorization codes don’t get logged to access logs.

Validate authorization code login

Access the Route you configured in the prerequisites. In a new browser tab, navigate to the following:

open $DECK_NGROK_HOST

The browser should be redirected to the Okta login page. You should be able to successfully log in with your Okta user account.

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

FAQs

How do I enable the Proof Key for Code Exchange (PKCE) extension to the authorization code flow in the OIDC plugin?

The OIDC plugin supports PKCE out of the box, so you don’t need to configure anything. When config.auth_methods is set to authorization_code, the plugin sends the required code_challenge parameter automatically with the authorization code flow request.

If the IdP connected to the plugin enforces PKCE, it will be used during the authorization code flow. If the IdP doesn’t support or enforce PCKE, it won’t be used.

How do I use custom scopes with the OIDC authorization code flow in Okta?

In Okta, make sure you add the custom claim to your authorization server scopes, claims, access policy, and access policy rules. Then, add your custom scope to config.scope_claim and to config.scopes in the OIDC plugin configuration.

How do I fix the "Cannot request 'openid' scopes error when I try to set up OIDC auth with Okta?

You can’t use the openid scope when using the client_credentials grant type with Okta. The way to fix this is to create a custom scope inside Okta and update the OpenID Connect plugin to reflect this change by adding it to scope_claim and scopes.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support