Home / How-to Guides
Edit
Report

Configure OpenID Connect with Consumer Group authorization

Uses: Kong Gateway deck
Deployment Platform
Related Documentation
Gateway Documentation decK Documentation
Tags
#authorization #openid-connect
Related Resources
OpenID Connect in Kong Gateway
Authentication in Kong Gateway
OpenID Connect authorization options
Consumer Group authorization in OIDC
OpenID Connect tutorials
Minimum Version
Kong Gateway - 3.12
TL;DR

Use the OpenID Connect plugin with Consumer Groups for authorization and dynamically map claim values to Consumer Groups. This only allows IdP users that have a matching Consumer Group in Kong Gateway to access your Services, giving you more control over which clients have access to Kong Gateway.

Set up client_credential authentication and enable Consumer Group mapping by setting a claim to map to.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK   v1.43+

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.

This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance. We recommend upgrading your decK installation to take advantage of this tool.

You can check your current decK version with deck version.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Set up Keycloak

This tutorial requires an identity provider (IdP). If you don’t have one, you can use Keycloak. The steps will be similar in other standard identity providers.

Create a client

  1. Install Keycloak (version 26 or later) on your platform.

    For example, you can use the Keycloak Docker image:

     docker run -p 127.0.0.1:8080:8080 \
   -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
   -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
   quay.io/keycloak/keycloak start-dev

  2. Open the admin console.

    The default URL of the console is http://$YOUR_KEYCLOAK_HOST:8080/admin/master/console/.

  3. In the sidebar, open Clients, then click Create client.
  4. Configure the client:

Section

Settings
General settings
  • Client type: OpenID Connect
  • Client ID: kong
Capability config
  • Enable Client authentication.
  • Click the Service accounts roles checkbox.

Create a claim

  1. In your client, click the Client scopes tab.
  2. Click the kong-dedicated client scope.
  3. Click Configure a new mapper.
  4. Select Hardcoded claim.
  5. In the Name field, enter tier.
  6. In the Token Claim Name field, enter tier.
  7. In the Claim value field, enter gold.
  8. Click Save.

Set up keys and credentials

  1. In your client, open the Credentials tab.
  2. Set Client Authenticator to Client ID and Secret.
  3. Copy the Client Secret.

Export to environment variables

Export your client secret and issuer URL to environment variables so that you can pass them more securely. For example:

export DECK_ISSUER="http://host.docker.internal:8080/realms/master"
export CLIENT_SECRET="UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW"

export DECK_ISSUER="http://host.docker.internal:8080/realms/master"
export CLIENT_SECRET="UNT3GPzCKI7zUbhAmFSUGbj4wmiBDGiW"

Enable the OpenID Connect plugin

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin. In this example, we’re using the client_credentials grant with the tier Consumer Group claim.

Enable the OpenID Connect plugin on the example-service Service:

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: example-service
    config:
      issuer: "${{ env "DECK_ISSUER" }}"
      auth_methods:
      - client_credentials
      consumer_groups_claim:
      - tier
' | deck gateway apply -

In this example:

  • issuer: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
  • auth_methods: Specifies that the plugin should use the client credentials grant.
  • consumer_group_claim: Looks for a client claim name in the token payload and maps it to the Consumer Group entity by the entity’s name value.

Create a Consumer Group

First, let’s try to access the Service without a matching Consumer Group. Request the Service with the basic authentication credentials created in the prerequisites:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -H "Authorization: Basic kong:wrong-secret"

 curl -i -X GET "http://localhost:8000/anything" \
     -H "Authorization: Basic kong:wrong-secret"

You should get a 401 Unauthorized error code, which means the Service is protected by claim authorization.

Create a Consumer Group with a name that matches the client claim value in your IdP, in this case gold:

echo '
_format_version: "3.0"
consumer_groups:
  - name: gold
' | deck gateway apply -

Verify Consumer Group authorization

Now, your configured Consumer Group can access the example-route Route by using client name and client secret in client-name:client-secret format:

 curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -H "Authorization: Basic kong:$CLIENT_SECRET"

 curl -i -X GET "http://localhost:8000/anything" \
     -H "Authorization: Basic kong:$CLIENT_SECRET"

This time, you should get a 200 response. The OIDC plugin decodes the token it receives from the IdP, finds the client claim value, and maps it to our Consumer Group gold.

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support