Home / How-to Guides
Edit
Report

Secure A2A endpoints with OpenID Connect and Okta

Uses: Kong Gateway AI Gateway deck
Deployment Platform
Related Documentation
Gateway Documentation decK Documentation
Tags
#ai #a2a #authentication #openid-connect #okta
Related Resources
AI A2A Proxy plugin reference
OpenID Connect plugin reference
Proxy A2A agents through AI Gateway
Secure A2A endpoints with key authentication
Minimum Version
Kong Gateway - 3.14
TL;DR

Enable the OpenID Connect plugin on the same Route as the AI A2A Proxy plugin. Configure it with your Okta issuer URL and client credentials. Requests without a valid bearer token are rejected with 401. Authenticated requests are proxied to the upstream A2A agent.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK   v1.43+

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.

This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance. We recommend upgrading your decK installation to take advantage of this tool.

You can check your current decK version with deck version.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: a2a-currency-agent
    url: http://host.docker.internal:10000
routes:
  - name: a2a-route
    paths:
    - "/a2a"
    strip_path: true
    service:
      name: a2a-currency-agent
    protocols:
    - http
    - https
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

OpenAI API key

This tutorial uses OpenAI:

  1. Create an OpenAI account.
  2. Get an API key.

  3. Create a decK variable with the API key:

    export DECK_OPENAI_API_KEY='YOUR OPENAI API KEY'

A2A agent

You need a running A2A-compliant agent. This guide uses a sample currency conversion agent from the A2A project.

Create a docker-compose.yaml file:

cat <<'EOF' > docker-compose.yaml
services:
  a2a-agent:
    container_name: a2a-currency-agent
    build:
      context: .
      dockerfile_inline: |
        FROM python:3.12-slim
        WORKDIR /app
        RUN pip install uv && apt-get update && apt-get install -y git
        RUN git clone --depth 1 https://github.com/a2aproject/a2a-samples.git /tmp/a2a && \
            cp -r /tmp/a2a/samples/python/agents/langgraph/* . && \
            rm -rf /tmp/a2a
        ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
        RUN uv sync --frozen --no-dev
        EXPOSE 10000
        CMD ["uv", "run", "app", "--host", "0.0.0.0"]
    environment:
      - model_source=openai
      - API_KEY=${DECK_OPENAI_API_KEY}
      - TOOL_LLM_URL=https://api.openai.com/v1
      - TOOL_LLM_NAME=gpt-5.1
    ports:
      - "10000:10000"
EOF

Export your OpenAI API key and start the agent:

export DECK_OPENAI_API_KEY='your-openai-key'
docker compose up --build -d

The agent listens on port 10000 and uses the A2A JSON-RPC protocol to handle currency conversion queries. In this guide, the gateway service points to host.docker.internal:10000 instead of the container name because Kong Gateway runs in its own container with a separate DNS resolver.

Okta

You need an Okta admin account with a developer organization.

Add a custom scope

  1. Go to Security > API > Authorization Servers.
  2. Click default.
  3. Go to the Scopes tab.
  4. Click Add Scope.
  5. Name: api:access
  6. Display phrase: Access protected APIs
  7. Check Set as a default scope.
  8. Click Create.

Add an access policy

  1. In the same default authorization server, go to the Access Policies tab.
  2. Click Add Policy.
  3. Name: API Access
  4. Assign to: All clients
  5. Click Create Policy.

Add a rule to the policy

  1. Inside the API Access policy, click Add Rule.
  2. Rule Name: Allow API Access
  3. Grant type: check Client Credentials.
  4. Scopes requested: Any scopes
  5. Click Create Rule.

Create a web application

  1. Go to Applications > Applications > Create App Integration.
  2. Sign-in method: OIDC - OpenID Connect
  3. Application type: Web Application
  4. App integration name: Kong Gateway
  5. Grant types: check Client Credentials.
  6. Assignments: Skip group assignment for now
  7. Click Save.
  8. Copy the Client ID and Client Secret.

Export environment variables

  1. Go to Security > API > Authorization Servers.
  2. Click the default server.
  3. Copy the Issuer URI (for example, https://your-org.okta.com/oauth2/default).

  4. Export the following environment variables:

     export DECK_OKTA_ISSUER='https://your-org.okta.com/oauth2/default'
 export DECK_OKTA_CLIENT_ID='your-client-id'
 export DECK_OKTA_CLIENT_SECRET='your-client-secret'

Enable the AI A2A Proxy plugin

The AI A2A Proxy plugin parses A2A JSON-RPC requests and proxies them to the upstream agent.

echo '
_format_version: "3.0"
plugins:
  - name: ai-a2a-proxy
    config:
      logging:
        log_statistics: true
        log_payloads: true
' | deck gateway apply -

Enable the OpenID Connect plugin

Configure the OpenID Connect plugin on the A2A Route. The plugin validates bearer tokens issued by Okta using JWKS auto-discovery from the issuer URL.

echo '
_format_version: "3.0"
plugins:
  - name: openid-connect
    route: a2a-route
    config:
      issuer: "${{ env "DECK_OKTA_ISSUER" }}"
      client_id:
      - "${{ env "DECK_OKTA_CLIENT_ID" }}"
      client_secret:
      - "${{ env "DECK_OKTA_CLIENT_SECRET" }}"
      auth_methods:
      - bearer
' | deck gateway apply -

All requests to the A2A Route now require a valid bearer token from Okta.

Validate unauthenticated requests are rejected

Send an A2A request without a token:

curl -X POST "$KONNECT_PROXY_URL/a2a" \
     --no-progress-meter --fail-with-body  \
     -H "Content-Type: application/json" \
     --json '{
       "jsonrpc": "2.0",
       "id": "1",
       "method": "message/send",
       "params": {
         "message": {
           "kind": "message",
           "messageId": "msg-001",
           "role": "user",
           "parts": [
             {
               "kind": "text",
               "text": "How much is 100 USD in EUR?"
             }
           ]
         }
       }
     }'

You should see the following response:

401 Unauthorized

curl -X POST "http://localhost:8000/a2a" \
     --no-progress-meter --fail-with-body  \
     -H "Content-Type: application/json" \
     --json '{
       "jsonrpc": "2.0",
       "id": "1",
       "method": "message/send",
       "params": {
         "message": {
           "kind": "message",
           "messageId": "msg-001",
           "role": "user",
           "parts": [
             {
               "kind": "text",
               "text": "How much is 100 USD in EUR?"
             }
           ]
         }
       }
     }'

You should see the following response:

401 Unauthorized

Validate authenticated requests succeed

Obtain a token from Okta using client credentials:

export TOKEN=$(curl -s -X POST \
  $DECK_OKTA_ISSUER/v1/token \
  -d "grant_type=client_credentials" \
  -d "client_id=$DECK_OKTA_CLIENT_ID" \
  -d "client_secret=$DECK_OKTA_CLIENT_SECRET" \
  -d "scope=api:access" | jq -r '.access_token')

Send the A2A request with the token:

curl -X POST "$KONNECT_PROXY_URL/a2a" \
     --no-progress-meter --fail-with-body  \
     -H "Content-Type: application/json"\
     -H "Authorization: Bearer $TOKEN" \
     --json '{
       "jsonrpc": "2.0",
       "id": "1",
       "method": "message/send",
       "params": {
         "message": {
           "kind": "message",
           "messageId": "msg-001",
           "role": "user",
           "parts": [
             {
               "kind": "text",
               "text": "How much is 100 USD in EUR?"
             }
           ]
         }
       }
     }'

curl -X POST "http://localhost:8000/a2a" \
     --no-progress-meter --fail-with-body  \
     -H "Content-Type: application/json"\
     -H "Authorization: Bearer $TOKEN" \
     --json '{
       "jsonrpc": "2.0",
       "id": "1",
       "method": "message/send",
       "params": {
         "message": {
           "kind": "message",
           "messageId": "msg-001",
           "role": "user",
           "parts": [
             {
               "kind": "text",
               "text": "How much is 100 USD in EUR?"
             }
           ]
         }
       }
     }'

Kong Gateway validates the bearer token via Okta’s JWKS endpoint, then proxies the request to the upstream A2A agent. A successful response contains a completed task with the currency conversion result.

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

FAQs

Does OpenID Connect interfere with the AI A2A Proxy plugin?

No. The AI A2A Proxy plugin handles A2A protocol detection, metadata extraction, and observability. The OpenID Connect plugin runs independently in the access phase. Both plugins can be applied to the same Route without conflict.

Can I use a different identity provider instead of Okta?

Yes. The OpenID Connect plugin works with any OIDC-compliant identity provider (Keycloak, Auth0, Azure AD, etc.). Replace the issuer, client_id, and client_secret with values from your provider.

Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support