Configure portal sign-in with OIDC

TL;DR

Create a PortalIdentityProviderRequest that references your Portal and supplies your OIDC issuer, client ID, and client secret.

Prerequisites

This page is part of the Get started with Kong Operator and Dev Portal CRDs series.

Complete the previous page, Configure portal settings, before completing this page.

This guide requires an OIDC provider. In this example, we'll use Okta, but the steps are similar in any standards-compliant OIDC provider: you can also use Microsoft Entra ID, or run Keycloak locally and expose it with a tunnel.

You need an Okta admin account with a developer organization. If you prefer a different provider,

  1. In the Okta admin console, go to Applications > Applications and click Create App Integration.
  2. Select OIDC - OpenID Connect and click Next.
  3. Select Web Application and click Next.
  4. In the App integration name field, enter a name such as Dev Portal.
  5. Under Grant type, make sure Authorization Code is checked.
  6. Under Sign-in redirect URIs, add your Dev Portal callback URL. Use the hostname you configured for your portal, for example: https://portal.example.dev/callback.
  7. Click Save.
  8. From the app’s General tab, copy the Client ID and Client Secret.
  9. Go to Security > API > Authorization Servers and copy the Issuer URI of the default server, for example, https://your-org.okta.com/oauth2/default.
  10. Export the following environment variables:

    export OIDC_ISSUER_URL='YOUR_OKTA_ISSUER_URL'
    export OIDC_CLIENT_ID='YOUR_CLIENT_ID'
    export OIDC_CLIENT_SECRET='YOUR_CLIENT_SECRET'
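Before creating the Kubernetes resource, it is worth checking the issuer you just exported against the provider's own discovery document. The most common failure in a portal OIDC integration is an issuer mismatch (for example a trailing slash, or the org URL used where the authorization-server URL is required): the `issuer` value the provider advertises must match the configured `issuerURL` exactly, and the provider must advertise the authorization-code grant and the scopes the portal requests. The following script is an added example, not part of the Kong docs or the Kong Operator; the sample discovery document in it is constructed to look like an Okta default authorization server, and the script only fetches a live document when `OIDC_ISSUER_URL` is set.

```python
"""Sanity-check an OIDC issuer before wiring it into the portal.

Added example (not Kong's code). Fetches the issuer's OpenID Connect
discovery document and checks the things that most often break a portal
OIDC integration: the advertised `issuer` must equal the configured
issuerURL byte-for-byte, the authorization_code grant must be available,
and the scopes the portal requests must be advertised.
"""
import json
import os
import sys
import urllib.request

# Scopes the PortalIdentityProviderRequest in this guide asks for.
REQUIRED_SCOPES = ("openid", "profile", "email")


def discovery_url(issuer_url: str) -> str:
    """OIDC Discovery: the metadata lives at <issuer>/.well-known/openid-configuration."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc: dict, issuer_url: str, scopes=REQUIRED_SCOPES) -> list:
    """Return a list of problems; an empty list means the issuer looks usable."""
    problems = []
    advertised = doc.get("issuer")
    # Clients compare issuer strings exactly; a trailing slash is enough to fail.
    if advertised != issuer_url:
        problems.append(
            f"issuer mismatch: configured {issuer_url!r}, provider advertises {advertised!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    grants = doc.get("grant_types_supported")
    # grant_types_supported is optional; when absent, the spec default
    # already includes authorization_code.
    if grants is not None and "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    supported = doc.get("scopes_supported")
    if supported is not None:
        missing = [s for s in scopes if s not in supported]
        if missing:
            problems.append(f"scopes not advertised: {missing}")
    return problems


def fetch_discovery(issuer_url: str, timeout: float = 10.0) -> dict:
    """Download and parse the live discovery document (network access required)."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample, shaped like an Okta default authorization server.
# The hostname is a placeholder, not a real tenant.
SAMPLE_ISSUER = "https://your-org.okta.com/oauth2/default"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

if __name__ == "__main__":
    issuer = os.environ.get("OIDC_ISSUER_URL")
    doc = fetch_discovery(issuer) if issuer else SAMPLE_DOC
    problems = check_discovery(doc, issuer or SAMPLE_ISSUER)
    for p in problems:
        print("PROBLEM:", p)
    print("issuer OK" if not problems else "fix the problems above before applying")
    sys.exit(1 if problems else 0)
```

Run it with the environment variables from the previous step exported; a non-zero exit means the issuer URL or the provider configuration needs fixing before you create the resource.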

Create the PortalIdentityProviderRequest

The PortalIdentityProviderRequest configures the OIDC sign-in provider for the portal. Once applied, developers who visit the portal can sign in using your identity provider instead of a local account. Note that the client secret is written into the resource spec in plaintext, so treat the rendered manifest like any other secret: do not commit it to source control, and restrict who can read resources in the namespace.

Create the PortalIdentityProviderRequest resource:

echo '
apiVersion: konnect.konghq.com/v1alpha1
kind: PortalIdentityProviderRequest
metadata:
  name: operator-dev-portal-oidc
  namespace: kong
spec:
  portalRef:
    type: namespacedRef
    namespacedRef:
      name: operator-dev-portal
  apiSpec:
    type: oidc
    config:
      type: oIDC
      oIDC:
        clientID: '"$OIDC_CLIENT_ID"'
        clientSecret: '"$OIDC_CLIENT_SECRET"'
        issuerURL: '"$OIDC_ISSUER_URL"'
        scopes:
          - openid
          - profile
          - email
' | kubectl apply -f -

Validation

Check that the resource is ready:

kubectl wait portalidentityproviderrequest/operator-dev-portal-oidc -n kong \
  --for=condition=Programmed=True \
  --timeout=10m
