OAuth 2.0 Introspection: Kong Identity - Plugin

Kong Identity

Configure the plugin to use a Kong Identity auth server’s introspection endpoint to validate an access token. For a complete tutorial, see Configure the OAuth 2.0 Introspection plugin with Kong Identity.

Environment variables

AUTHORIZATION_HEADER_VALUE: The value to set for the Authorization header to access the introspection endpoint. For Kong Identity, it will be a basic auth header with your Base64-encoded client ID and secret: Basic $ENCODED_CREDENTIALS.
INTROSPECTION_URL: The full URL to the introspection endpoint. For Kong Identity, it will look like https://a93xltvowjk8m1qe.us.identity.konghq.com/auth/introspect
CLAIM_NAME: The name of your claim in the Kong Identity auth server.

Set up the plugin

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "oauth2-introspection",
      "config": {
        "introspection_url": "'$INTROSPECTION_URL'",
        "authorization_value": "'$AUTHORIZATION_HEADER_VALUE'",
        "consumer_by": "client_id",
        "custom_claims_forward": [
          "'$CLAIM_NAME'"
        ]
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
  enabled = true

  config = {
    introspection_url = var.introspection_url
    authorization_value = var.authorization_header_value
    consumer_by = "client_id"
    custom_claims_forward = [var.claim_name]
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "claim_name" {
  type = string
}

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "oauth2-introspection",
      "config": {
        "introspection_url": "'$INTROSPECTION_URL'",
        "authorization_value": "'$AUTHORIZATION_HEADER_VALUE'",
        "consumer_by": "client_id",
        "custom_claims_forward": [
          "'$CLAIM_NAME'"
        ]
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
  enabled = true

  config = {
    introspection_url = var.introspection_url
    authorization_value = var.authorization_header_value
    consumer_by = "client_id"
    custom_claims_forward = [var.claim_name]
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "claim_name" {
  type = string
}

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "oauth2-introspection",
      "config": {
        "introspection_url": "'$INTROSPECTION_URL'",
        "authorization_value": "'$AUTHORIZATION_HEADER_VALUE'",
        "consumer_by": "client_id",
        "custom_claims_forward": [
          "'$CLAIM_NAME'"
        ]
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
  enabled = true

  config = {
    introspection_url = var.introspection_url
    authorization_value = var.authorization_header_value
    consumer_by = "client_id"
    custom_claims_forward = [var.claim_name]
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "claim_name" {
  type = string
}

OAuth 2.0 Introspection

Kong Identity

Environment variables

Set up the plugin

Help us make these docs great!

Still need help