Kong Identityv1.0+
Configure the plugin to use a Kong Identity auth server’s introspection endpoint to validate an access token. For a complete tutorial, see Configure the OAuth 2.0 Introspection plugin with Kong Identity.
Environment variables
-
AUTHORIZATION_HEADER_VALUE: The value to set for theAuthorizationheader to access the introspection endpoint. For Kong Identity, it will be a basic auth header with your Base64-encoded client ID and secret:Basic $ENCODED_CREDENTIALS. -
INTROSPECTION_URL: The full URL to the introspection endpoint. For Kong Identity, it will look likehttps://a93xltvowjk8m1qe.us.identity.konghq.com/auth/introspect -
CLAIM_NAME: The name of your claim in the Kong Identity auth server.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "oauth2-introspection",
"config": {
"introspection_url": "'$INTROSPECTION_URL'",
"authorization_value": "'$AUTHORIZATION_HEADER_VALUE'",
"consumer_by": "client_id",
"custom_claims_forward": [
"'$CLAIM_NAME'"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
enabled = true
config = {
introspection_url = var.introspection_url
authorization_value = var.authorization_header_value
consumer_by = "client_id"
custom_claims_forward = [var.claim_name]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "claim_name" {
type = string
}
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "oauth2-introspection",
"config": {
"introspection_url": "'$INTROSPECTION_URL'",
"authorization_value": "'$AUTHORIZATION_HEADER_VALUE'",
"consumer_by": "client_id",
"custom_claims_forward": [
"'$CLAIM_NAME'"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
enabled = true
config = {
introspection_url = var.introspection_url
authorization_value = var.authorization_header_value
consumer_by = "client_id"
custom_claims_forward = [var.claim_name]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "claim_name" {
type = string
}
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "oauth2-introspection",
"config": {
"introspection_url": "'$INTROSPECTION_URL'",
"authorization_value": "'$AUTHORIZATION_HEADER_VALUE'",
"consumer_by": "client_id",
"custom_claims_forward": [
"'$CLAIM_NAME'"
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
enabled = true
config = {
introspection_url = var.introspection_url
authorization_value = var.authorization_header_value
consumer_by = "client_id"
custom_claims_forward = [var.claim_name]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "claim_name" {
type = string
}