mTLS Proof-of-Possession with certificate in header (v3.15+)
Configure the OpenID Connect plugin to validate certificate-bound access tokens in deployments where TLS is terminated before reaching Kong Gateway.
When a WAF or load balancer terminates TLS, it injects the client certificate as an HTTP header.
Use proof_of_possession_mtls_from_header to tell the plugin which header to read the certificate from, and set proof_of_possession_mtls: strict to validate that the certificate thumbprint matches the cnf.x5t#S256 claim bound in the access token.
For a complete tutorial, see Configure OIDC with mTLS Proof-of-Possession via header.
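To make the binding concrete, here is an added Python example (not Kong's code and not from the page) of the check the plugin performs when proof_of_possession_mtls is strict: decode the certificate the TLS terminator forwarded in the x-client-cert header, hash its DER bytes with SHA-256, and compare the base64url result against the cnf.x5t#S256 claim of the bearer token. The url_encoded branch assumes that header format carries a URL-encoded PEM certificate; the DER bytes, the token and the client names are constructed, and the token's signature is treated as already verified by the plugin.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse

# Added example, not Kong's code: the binding check the page describes, i.e. the
# SHA-256 thumbprint of the forwarded certificate against the token's
# cnf.x5t#S256 claim. Every sample value below is constructed.
CERT_HEADER = "x-client-cert"  # certificate_header_name from the page

def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding x5t#S256 uses (RFC 8705)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def x5t_s256(der: bytes) -> str:
    """The thumbprint is SHA-256 over the DER encoding, never over PEM text."""
    return b64url_encode(hashlib.sha256(der).digest())

def header_to_der(value: str, fmt: str) -> bytes:
    """Recover DER bytes from the header the TLS terminator injected."""
    if fmt == "base64_encoded":  # plain base64 of the DER certificate
        return base64.b64decode(value, validate=True)
    if fmt == "url_encoded":  # assumed: URL-encoded PEM, as nginx forwards it
        pem = urllib.parse.unquote(value)
        body = "".join(ln.strip() for ln in pem.splitlines()
                       if ln.strip() and not ln.startswith("-----"))
        return base64.b64decode(body, validate=True)
    raise ValueError(f"unsupported certificate_header_format: {fmt}")

def cnf_thumbprint(token: str):
    """Read cnf.x5t#S256 from a JWT payload. Signature checking is out of scope:
    the plugin validates the token first and only then checks possession."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        seg = parts[1] + "=" * (-len(parts[1]) % 4)
        payload = json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    cnf = payload.get("cnf") if isinstance(payload, dict) else None
    tp = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    return tp if isinstance(tp, str) else None

def check_possession(headers: dict, token: str, fmt: str = "base64_encoded"):
    """proof_of_possession_mtls: strict for a bearer token: a token without cnf,
    a missing header or a mismatching thumbprint is rejected."""
    expected = cnf_thumbprint(token)
    if expected is None:
        return False, "token carries no cnf.x5t#S256 claim"
    value = headers.get(CERT_HEADER)
    if value is None:
        return False, f"no {CERT_HEADER} header from the TLS terminator"
    try:
        actual = x5t_s256(header_to_der(value, fmt))
    except ValueError as exc:
        return False, f"unparseable certificate header: {exc}"
    if hmac.compare_digest(actual.encode(), expected.encode()):
        return True, "certificate thumbprint matches cnf.x5t#S256"
    return False, "certificate thumbprint does not match cnf.x5t#S256"

# Constructed stand-in for a DER certificate: only its bytes matter here.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def pem_url_header(der: bytes) -> str:
    """What a proxy would inject for certificate_header_format: url_encoded."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return urllib.parse.quote(pem, safe="")

def make_sample_token(der: bytes) -> str:
    """Constructed certificate-bound token; the signature segment is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "iss": "http://keycloak.test:8080/realms/master",
        "sub": "constructed-client",
        "cnf": {"x5t#S256": x5t_s256(der)},
    }).encode())
    return f"{header}.{payload}.placeholder-signature"

def demo() -> dict:
    token = make_sample_token(SAMPLE_DER)
    good = {CERT_HEADER: base64.b64encode(SAMPLE_DER).decode("ascii")}
    other = {CERT_HEADER: base64.b64encode(SAMPLE_DER[:-1] + b"\x00").decode("ascii")}
    pem = {CERT_HEADER: pem_url_header(SAMPLE_DER)}
    return {
        "matching": check_possession(good, token),
        "other_cert": check_possession(other, token),
        "no_header": check_possession({}, token),
        "pem_header": check_possession(pem, token, "url_encoded"),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:11s} {'ALLOW' if ok else 'DENY'}: {why}")
```

Running the block prints one ALLOW/DENY line per scenario. The check is only as trustworthy as the header it reads: ca_certificates and ssl_verify in the configuration below ensure the forwarded certificate chains to your CA, and the TLS terminator should be the component that sets x-client-cert on requests reaching Kong Gateway.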
Prerequisites

- An identity provider (IdP) configured with OAuth 2.0 Mutual TLS Certificate Bound Access Tokens
- A CA certificate added as a CA Certificate entity in Kong Gateway
- A WAF or L7 proxy that terminates TLS and injects the client certificate as an HTTP header

Environment variables

- ISSUER: The well-known issuer endpoint of your IdP, for example http://keycloak.test:8080/realms/master.
- CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.
- CLIENT_SECRET: The client secret needed to connect to your IdP.
- CA_CERT_ID: The UUID of the CA Certificate entity in Kong Gateway used to validate the client certificate.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: openid-connect
config:
issuer: ${{ env "DECK_ISSUER" }}
client_id:
- ${{ env "DECK_CLIENT_ID" }}
client_secret:
- ${{ env "DECK_CLIENT_SECRET" }}
auth_methods:
- bearer
proof_of_possession_mtls: strict
proof_of_possession_auth_methods_validation: true
proof_of_possession_mtls_from_header:
certificate_header_name: x-client-cert
certificate_header_format: base64_encoded
ca_certificates:
- ${{ env "DECK_CA_CERT_ID" }}
ssl_verify: trueMake the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"auth_methods": [
"bearer"
],
"proof_of_possession_mtls": "strict",
"proof_of_possession_auth_methods_validation": true,
"proof_of_possession_mtls_from_header": {
"certificate_header_name": "x-client-cert",
"certificate_header_format": "base64_encoded",
"ca_certificates": [
"'$CA_CERT_ID'"
],
"ssl_verify": true
}
},
"tags": []
}
'

Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"auth_methods": [
"bearer"
],
"proof_of_possession_mtls": "strict",
"proof_of_possession_auth_methods_validation": true,
"proof_of_possession_mtls_from_header": {
"certificate_header_name": "x-client-cert",
"certificate_header_format": "base64_encoded",
"ca_certificates": [
"'$CA_CERT_ID'"
],
"ssl_verify": true
}
},
"tags": []
}
'

Make sure to replace the following placeholders with your own values:

- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  issuer: '$ISSUER'
  client_id:
    - '$CLIENT_ID'
  client_secret:
    - '$CLIENT_SECRET'
  auth_methods:
    - bearer
  proof_of_possession_mtls: strict
  proof_of_possession_auth_methods_validation: true
  proof_of_possession_mtls_from_header:
    certificate_header_name: x-client-cert
    certificate_header_format: base64_encoded
    ca_certificates:
      - '$CA_CERT_ID'
    ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true
  config = {
    issuer        = var.issuer
    client_id     = [var.client_id]
    client_secret = [var.client_secret]
    auth_methods  = ["bearer"]
    proof_of_possession_mtls                    = "strict"
    proof_of_possession_auth_methods_validation = true
    proof_of_possession_mtls_from_header = {
      certificate_header_name   = "x-client-cert"
      certificate_header_format = "base64_encoded"
      ca_certificates           = [var.ca_cert_id]
      ssl_verify                = true
    }
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest (the resource references all four of them). You can specify values at runtime by setting TF_VAR_name=value.

variable "ca_cert_id" {
  type = string
}
variable "issuer" { type = string }
variable "client_id" { type = string }
variable "client_secret" { type = string }

Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: openid-connect
    service: serviceName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
        - ${{ env "DECK_CLIENT_ID" }}
      client_secret:
        - ${{ env "DECK_CLIENT_SECRET" }}
      auth_methods:
        - bearer
      proof_of_possession_mtls: strict
      proof_of_possession_auth_methods_validation: true
      proof_of_possession_mtls_from_header:
        certificate_header_name: x-client-cert
        certificate_header_format: base64_encoded
        ca_certificates:
          - ${{ env "DECK_CA_CERT_ID" }}
        ssl_verify: true

Make sure to replace the following placeholders with your own values:

- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"auth_methods": [
"bearer"
],
"proof_of_possession_mtls": "strict",
"proof_of_possession_auth_methods_validation": true,
"proof_of_possession_mtls_from_header": {
"certificate_header_name": "x-client-cert",
"certificate_header_format": "base64_encoded",
"ca_certificates": [
"'$CA_CERT_ID'"
],
"ssl_verify": true
}
},
"tags": []
}
'

Make sure to replace the following placeholders with your own values:

- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"auth_methods": [
"bearer"
],
"proof_of_possession_mtls": "strict",
"proof_of_possession_auth_methods_validation": true,
"proof_of_possession_mtls_from_header": {
"certificate_header_name": "x-client-cert",
"certificate_header_format": "base64_encoded",
"ca_certificates": [
"'$CA_CERT_ID'"
],
"ssl_verify": true
}
},
"tags": []
}
'

Make sure to replace the following placeholders with your own values:

- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  issuer: '$ISSUER'
  client_id:
    - '$CLIENT_ID'
  client_secret:
    - '$CLIENT_SECRET'
  auth_methods:
    - bearer
  proof_of_possession_mtls: strict
  proof_of_possession_auth_methods_validation: true
  proof_of_possession_mtls_from_header:
    certificate_header_name: x-client-cert
    certificate_header_format: base64_encoded
    ca_certificates:
      - '$CA_CERT_ID'
    ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=openid-connect

Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true
  config = {
    issuer        = var.issuer
    client_id     = [var.client_id]
    client_secret = [var.client_secret]
    auth_methods  = ["bearer"]
    proof_of_possession_mtls                    = "strict"
    proof_of_possession_auth_methods_validation = true
    proof_of_possession_mtls_from_header = {
      certificate_header_name   = "x-client-cert"
      certificate_header_format = "base64_encoded"
      ca_certificates           = [var.ca_cert_id]
      ssl_verify                = true
    }
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest (the resource references all four of them). You can specify values at runtime by setting TF_VAR_name=value.

variable "ca_cert_id" {
  type = string
}
variable "issuer" { type = string }
variable "client_id" { type = string }
variable "client_secret" { type = string }

Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: openid-connect
    route: routeName|Id
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
        - ${{ env "DECK_CLIENT_ID" }}
      client_secret:
        - ${{ env "DECK_CLIENT_SECRET" }}
      auth_methods:
        - bearer
      proof_of_possession_mtls: strict
      proof_of_possession_auth_methods_validation: true
      proof_of_possession_mtls_from_header:
        certificate_header_name: x-client-cert
        certificate_header_format: base64_encoded
        ca_certificates:
          - ${{ env "DECK_CA_CERT_ID" }}
        ssl_verify: true

Make sure to replace the following placeholders with your own values:

- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"auth_methods": [
"bearer"
],
"proof_of_possession_mtls": "strict",
"proof_of_possession_auth_methods_validation": true,
"proof_of_possession_mtls_from_header": {
"certificate_header_name": "x-client-cert",
"certificate_header_format": "base64_encoded",
"ca_certificates": [
"'$CA_CERT_ID'"
],
"ssl_verify": true
}
},
"tags": []
}
'

Make sure to replace the following placeholders with your own values:

- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "openid-connect",
"config": {
"issuer": "'$ISSUER'",
"client_id": [
"'$CLIENT_ID'"
],
"client_secret": [
"'$CLIENT_SECRET'"
],
"auth_methods": [
"bearer"
],
"proof_of_possession_mtls": "strict",
"proof_of_possession_auth_methods_validation": true,
"proof_of_possession_mtls_from_header": {
"certificate_header_name": "x-client-cert",
"certificate_header_format": "base64_encoded",
"ca_certificates": [
"'$CA_CERT_ID'"
],
"ssl_verify": true
}
},
"tags": []
}
'

Make sure to replace the following placeholders with your own values:

- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  issuer: '$ISSUER'
  client_id:
    - '$CLIENT_ID'
  client_secret:
    - '$CLIENT_SECRET'
  auth_methods:
    - bearer
  proof_of_possession_mtls: strict
  proof_of_possession_auth_methods_validation: true
  proof_of_possession_mtls_from_header:
    certificate_header_name: x-client-cert
    certificate_header_format: base64_encoded
    ca_certificates:
      - '$CA_CERT_ID'
    ssl_verify: true
plugin: openid-connect
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the httproute or ingress resource (replace HTTPROUTE_NAME or INGRESS_NAME with the name of your resource):

kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=openid-connect

kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=openid-connect

Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true
  config = {
    issuer        = var.issuer
    client_id     = [var.client_id]
    client_secret = [var.client_secret]
    auth_methods  = ["bearer"]
    proof_of_possession_mtls                    = "strict"
    proof_of_possession_auth_methods_validation = true
    proof_of_possession_mtls_from_header = {
      certificate_header_name   = "x-client-cert"
      certificate_header_format = "base64_encoded"
      ca_certificates           = [var.ca_cert_id]
      ssl_verify                = true
    }
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest (the resource references all four of them). You can specify values at runtime by setting TF_VAR_name=value.

variable "ca_cert_id" {
  type = string
}
variable "issuer" { type = string }
variable "client_id" { type = string }
variable "client_secret" { type = string }