mTLS Proof-of-Possession with certificate in header (v3.15+)

Configure the OpenID Connect plugin to validate certificate-bound access tokens in deployments where TLS is terminated before reaching Kong Gateway.

When a WAF or load balancer terminates TLS, it injects the client certificate as an HTTP header. Use proof_of_possession_mtls_from_header to tell the plugin which header to read the certificate from, and set proof_of_possession_mtls: strict to validate that the certificate thumbprint matches the cnf.x5t#S256 claim bound in the access token.
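To make the binding check concrete, here is an added example (not Kong's code) that does what the strict mode above does: compute the x5t#S256 thumbprint of the certificate found in the proxy-injected header and compare it with the cnf.x5t#S256 claim of the access token. It assumes the proxy sends the PEM URL-encoded in a header named X-Client-Cert; the certificate bytes and tokens are constructed test data, and the token is unsigned because only the claim comparison is shown here.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote


def x5t_s256(cert_pem: str) -> str:
    """x5t#S256 per RFC 8705: base64url(SHA-256(DER of the certificate)), no padding."""
    lines = [ln.strip() for ln in cert_pem.splitlines()]
    der = base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload only; signature verification is a separate, mandatory step."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def bound_to_header_cert(token: str, headers: dict, header_name: str) -> bool:
    """Strict check: True only when cnf.x5t#S256 in the token equals the thumbprint of the
    certificate the proxy injected (assumed URL-encoded PEM; adjust for your proxy)."""
    bound = jwt_claims(token).get("cnf", {}).get("x5t#S256")
    raw = headers.get(header_name)
    if bound is None or raw is None:  # unbound token, or no proxy-supplied certificate: reject
        return False
    return hmac.compare_digest(bound, x5t_s256(unquote(raw)))


# --- constructed sample data: not real certificates, not signed tokens ---
def pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


def make_token(claims: dict) -> str:
    """Unsigned test token (header.payload.) so claim decoding can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


HEADER = "X-Client-Cert"  # assumed name; set the same value in proof_of_possession_mtls_from_header
CLIENT_PEM = pem(bytes(range(48)))        # certificate the proxy saw during the TLS handshake
OTHER_PEM = pem(bytes(range(1, 49)))      # a different certificate, bound in a different token
HEADERS = {HEADER: quote(CLIENT_PEM, safe="")}

BOUND_TOKEN = make_token({"sub": "svc-a", "cnf": {"x5t#S256": x5t_s256(CLIENT_PEM)}})
OTHER_TOKEN = make_token({"sub": "svc-a", "cnf": {"x5t#S256": x5t_s256(OTHER_PEM)}})
UNBOUND_TOKEN = make_token({"sub": "svc-a"})
```

The check is only as trustworthy as the header: ensure the terminating proxy overwrites any client-supplied copy of that header before forwarding, otherwise a caller holding a stolen token could present the matching certificate PEM itself.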

For a complete tutorial, see Configure OIDC with mTLS Proof-of-Possession via header.

Prerequisites

  • An identity provider (IdP) configured with OAuth 2.0 Mutual TLS Certificate Bound Access Tokens

  • A CA certificate added as a CA Certificate entity in Kong Gateway

  • A WAF or L7 proxy that terminates TLS and injects the client certificate as an HTTP header

Environment variables

  • ISSUER: The well-known issuer endpoint of your IdP, for example http://keycloak.test:8080/realms/master.

  • CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.

  • CLIENT_SECRET: The client secret needed to connect to your IdP.

  • CA_CERT_ID: The UUID of the CA Certificate entity in Kong Gateway used to validate the client certificate.

Set up the plugin
