OAuth 2.0 client credentials authenticationv3.15+
Authenticate to a Solace broker using OAuth 2.0 client credentials. Kong Gateway fetches and renews access tokens automatically.
Prerequisites
-
Solace installed and running
-
An OAuth 2.0 identity provider that supports the client credentials grant
-
The Solace broker configured to accept OAuth 2.0 tokens
Environment variables
-
SOLACE_HOST: The IPv4 or IPv6 address or hostname of the Solace broker. Use a TLS listener, for exampletcps://127.0.0.1:55443. -
SOLACE_DESTINATION: The name of the Solace queue or topic to publish logs to. -
TOKEN_ENDPOINT_URL: The URL of the OAuth 2.0 token endpoint. -
CLIENT_ID: The OAuth 2.0 client ID. -
CLIENT_SECRET: The OAuth 2.0 client secret.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: solace-log
config:
session:
host: ${{ env "SOLACE_HOST" }}
vpn_name: default
ssl_validate_certificate: true
authentication:
scheme: CLIENT_CREDENTIALS
client_credentials:
token_endpoint: ${{ env "DECK_TOKEN_ENDPOINT_URL" }}
client_id: ${{ env "DECK_CLIENT_ID" }}
client_secret: ${{ env "DECK_CLIENT_SECRET" }}
eagerly_expire: 5
message:
destinations:
- name: ${{ env "SOLACE_DESTINATION" }}
type: QUEUE
delivery_mode: PERSISTENTMake the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "solace-log",
"config": {
"session": {
"host": "SOLACE_HOST",
"vpn_name": "default",
"ssl_validate_certificate": true,
"authentication": {
"scheme": "CLIENT_CREDENTIALS",
"client_credentials": {
"token_endpoint": "'$TOKEN_ENDPOINT_URL'",
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"eagerly_expire": 5
}
}
},
"message": {
"destinations": [
{
"name": "SOLACE_DESTINATION",
"type": "QUEUE"
}
],
"delivery_mode": "PERSISTENT"
}
},
"tags": []
}
'Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "solace-log",
"config": {
"session": {
"host": "SOLACE_HOST",
"vpn_name": "default",
"ssl_validate_certificate": true,
"authentication": {
"scheme": "CLIENT_CREDENTIALS",
"client_credentials": {
"token_endpoint": "'$TOKEN_ENDPOINT_URL'",
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"eagerly_expire": 5
}
}
},
"message": {
"destinations": [
{
"name": "SOLACE_DESTINATION",
"type": "QUEUE"
}
],
"delivery_mode": "PERSISTENT"
}
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: solace-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
labels:
global: 'true'
config:
session:
host: SOLACE_HOST
vpn_name: default
ssl_validate_certificate: true
authentication:
scheme: CLIENT_CREDENTIALS
client_credentials:
token_endpoint: '$TOKEN_ENDPOINT_URL'
client_id: '$CLIENT_ID'
client_secret: '$CLIENT_SECRET'
eagerly_expire: 5
message:
destinations:
- name: SOLACE_DESTINATION
type: QUEUE
delivery_mode: PERSISTENT
plugin: solace-log
" | kubectl apply -f -Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_solace_log" "my_solace_log" {
enabled = true
config = {
session = {
host = var.solace_host
vpn_name = "default"
ssl_validate_certificate = true
authentication = {
scheme = "CLIENT_CREDENTIALS"
client_credentials = {
token_endpoint = var.token_endpoint_url
client_id = var.client_id
client_secret = var.client_secret
eagerly_expire = 5
}
}
}
message = {
destinations = [
{
name = var.solace_destination
type = "QUEUE"
} ]
delivery_mode = "PERSISTENT"
}
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "client_secret" {
type = string
}Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: solace-log
service: serviceName|Id
config:
session:
host: ${{ env "SOLACE_HOST" }}
vpn_name: default
ssl_validate_certificate: true
authentication:
scheme: CLIENT_CREDENTIALS
client_credentials:
token_endpoint: ${{ env "DECK_TOKEN_ENDPOINT_URL" }}
client_id: ${{ env "DECK_CLIENT_ID" }}
client_secret: ${{ env "DECK_CLIENT_SECRET" }}
eagerly_expire: 5
message:
destinations:
- name: ${{ env "SOLACE_DESTINATION" }}
type: QUEUE
delivery_mode: PERSISTENTMake sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "solace-log",
"config": {
"session": {
"host": "SOLACE_HOST",
"vpn_name": "default",
"ssl_validate_certificate": true,
"authentication": {
"scheme": "CLIENT_CREDENTIALS",
"client_credentials": {
"token_endpoint": "'$TOKEN_ENDPOINT_URL'",
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"eagerly_expire": 5
}
}
},
"message": {
"destinations": [
{
"name": "SOLACE_DESTINATION",
"type": "QUEUE"
}
],
"delivery_mode": "PERSISTENT"
}
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "solace-log",
"config": {
"session": {
"host": "SOLACE_HOST",
"vpn_name": "default",
"ssl_validate_certificate": true,
"authentication": {
"scheme": "CLIENT_CREDENTIALS",
"client_credentials": {
"token_endpoint": "'$TOKEN_ENDPOINT_URL'",
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"eagerly_expire": 5
}
}
},
"message": {
"destinations": [
{
"name": "SOLACE_DESTINATION",
"type": "QUEUE"
}
],
"delivery_mode": "PERSISTENT"
}
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: solace-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
session:
host: SOLACE_HOST
vpn_name: default
ssl_validate_certificate: true
authentication:
scheme: CLIENT_CREDENTIALS
client_credentials:
token_endpoint: '$TOKEN_ENDPOINT_URL'
client_id: '$CLIENT_ID'
client_secret: '$CLIENT_SECRET'
eagerly_expire: 5
message:
destinations:
- name: SOLACE_DESTINATION
type: QUEUE
delivery_mode: PERSISTENT
plugin: solace-log
" | kubectl apply -f -Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=solace-logPrerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_solace_log" "my_solace_log" {
enabled = true
config = {
session = {
host = var.solace_host
vpn_name = "default"
ssl_validate_certificate = true
authentication = {
scheme = "CLIENT_CREDENTIALS"
client_credentials = {
token_endpoint = var.token_endpoint_url
client_id = var.client_id
client_secret = var.client_secret
eagerly_expire = 5
}
}
}
message = {
destinations = [
{
name = var.solace_destination
type = "QUEUE"
} ]
delivery_mode = "PERSISTENT"
}
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "client_secret" {
type = string
}Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: solace-log
route: routeName|Id
config:
session:
host: ${{ env "SOLACE_HOST" }}
vpn_name: default
ssl_validate_certificate: true
authentication:
scheme: CLIENT_CREDENTIALS
client_credentials:
token_endpoint: ${{ env "DECK_TOKEN_ENDPOINT_URL" }}
client_id: ${{ env "DECK_CLIENT_ID" }}
client_secret: ${{ env "DECK_CLIENT_SECRET" }}
eagerly_expire: 5
message:
destinations:
- name: ${{ env "SOLACE_DESTINATION" }}
type: QUEUE
delivery_mode: PERSISTENTMake sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "solace-log",
"config": {
"session": {
"host": "SOLACE_HOST",
"vpn_name": "default",
"ssl_validate_certificate": true,
"authentication": {
"scheme": "CLIENT_CREDENTIALS",
"client_credentials": {
"token_endpoint": "'$TOKEN_ENDPOINT_URL'",
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"eagerly_expire": 5
}
}
},
"message": {
"destinations": [
{
"name": "SOLACE_DESTINATION",
"type": "QUEUE"
}
],
"delivery_mode": "PERSISTENT"
}
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "solace-log",
"config": {
"session": {
"host": "SOLACE_HOST",
"vpn_name": "default",
"ssl_validate_certificate": true,
"authentication": {
"scheme": "CLIENT_CREDENTIALS",
"client_credentials": {
"token_endpoint": "'$TOKEN_ENDPOINT_URL'",
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"eagerly_expire": 5
}
}
},
"message": {
"destinations": [
{
"name": "SOLACE_DESTINATION",
"type": "QUEUE"
}
],
"delivery_mode": "PERSISTENT"
}
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: solace-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
session:
host: SOLACE_HOST
vpn_name: default
ssl_validate_certificate: true
authentication:
scheme: CLIENT_CREDENTIALS
client_credentials:
token_endpoint: '$TOKEN_ENDPOINT_URL'
client_id: '$CLIENT_ID'
client_secret: '$CLIENT_SECRET'
eagerly_expire: 5
message:
destinations:
- name: SOLACE_DESTINATION
type: QUEUE
delivery_mode: PERSISTENT
plugin: solace-log
" | kubectl apply -f -Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=solace-logkubectl annotate -n kong ingress konghq.com/plugins=solace-logPrerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_solace_log" "my_solace_log" {
enabled = true
config = {
session = {
host = var.solace_host
vpn_name = "default"
ssl_validate_certificate = true
authentication = {
scheme = "CLIENT_CREDENTIALS"
client_credentials = {
token_endpoint = var.token_endpoint_url
client_id = var.client_id
client_secret = var.client_secret
eagerly_expire = 5
}
}
}
message = {
destinations = [
{
name = var.solace_destination
type = "QUEUE"
} ]
delivery_mode = "PERSISTENT"
}
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "client_secret" {
type = string
}