OpenID Connect with Auth0

This configuration will use a as it is non-interactive, and because we expect clients to authenticate on behalf of themselves, not an end-user. To do so, you will need to create an Auth0 API and a .

When creating your API, you will need to specify an Identifier. Using the URL that your consumer makes requests to is generally appropriate, so this will typically be the hostname/path combination configured as an API in Kong.

Client Configuration

You will need to authorize your client to access your API. Auth0 will prompt you to do so after client creation if you select the API you created previously from the client’s Quick Start menu. After toggling the client to Authorized, expand its authorization settings and enable the scope.

If you have not done so already, to protect. The url configuration should match the Identifier you used when configuring Auth0.

The service accessing your resource will need to pass its credentials to Kong. It can do so via HTTP basic authentication, query string arguments, or parameters in the request body. Basic authentication is generally preferable, as credentials in a query string will be present in Kong’s access logs (and possibly in other infrastructure’s access logs, if you have HTTP-aware infrastructure in front of Kong) and credentials in request bodies are limited to request methods that expect client payloads.

For basic authentication, use your client ID as the username and your client secret as the password. For the other methods, pass them as parameters named and client_secret, respectively.