Set Up External Portal Application Authentication with Azure AD and OIDC

    • The configuration option is configured for your OAuth provider and strategy (kong-oauth2 or external-oauth2). See for the Portal Application Registration plugin.

    Create an Application in Azure

    1. Within Azure, go to the App registrations service and register a new application.

    2. In Certificates & secrets, create a Client secret and save it in a secure location. You can only view the secret once.

    3. Under Manifest, update accessTokenAcceptedVersion=2 (default is null). The JSON for your application should look similar to this example:

      Azure Manifest

    Using cURL

    Using HTTPie

    1. $ http PUT :8001/services/httpbin-service-azure \
    2.   url=https://httpbin.org/anything

    Create a Route in Kong

    Using cURL

    Using HTTPie

    1. $ curl -i -X PUT http://<admin-server>:8001/services/httpbin-service-azure/routes/httpbin-route-azure \
    1. $ http -f PUT :8001/services/httpbin-service-azure/routes/httpbin-route-azure \
    2.   paths=/httpbin-azure

    Map the OpenID Connect and Application Registration plugins to the Service. The plugins must be applied to a Service to work properly.

    Using cURL

    Using HTTPie

    1. $ http -f :8001/services/httpbin-service-azure/plugins \
    2.   name=openid-connect \
    3.   config.issuer=https://login.microsoftonline.com/<your_tenant_id>/v2.0 \
    4.   config.display_errors=true \
    5.   config.client_id=<your_client_id> \
    6.   config.client_secret="<your_client_secret>" \
    7.   config.redirect_uri="https://example.com/api" \
    8.   config.consumer_claim=aud \
    10.   config.scopes=<your_client_id>/.default \
    11.   config.verify_parameters=false

    Step 2: Configure the Application Registration plugin for the Service

    Using cURL

    Using HTTPie

    1. $ curl -X POST http://<admin-hostname>:8001/services/httpbin-service-azure/plugins \
    2.   --data "name=application-registration"  \
    3.   --data "config.auto_approve=true" \
    4.   --data "config.description=Uses consumer claim with various values (sub, aud, etc.) as registration id to support different flows and use cases." \
    5.   --data "config.display_name=For Azure" \
    6.   --data "config.show_issuer=true"
    1. $ http -f :8001/services/httpbin-service-azure/plugins \
    2.   name=application-registration \
    3.   config.auto_approve=true \
    4.   config.display_name="For Azure" \
    5.   config.show_issuer=true

    Get an access token using the Client Credential workflow and convert the token into a JSON Web Token (JWT). Replace the placeholder values with your values for <your_tenant_id>, <your_client_id>,<your_client_secret>, and .

    Get an access token from Azure:

    Using cURL

    Using HTTPie

    1. $ https -f POST "https://login.microsoftonline.com/<your_tenant_id>/oauth2/v2.0/token" \
    2.   scope=<your_client_id>/.default \
    3.   grant_type=client_credentials \
    4.   -a <your_client_id>:<your_client_secret>

    Step 4: Convert an access token into a JWT token

    1. Paste the access token obtained from the previous step into JWT.

    2. Click Share JWT to copy the value for the claim to your clipboard. You will use the aud value as your Reference ID in the next procedure.

    Create an Application in Kong

    1. Log in to your Dev Portal and create a new application:

      1. Select the My Apps menu -> New Application.
      2. Enter the Name of your Azure application.
      3. Paste the aud value generated in JWT in the Reference ID field.
      4. (Optional) Enter a Description.

      The Create Application form should look similar to this example:

      Create Azure Application

    3. After you create your application, make sure you activate the Service. In the Services section of the Application Dashboard, click Activate on the Service you want to use.

      The view application details page should look similar to this example:

      Because you enabled on the associated Application Registration Plugin, an admin won’t need to approve the request.

    Follow these instructions to test your client credentials or authorization code flows with your Azure AD implementation.

    Step 1: Get a token

    Using cURL

    Using HTTPie

    1. $ curl -i -X POST https://<proxy-hostname>:8443/httpbin-azure/oauth2/v2.0/token \
    2.   --data grant_type="client_credentials" \
    3.   --data client_id=<your_client_id> \
    4.   --data client_secret=<your_client_secret>
    1. $ https -f POST "https://<admin-hostname>:8443/httpbin-azure/oauth2/v2.0/token" \
    2.   scope=<your_client_id>/.default \
    3.   grant_type=client_credentials \
    4.   -a <your_client_id>:<your_client_secret> \
    5.   --verify NO

    Step 2: Use the token in an authorization header to retrieve the data

    Using cURL

    Using HTTPie

      Replace <token_from_above> with the bearer token you generated in the previous step.

      Test Authorization Code Flow

      In your browser, go to .

      You should be guided through a log in process within Azure and then the results delivered in your browser.

      Troubleshoot