Set Up External Portal Application Authentication with Okta and OIDC

    Follow these steps to set up an authorization server in Okta for all authorization types.

    1. Sign in to the .

    2. Click API > Authorization Servers.

      Notice that you already have an authorization server set up named . This example uses the default auth server. You can also create as many custom authorization servers as necessary to fulfill your requirements. For more information, refer to the Okta developer documentation.

    3. Click default to view the details for the default auth server. Take note of the Issuer URL, which you will use to associate Kong with your authorization server.

      Okta Issuer URL

    4. Click the Claims tab.

    5. Click Add Claim. Add a custom claim called application_id that will attach any successfully authenticated application’s id to the access token.

      1. Ensure the Include in token type selection is Access Token.
      2. Enter app.clientId in the Value field.
      3. Click Create.

      Okta Claim

    6. Create a Service and a Route and instantiate an OIDC plugin on that Service. You can allow most options to use their defaults.

      1. In the Config.Issuer field, enter the Issuer URL of the Authorization server from your identity provider.

      2. In the Config.Consumer Claim field, enter your <application_id>.

      Tip: Because Okta’s discovery document does not include all supported auth types by default, ensure the option is disabled.

      Clear Config Verify Parameters for OIDC with Okta

      The core configuration should be:

    7. Configure a Portal Application Registration plugin on the Service as well. See .

    Follow these steps to register an application in Okta and associate the Okta application with an application in the Kong Dev Portal.

    1. Sign in to the Developer Okta site.

    2. Depending on which authentication flow you want to implement, the setup of your Okta application will vary:

      • Client Credentials: Select Machine-to-Machine when prompted for an application type.

      You will need your client_id and client_secret later on when you .

      • Implicit Grant: Select Single-Page App, Native, or Web when prompted for an application type. Make sure Implicit is selected for Allowed grant types. Enter the Login redirect URIs, Logout redirect URIs, and fields with the correct values, depending on your application’s routing. The Implicit Grant flow is not recommended if the Authorization Code flow is possible.

      • Authorization Code: Select Single-Page App, Native, or Web when prompted for an application type. Make sure Authorization Code is selected for Allowed grant types. Enter the Login redirect URIs, Logout redirect URIs, and Initiate login URI fields with the correct values, depending on your application’s routing.

    Now that the application has been configured in Okta, you need to associate the Okta application with the corresponding application in Kong’s Dev Portal.

    Note: Each developer should have their own application in both Okta and Kong. Each Okta application has its own `client_id` that maps to its respective application in Kong. Essentially, this maps identity provider applications to portal applications.

    This example assumes Client Credentials is the chosen OAuth flow.

    1. In the Kong Dev Portal, create an account if you haven’t already.
    2. After you’ve logged in, click My Apps.
    3. On the Applications page, click + New Application.

    4. Complete the Name and Description fields. Paste the of your corresponding Okta (or other identity provider) application into the Reference Id field.

      Kong Create Application with Reference Id

    Now that the application has been created, developers can authenticate with the endpoint using the supported and recommended third-party OAuth flows.