Third-party OAuth2 Support for Application Registration

    The Kong and Portal Application Registration plugins are used in conjunction with each other on a Service:

    • The OIDC plugin handles all aspects of the OAuth2 handshake, including looking up the Consumer via (the custom_id matches the identity provider client_id claim).

    • The Application Registration plugin is responsible for checking the mapped Consumer and ensuring the Consumer has the correct ACL (Access Control List) permissions to access the Route.

    The Kong OIDC plugin supports many identity providers out of the box. The following providers have been tested for the current version of the Kong Portal Application Registration plugin used in tandem with the Kong OIDC plugin:

    How you authenticate with a Service depends on its underlying OAuth2 implementation. For more information, reference the documentation below for your implemented identity provider and OAuth flow.

    Supported OAuth flows

    Password Grant and are available but not recommended because they are less secure than the Authorization Code and Client Credentials flows.

    In this flow, a developer makes a request against the Service with the OIDC and Application Registration plugins applied. This request should contain the and client_secret as a Basic Auth authentication header:

    Authorization: Basic client_id:client_secret

    The client_id:client_secret should be base64-encoded.

    The following sequence diagram illustrates the Client Credentials flow through the OIDC and Application Registration plugins. Click on the image to expand its view.

    Due to limitations of the OIDC plugin, a single plugin instance cannot handle dynamic client_id's provisioned from multiple sources (applications). To circumvent this issue, the IdP Issuer URL is exposed to developers on the Dev Portal application show page when show_issuer is enabled in the Application Registration plugin. Developers can hit the Issuer URL directly to provision an access token. After getting the access token, requests can be made against the proxy.

    2. After the initial access token handshake has been completed, make subsequent requests to the Kong service using that access token as a . After the first successful request, the OIDC plugin will establish a session with the client so that the access token does not need to be continually passed with every request.

    The following sequence diagram illustrates the Authorization Code flow through the OIDC and Application Registration plugins. Click on the image to expand its view.

    Authorization Code Flow

    StepExplanation
    aA developer copies the target Service’s , which can be exposed in the Dev Portal application view Service Details page. Developers can configure their application to make a request to this endpoint to authenticate the user and retrieve an access token.
    bOkta redirects the user to a login page.
    cThe user inputs their Single Sign-On (SSO) information.
    dThe user submits the SSO form that contains their Okta username and password.
    eUpon a successful login, the application is given an access token to make against calls for all subsequent requests.
    fThe user makes a request to the protected Service and Route.
    gThe OIDC plugin takes the access token and runs introspection, consulting the Okta authorization server if necessary. After the access token has been verified, the plugin matches the custom claim to find the associated application Consumer via its custom_id.
    hThe request is passed to the Application Registration plugin, which checks to make sure the Consumer has the appropriate ACL (Access Control List) permissions.
    iThe request is proxied to the Upstream.

    The Implicit Grant flow is not recommended if the Authorization Code flow is possible.

    1. Set up the application to secure an access token against the IdP directly. For more information about implementing the Implicit Grant flow with Okta, refer to the .