Enable OIDC for Kong Manager

Kong Gateway offers the ability to bind authentication for Kong Manager admins to an organization’s OpenID Connect Identity Provider using the OpenID Connect Plugin.

Note: By using the configuration below, it is unnecessary to manually enable the plugin. The configuration alone will enable OIDC for Kong Manager.

Set up RBAC with OIDC

The following is an example using Google as the IdP and serving Kong Manager from its default URL, http://127.0.0.1:8002.

The admin_gui_auth_config value must be valid JSON. The following is an example of the configuration:

  1. enforce_rbac = on
  2. admin_gui_auth=openid-connect
  3. admin_gui_session_conf = { "secret":"set-your-string-here" }
  4. admin_gui_auth_conf={ \
  5. "issuer": "https://accounts.google.com/", \
  6. "client_id": ["<ENTER_YOUR_CLIENT_ID>"], \
  7. "client_secret": ["<ENTER_YOUR_CLIENT_SECRET_HERE>"], \
  8. "admin_claim": ["email"], \
  9. "redirect_uri": ["http://localhost:8002/default"], \
  10. }

While authenticating Kong Manager with OpenID Connect, make sure that your IdP supports the authorization_code grant type and is enabled for the associated client.

The following are configuration parameters in admin_gui_auth_conf for openid-connect:

parameterdata typedefault valuenotes
issuer
required
String“input issuer”A string representing a URL
client_id
required
Array[“input client id”]The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
client_secret
required
Array[“input client secret”]The client secret.
redirect_uri
required
Array[“input http://ip:8002/default”]The redirect URI passed to the authorization and token endpoints.
authenticated_groups_claim
required
Array[“groups”]The claim that contains authenticated groups.
admin_claim
required
Array[“email”]Retrieve the field as a username.
admin_auto_create
optional
BooleantrueThis parameter is used to enable the automatic creation of administrators.
ssl_verify
optional
BooleanfalseVerify identity provider server certificate.

The Sessions plugin (configured with admin_gui_session_conf) requires a secret and is configured securely by default.

  • Under all circumstances, the secret must be manually set to a string.
  • If using HTTP instead of HTTPS, cookie_secure must be manually set to false.
  • If using different domains for the Admin API and Kong Manager, cookie_same_site must be set to Lax.

Learn more about these properties in Session Security in Kong Manager, and see example configurations.

Replace the entries surrounded by <> with values that are valid for your IdP. For example, Google credentials can be found here: https://console.cloud.google.com/projectselector/apis/credentials

Create an admin

Create an admin that has a username matching the email returned from the identity provider upon successful login:

  1. curl -i -X POST http://localhost:8001/admins \
  2. --data username="<admin_email>" \
  3. --data email="<admin_email>" \
  4. --header Kong-Admin-Token:<RBAC_TOKEN>

For example, if a user has the email address example_user@example.com:

  1. curl -i -X POST http://localhost:8001/admins \
  2. --data username="example_user@example_com" \
  3. --data email="example_user@example.com" \
  4. --header Kong-Admin-Token:<RBAC_TOKEN>

Note: The email entered for the admin in the request is used to ensure the admin receives an email invitation, whereas username is the attribute that the plugin uses with the IdP.

Assign a role to the admin

Assign the new admin at least one role so they can log in and access Kong entities:

  1. curl -i -X POST http://localhost:8001/admins/<admin_email>/roles \
  2. --data roles="<role-name>" \
  3. --header Kong-Admin-Token:<RBAC_TOKEN>

For example, to grant example_user@example.com the role of super admin:

  1. curl -i -X POST http://localhost:8001/admins/example_user@example.com/roles \
  2. --data roles="super-admin" \
  3. --header Kong-Admin-Token:<RBAC_TOKEN>