Set Up External Portal Application Authentication with Okta and OIDC
These instructions help you set up Okta as your third-party identity provider for use with the Kong OIDC and Portal Application Registration plugins.
Define an authorization server and create a custom claim in Okta
Follow these steps to set up an authorization server in Okta for all authorization types.
- Sign in to the Developer Okta site.
Click API > Authorization Servers.
Notice that you already have an authorization server set up named
default
. This example uses the default auth server. You can also create as many custom authorization servers as necessary to fulfill your requirements. For more information, refer to the Okta developer documentation.Click default to view the details for the default auth server. Take note of the
Issuer
URL, which you will use to associate Kong with your authorization server.Click the Claims tab.
Click Add Claim. Add a custom claim called
application_id
that will attach any successfully authenticated application’sid
to the access token.- Enter
application_id
in the Name field. - Ensure the
Include in token type
selection is Access Token. - Enter
app.clientId
in the Value field. - Click Create.
Now that you have created a custom claim, you can associate the
client_id
with a Service via the Application Registration plugin. Start by creating a Service in Kong Manager.- Enter
Create a Service and a Route and instantiate an OIDC plugin on that Service. You can allow most options to use their defaults.
In the
Config.Issuer
field, enter the Issuer URL of the Authorization server from your identity provider.In the
Config.Consumer Claim
field, enter your<application_id>
.
Tip: Because Okta’s discovery document does not include all supported auth types by default, ensure the
config.verify_parameters
option is disabled.The core configuration should be:
{
"issuer": "<auth_server_issuer_url>",
"verify_credentials": false,
"consumer_claim": "<application_id>",
}
Configure a Portal Application Registration plugin on the Service as well. See Application Registration.
Register an application in Okta
Follow these steps to register an application in Okta and associate the Okta application with an application in the Kong Dev Portal.
- Sign in to the Developer Okta site.
- Click Applications > + Add Application.
Depending on which authentication flow you want to implement, the setup of your Okta application will vary:
- Client Credentials: Select
Machine-to-Machine
when prompted for an application type.
You will need your
client_id
andclient_secret
later on when you authenticate with the proxy.Implicit Grant: Select
Single-Page App
,Native
, orWeb
when prompted for an application type. Make sureImplicit
is selected forAllowed grant types
. Enter theLogin redirect URIs
,Logout redirect URIs
, andInitiate login URI
fields with the correct values, depending on your application’s routing. The Implicit Grant flow is not recommended if the Authorization Code flow is possible.Authorization Code: Select
Single-Page App
,Native
, orWeb
when prompted for an application type. Make sureAuthorization Code
is selected forAllowed grant types
. Enter theLogin redirect URIs
,Logout redirect URIs
, andInitiate login URI
fields with the correct values, depending on your application’s routing.
- Client Credentials: Select
Associate the identity provider application with your Kong application
Now that the application has been configured in Okta, you need to associate the Okta application with the corresponding application in Kong’s Dev Portal.
Note: Each developer should have their own application in both Okta and Kong. Each Okta application has its own `client_id` that maps to its respective application in Kong. Essentially, this maps identity provider applications to portal applications.
This example assumes Client Credentials is the chosen OAuth flow.
- In the Kong Dev Portal, create an account if you haven’t already.
- After you’ve logged in, click
My Apps
. - On the Applications page, click
+ New Application
. Complete the Name and Description fields. Paste the
client_id
of your corresponding Okta (or other identity provider) application into the Reference Id field.
Now that the application has been created, developers can authenticate with the endpoint using the supported and recommended third-party OAuth flows.