Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
|
github-edit-pageEdit this page
report-issueReport an issue

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an open authentication protocol that lets users sign in to multiple sites using one set of credentials. Using the OIDC Authentication Strategy allows Developers visiting your Dev Portal to authenticate using OIDC.

Prerequisites

  • Set up your application, claims, and scopes in your OpenID identity provider

Be sure to complete Prerequisites for all Auth Strategies

Create OIDC Auth Strategy

If you do not already have an OIDC Auth Strategy created, we will first create an OIDC Auth strategy.

  1. In the Dev Portal menu, navigate to the Application Auth tab. Click New Auth Strategy to create an auth strategy. Refer to the configuration parameters section for more information about each field.

  2. Enter a name to be seen only in Konnect and a display name that will be displayed on your Dev Portal.

  3. In the Auth Type dropdown menu select OpenID-Connect. Enter the Issuer URL for your OIDC tenant.

  4. Enter any scopes your developers may need access to (e.g. openid, profile, email, etc). Note the required scopes may differ depending on your IdP.

  5. Enter the Credential Claims which will match the client ID of the corresponding application in your IdP.

  6. Select the relevant Auth Methods you need (for example: client_credentials, bearer, session).

  7. Click Save

  8. Optional: In Settings/Security, set the preferred Default Auth Strategy to your new OIDC configuration instead of the default key-auth. This setting makes it easier to publish an API (in the next step) using the OIDC Auth Strategy, because this setting will be auto-selected for you. Changing this default will not retroactively change any previously published APIs.

  9. /dev-portal/portals/publishing with the OIDC Auth Strategy you just created.

Now Developers can access the API using OIDC!

OpenID Connect configuration parameters

For more background information about OpenID Connect plugin parameters, see Important Configuration Parameters.

Form Parameter Description Required
Issuer The issuer URL from which the OpenID Connect configuration can be discovered. For example: https://dev-1234567.okta.com/oauth2/default. True
Scopes The scopes to be requested from the OpenID Provider. Enter one or more scopes separated by spaces, for example: open_id myscope1. False
Credential claims Name of the claim that maps to the unique client id in the identity provider. True
Auth method The supported authentication method(s) you want to enable. This field should contain only the authentication methods that you need to use. Individual entries must be separated by commas. Available options: password, client_credentials, authorization_code, bearer, introspection, kong_oauth2, refresh_token, session. True
Hide Credentials Default: disabled
Hide the credential from the upstream service. If enabled, the plugin strips the credential from the request header, query string, or request body, before proxying it.		 False
Auto Approve Default: disabled
Automatically approve developer application requests for an application.		 False