A plugin to demonstrate how to implement the Phantom Token Pattern via LUA.
This enables a secure API solution when integrating with the Kong API Gateway.
If you are using luarocks, execute the following command to install the plugin:
luarocks install kong-phantom-tokenOr deploy the .lua files into Kong's plugin directory, eg /usr/local/share/lua/5.1/kong/plugins/phantom-token
For each API route, configure the plugin using the following configuration.
Also add the plugin to the KONG_PLUGINS environment variable, by setting it to bundled,phantom-token.
- name: myapi
url: https://api-internal.example.com:3000
routes:
- name: myapi-route
paths:
- /api
plugins:
- name: phantom-token
config:
introspection_endpoint: $INTROSPECTION_ENDPOINT
client_id: api-gateway-client
client_secret: Password1
token_cache_seconds: 900
trusted_web_origins:
- http://$WEB_DOMAIN| Parameter | Required? | Details |
|---|---|---|
| introspection_endpoint | Yes | The path to the Curity Identity Server's introspection endpoint |
| client_id | Yes | The ID of the introspection client configured in the Curity Identity Server |
| client_secret | Yes | The secret of the introspection client configured in the Curity Identity Server |
| scope | No | One or more scopes can be required for the location, such as read write |
| token_prefix | No | Only tokens starting with the given prefix will trigger introspection |
| trusted_web_origins | No | For browser clients, trusted origins can be configured, so that plugin error responses are readable by Javascript code running in browsers |
| verify_ssl | No | An override that can be set to false if using untrusted server certificates in the Curity Identity Server. Alternatively you can specify trusted CA certificates via the lua_ssl_trusted_certificate directive. See lua_resty_http for further details. |
This repository is documented in the Kong Open Source API Gateway Integration article on the Curity Web Site.
Please visit curity.io for more information about the Curity Identity Server.