This project builds on other open source projects to provide its functionality, specifically Nokia's kong-oidc plugin, which adds OpenID Connect Relying Party functionality to Kong.
The `X-Userinfo` header set by the kong-oidc plugin contains the payload returned by the OpenID Connect UserInfo endpoint, for example:

```json
X-Userinfo: {"preferred_username":"alice","email":"alice@wonderland.com","id":"60f65308-3510-40ca-83f0-e9c0151cc680","sub":"60f65308-3510-40ca-83f0-e9c0151cc680"}
```

Check what your installed kong-oidc release actually emits: depending on the version, the header value is either the JSON document itself or the same JSON base64-encoded, so decode it before reading a field from it.
Ensure that `email` is one of the scopes configured on the kong-oidc plugin, as `email` is the default lookup field for this plugin; without that scope the claim is absent from the UserInfo payload and no consumer can be matched.
The plugin then looks up the consumer using one field of the `X-Userinfo` payload (configurable, default `email`), matching that value against the consumer's username in Kong. If no such consumer exists, the plugin creates it in Kong when the `create_consumer` flag is set.
The plugin then sets `ngx.ctx.authenticated_consumer`, adds the consumer headers for the upstream, and continues to the next plugin in the pipeline:

```lua
ngx.ctx.authenticated_consumer = {{matched_consumer_found_or_created}}
```
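The flow above, as an added example written in Python rather than the plugin's Lua (this is not code from kong-oidc-consumer or kong-oidc): decode `X-Userinfo` in either of its two forms, pick the configured `username_field`, look the consumer up or create it, and produce the value that would go into `ngx.ctx.authenticated_consumer` together with the consumer headers. The in-memory `ConsumerStore`, the constructed sample header, the 401/403 outcomes for the failure cases and the `X-Consumer-ID`/`X-Consumer-Username` header names are assumptions of this example; the real plugin uses Kong's consumer DAO and its own response handling.

```python
"""Added example (not the kong-oidc-consumer plugin's own Lua): a Python model
of the X-Userinfo -> consumer matching flow described above.

Assumptions made here and not stated on the page: an in-memory ConsumerStore
stands in for Kong's consumer DAO; a missing/undecodable X-Userinfo or a
missing username claim yields 401 and an unknown consumer with
create_consumer=false yields 403; the upstream headers use Kong's usual
X-Consumer-ID / X-Consumer-Username names.
"""
import base64
import binascii
import json
import uuid

# Constructed sample: the X-Userinfo payload shown above, as raw JSON and as
# base64-encoded JSON (some kong-oidc releases base64-encode the header).
SAMPLE_USERINFO_JSON = json.dumps({
    "preferred_username": "alice",
    "email": "alice@wonderland.com",
    "id": "60f65308-3510-40ca-83f0-e9c0151cc680",
    "sub": "60f65308-3510-40ca-83f0-e9c0151cc680",
})
SAMPLE_USERINFO_B64 = base64.b64encode(SAMPLE_USERINFO_JSON.encode()).decode()


class ConsumerStore:
    """Hypothetical stand-in for Kong's consumer table, keyed by username."""

    def __init__(self, consumers=()):
        self._by_username = {c["username"]: dict(c) for c in consumers}

    def find_by_username(self, username):
        return self._by_username.get(username)

    def create(self, username):
        consumer = {"id": str(uuid.uuid4()), "username": username, "custom_id": None}
        self._by_username[username] = consumer
        return consumer


def decode_userinfo(value):
    """Parse the X-Userinfo value as raw JSON, falling back to base64-encoded
    JSON. Returns None when neither form yields a JSON document."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except ValueError:
        pass
    try:
        return json.loads(base64.b64decode(value, validate=True))
    except (ValueError, binascii.Error):
        return None


def authenticate_consumer(headers, store, username_field="email", create_consumer=False):
    """Mirror the plugin's decision as (status, ctx). On 200, ctx carries the
    consumer that would go into ngx.ctx.authenticated_consumer and the
    consumer headers that would be added for the upstream."""
    lowered = {name.lower(): value for name, value in headers.items()}
    userinfo = decode_userinfo(lowered.get("x-userinfo"))
    if not isinstance(userinfo, dict):
        return 401, {"error": "missing or undecodable X-Userinfo header"}

    username = userinfo.get(username_field)
    if not isinstance(username, str) or not username:
        # Usually means the matching scope (e.g. "email") is not configured on kong-oidc.
        return 401, {"error": f"userinfo has no usable {username_field!r} claim"}

    consumer = store.find_by_username(username)
    if consumer is None:
        if not create_consumer:
            return 403, {"error": f"no consumer with username {username!r}"}
        consumer = store.create(username)

    upstream_headers = {
        "X-Consumer-ID": consumer["id"],
        "X-Consumer-Username": consumer["username"],
    }
    return 200, {"authenticated_consumer": consumer, "headers": upstream_headers}


if __name__ == "__main__":
    store = ConsumerStore()
    print(authenticate_consumer({"X-Userinfo": SAMPLE_USERINFO_JSON}, store))
    print(authenticate_consumer({"X-Userinfo": SAMPLE_USERINFO_B64}, store, create_consumer=True))
```

Two things the model makes visible that the prose does not: with `create_consumer` left at its default of `false`, a valid login whose email has no matching Kong consumer is still denied, and switching `username_field` to `preferred_username` changes which claim becomes the consumer's username, so the consumers you pre-create in Kong must be named accordingly.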
kong-oidc depends on the following package:
-- TODO: push to LuaRocks --
If you're using LuaRocks, execute the following:

```sh
luarocks install kong-oidc-consumer
```
Otherwise, copy the `oidc-consumer` folder from the `/kong/plugins/` folder into your Lua path.
You also need to set the `KONG_PLUGINS` environment variable so that it contains the `oidc-consumer` plugin as well as `oidc`, which it depends on:

```sh
export KONG_PLUGINS=oidc,oidc-consumer
```
Parameter | Default | Required | Description |
---|---|---|---|
name | | true | plugin name, has to be `oidc-consumer` |
config.username_field | "email" | true | userInfo field that stores the username to be matched against, or created as, a consumer |
config.create_consumer | false | true | boolean; if true, creates the consumer when it is not found, using the value of the field above from the userInfo payload as the username |
Please enable and configure the kong-oidc plugin first; oidc-consumer only reads the `X-Userinfo` header that kong-oidc sets and does nothing useful without it.
- oidc-consumer v0.0.1 -> Kong 0.14.x
- TODO
  - Add testing
  - Update the README with curl commands to configure the plugin
  - Get a continuous test environment
Please see the `/scripts` folder, which has a couple of bash scripts that can help with testing out the plugin. They assume you have Docker installed locally.

- `build.sh`: builds a Docker image of Kong (called `oidc-kong`) with the kong-oidc plugin installed.
- `install.sh`: runs Docker containers for Postgres and the Kong image built by `build.sh`, and makes the oidc and oidc-consumer plugins available to Kong. It can optionally start Konga to manage the Kong instance it created; Konga is linked to the running Kong container using the hostname `kong`.

Run them with:

```sh
$ sh ./scripts/build.sh
$ sh ./scripts/install.sh
```
After that you still need to set up the endpoints and plugins manually, either through a UI like Konga or with curl/http commands from the console.
I use Auth0 as my OIDC provider, which is why the Docker image is called `kong-auth0`.