The WISdoM project utilizes the Kong API Gateway to route requests to their services. To allow the authentication of users accessing the gateway, usually a plugin directly from Kong Inc. would be used. However, the plugin that would be used to authenticate users is only available if a paid subscription is used for the Kong API Gateway. Furthermore, it does not support all of the features, we need for this project.
The plugin is automatically installed to the API gateway, if the WISdoM project is deployed to your host.
If you want to use the plugin outside of the WISdoM project you need to install
the plugin using luarocks
and define it in the configuration of your Kong API
Gateway.
The plugin takes a request and uses the plugins configuration to get the url
to the discovery endpoint of your OpenID Connect-compliant identity provider.
It then takes the url and requests the output of the discovery endpoint from
which the plugin then extracts the userinfo
endpoint url.
If the endpoint url has been extracted, the plugin will then use the bearer
token from the incoming request and tries to get the users information.
The users information then is used, to get the username of the user sending the
request, as well the groups they are a member of. These values are then put
into the requests headers as X-WISdoM-User
and X-WISdoM-Groups
and the
request continues downstream.
If you want to change the header keys, you should fork this repository and change them in accordance to the MIT License this plugin is released under.