Skip to content

Latest commit

 

History

History
66 lines (52 loc) · 2.02 KB

README.md

File metadata and controls

66 lines (52 loc) · 2.02 KB

Kong Okta Auth Plugin

Build Status

Kong Plugin to validate OAuth 2.0 access tokens against an OKTA Authorization Server. The validation is made using OKTA's introspection endpoint.

When enabled, this plugin will validate the token and add new headers to requests based on the data in the provided JWT token. The generated headers follow the naming convention of OKTA-<field-name>.

The headers OKTA-Group, OKTA-Scope and OKTA-Username will be included with requests to APIs.

Example

JWT payload:

{
  "ver": 1,
  "iss": "https://okta.com/oauth2/auth-server-id",
  "aud": "https://api.com",
  "iat": 1507122921,
  "exp": 1508203412,
  "cid": "cid",
  "uid": "uid",
  "scp": [
    "read",
    "write"
  ],
  "sub": "[email protected]",
  "group": [
    "Everyone"
  ]
}

Headers included with request:

OKTA-Group: "Everyone"
OKTA-Scope: "read write"
OKTA-Username : "[email protected]"

Enabling Plugin

You can enable Okta-Auth plugin for an api with the following request:

curl -X POST http://localhost:8001/apis/example-api/plugins \
  --data "name=okta-auth" \
  --data "config.authorization_server=https://okta.com/oauth2/auth-server-id" \
  --data "config.client_id=cid" \
  --data "config.client_secret=secret" \
  --data "config.api_version=v1" \
  --data "config.check_auth_server=true"

Parameters description:

form parameter required description
name required Plugin name: okta-auth
authorization_server required Okta authorization server URL
client_id required Okta's public identifier for the client
client_secret required Okta's client secret
api_version optional Okta's authorization server API version (default: v1)
check_auth_server optional If true check authorization server availability (default: true)