We can support all three major IdPs in a single OIDC plugin (configured at the workspace, service, or route scope):
- Keycloak
- WF Auth/SSO Auth
- Monolith Auth
This follows the article "Does the openid-connect plugin support token validation for multiple IdPs".
This Admin API call (which lists the issuer discovery documents the plugin has cached) was used to find the JWKS URLs:

```bash
curl --request GET \
  --url https://kube-kongtest-admin.service.intradsm1.sdeconsul.csnzoo.com/openid-connect/issuers \
  --header 'Kong-Admin-Token: foo'
```
Keycloak unique considerations:
- Requires `client_id`
- `audience_required` is typically blank

WF Auth/SSO Auth unique considerations:
- Sometimes specifies `scopes_required`

Monolith Auth unique considerations:
- Doesn't have its own discovery configuration (`issuer`), so we use the Keycloak one, which works well enough
- Only works for Partners Home
- Requires the sidecar JWT-protected service: `extra_jwks_uris` of `http://127.0.0.1:17000/jwks/jwks.json`
- Requires `enable_hs_signatures` to be enabled
- `issuers_allowed` must allow both a realm-specific issuer (e.g., `https://partnerswayfaircom.csnzoo.com/auth/realms/Partner_Home`) and a general issuer (e.g., `https://partnerswayfaircom.csnzoo.com/`)
First, configure the plugin to use Keycloak. Then add on the settings from other IdPs.
IdP | issuers_allowed | extra_jwks_uris | Other Config |
---|---|---|---|
Keycloak | `https://authwayfairio.csnzoo.com/auth/realms/MY_REALM` | `https://authwayfairio.csnzoo.com/auth/realms/MY_REALM/protocol/openid-connect/certs` | set `client_id` |
WF-Auth / SSO | `https://ssoauthwayfaircom.csnzoo.com/` | `https://ssoauthwayfaircom.csnzoo.com/.well-known/openid-configuration/jwks` | |
Monolith | `https://partnerswayfaircom.csnzoo.com/auth/realms/Partner_Home` AND `https://partnerswayfaircom.csnzoo.com/` | `http://127.0.0.1:17000/jwks/jwks.json` | set `enable_hs_signatures: true` |
There are no conflicts between WF Auth/SSO Auth and Monolith Auth.
Keycloak conflicts because, unlike the other two, it does not typically specify an `audience_required` (which is the same between the other two).
Workarounds:
- Don't require an audience -- just rely on the issuer
- Identify one or more Keycloak audiences and require the mono/WF auth audience or the Keycloak audience (the included example uses the `account` audience for Keycloak). Sounds like `account` will always be there.
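The following is an added example (not Kong's code and not part of this page's original config) that assembles the combined plugin config from the table above and models the issuer and audience checks for the workarounds just listed. The config keys used (`issuer`, `client_id`, `auth_methods`, `issuers_allowed`, `extra_jwks_uris`, `enable_hs_signatures`, `audience_required`) are real openid-connect plugin fields; `MY_KEYCLOAK_CLIENT_ID` and `MONOLITH_OR_WF_AUDIENCE` are placeholders for values this page does not state, `auth_methods: ["bearer"]` is an assumption, and the decision function only models the claim checks that happen after the signature has been verified against the JWKS URIs.

```python
"""Combined openid-connect plugin config for Keycloak, WF Auth/SSO and Monolith,
plus a small model of the issuer/audience decision the plugin makes per token.

Added example, not Kong's own code. Placeholders: MY_KEYCLOAK_CLIENT_ID,
MONOLITH_OR_WF_AUDIENCE. Signature verification is assumed done already.
"""
import json

KEYCLOAK_ISSUER = "https://authwayfairio.csnzoo.com/auth/realms/MY_REALM"
SSO_ISSUER = "https://ssoauthwayfaircom.csnzoo.com/"
MONOLITH_REALM_ISSUER = "https://partnerswayfaircom.csnzoo.com/auth/realms/Partner_Home"
MONOLITH_GENERAL_ISSUER = "https://partnerswayfaircom.csnzoo.com/"

KEYCLOAK_AUDIENCE = "account"                # the Keycloak audience named on this page
SHARED_AUDIENCE = "MONOLITH_OR_WF_AUDIENCE"  # placeholder for the mono/WF audience


def plugin_config(audience_mode: str) -> dict:
    """Return the plugin body you would POST to /services/<svc>/plugins.

    audience_mode:
      "shared_only" - the naive config: only the mono/WF audience (shows the conflict)
      "none"        - workaround 1: no audience check, rely on issuers_allowed
      "either"      - workaround 2: accept the mono/WF audience OR Keycloak's
    """
    audiences = {
        "shared_only": [SHARED_AUDIENCE],
        "none": [],
        "either": [SHARED_AUDIENCE, KEYCLOAK_AUDIENCE],
    }[audience_mode]
    return {
        "name": "openid-connect",
        "config": {
            # Monolith has no discovery document of its own, so Keycloak's is used for all three.
            "issuer": KEYCLOAK_ISSUER,
            "client_id": ["MY_KEYCLOAK_CLIENT_ID"],   # placeholder
            "auth_methods": ["bearer"],               # assumption: bearer-token validation only
            "issuers_allowed": [
                KEYCLOAK_ISSUER,
                SSO_ISSUER,
                MONOLITH_REALM_ISSUER,     # Monolith needs both the realm-specific
                MONOLITH_GENERAL_ISSUER,   # and the general issuer
            ],
            "extra_jwks_uris": [
                "https://authwayfairio.csnzoo.com/auth/realms/MY_REALM/protocol/openid-connect/certs",
                "https://ssoauthwayfaircom.csnzoo.com/.well-known/openid-configuration/jwks",
                "http://127.0.0.1:17000/jwks/jwks.json",  # Monolith sidecar JWKS
            ],
            "enable_hs_signatures": True,  # Monolith tokens are HMAC-signed
            "audience_required": audiences,
        },
    }


def _aud_list(claims: dict) -> list:
    """RFC 7519 allows aud to be a single string or an array; normalise to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def claims_accepted(claims: dict, plugin: dict) -> bool:
    """Model of the post-signature checks: iss must be in issuers_allowed, and if
    audience_required is non-empty the token's aud must contain at least one of
    its values (the "any of" behaviour the second workaround relies on)."""
    cfg = plugin["config"]
    if claims.get("iss") not in cfg["issuers_allowed"]:
        return False
    required = cfg["audience_required"]
    if not required:
        return True
    return any(a in required for a in _aud_list(claims))


# Constructed claim sets standing in for decoded tokens from each IdP (not real tokens).
TOKENS = {
    "keycloak": {"iss": KEYCLOAK_ISSUER, "aud": "account"},
    "sso": {"iss": SSO_ISSUER, "aud": [SHARED_AUDIENCE]},
    "monolith": {"iss": MONOLITH_REALM_ISSUER, "aud": [SHARED_AUDIENCE]},
    "unknown": {"iss": "https://idp.invalid/", "aud": [SHARED_AUDIENCE]},  # constructed foreign issuer
}


def evaluate(audience_mode: str) -> dict:
    """Accept/reject verdict for each constructed token under the given audience mode."""
    plugin = plugin_config(audience_mode)
    return {name: claims_accepted(c, plugin) for name, c in TOKENS.items()}


if __name__ == "__main__":
    print(json.dumps(plugin_config("either"), indent=2))
    for mode in ("shared_only", "none", "either"):
        print(mode, evaluate(mode))
```

Running it shows the conflict directly: with only the mono/WF audience configured the Keycloak token is rejected, while both workarounds accept all three IdPs and still reject the foreign issuer. Of the two, the second is the tighter choice: with `audience_required` empty, any token the allowed issuers mint for any client is accepted, whereas listing the expected audiences keeps the token bound to this service.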