Utmost Protection with OpenId Authentication 🔒

OpenID Vs OAuth

Abstract OAuth 2.0 protocol flow (RFC 6749, Figure 1):

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

Grant Types

Kong OIDC Plugin

Enhanced OpenId flow provided by the Kong OIDC Plugin
curl https://{{hostname}}/api/service-endpoint/resource1 \
  -H 'Authorization: Basic {base64-encoded client_id:client_secret}'
Request flow for Kong OIDC plugin with client_secret_jwt authentication
  1. Configure a simple proxy pass in Kong to redirect the authentication request for access token generation to the SSO server.
kong proxy pass to sso server

How to generate the token

{
  "jti": "{unique id}",
  "sub": "{client-id}",
  "iss": "{client-id}",
  "aud": "{Audience URL}",
  "exp": {expire time in epoch seconds for the ID Token}
}
JWT token generation

Sample Requests to Generate a Token

curl -XPOST 'https://{{hostname}}/api/service/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion={{client_secret_JWT_token}}'

curl -XPOST 'https://{{hostname}}/api/service/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'refresh_token={{refresh_token}}' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion={{client_secret_JWT_token}}'
{
  "access_token": "ImtvbmctdGVzdC11c2VyIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQta29uZy10ZXN0LXVzZXIiLCJjbGllbnRBZGRyZXNzIjoiMTcyZDy7iQKAD9b3IlZ8EKfo0Kc9gS7rpuh00qBzNafUGFeVwSpNe",
  "expires_in": 14400,
  "refresh_expires_in": 86400,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZDRkMDhiNi04MGY2LTQ1ZWMtODILXRlc3QtdXNlciI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIn0",
  "token_type": "bearer",
  "not-before-policy": 0,
  "session_state": "d0090d58-4fd0-4b59-b0c1-fe37c098b5f7",
  "scope": "profile email"
}
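The claim set under "How to generate the token" and the two token requests above, worked through as an added example that is not code from the original article or from the Kong plugin: it builds a client_secret_jwt assertion (HS256 over the client secret, standard library only), shows the checks the token endpoint is expected to apply to it (pinned alg, signature, exp, aud, iss equal to sub, single-use jti), and assembles the form bodies for the client_credentials and refresh_token requests. Client ids, secrets, audience URLs and the 60-second lifetime are constructed placeholders, not values from the article.

```python
# Added example (not from the original article): client_secret_jwt assertion
# generation and verification, plus the token-request form bodies.
# All identifiers, secrets and URLs are constructed placeholders.
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, client_secret, audience, lifetime=60, now=None):
    """Return an HS256 JWT carrying the claims listed in the article (jti, sub, iss, aud, exp)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "jti": str(uuid.uuid4()),  # unique per assertion so the server can reject replays
        "sub": client_id,
        "iss": client_id,          # for a client assertion the client is both issuer and subject
        "aud": audience,           # the token endpoint URL, so the assertion cannot be redirected
        "iat": now,
        "exp": now + lifetime,     # short lifetime (assumed 60 s) bounds the window if it leaks
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_assertion(token, client_secret, expected_audience, seen_jti, now=None):
    """Server-side checks for a client_secret_jwt assertion. Returns the claims or raises ValueError.
    seen_jti is the caller's replay cache (a set here; a TTL store in practice)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(client_secret.encode(), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    if not claims.get("iss") or claims.get("iss") != claims.get("sub"):
        raise ValueError("iss must equal sub for a client assertion")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(jti)
    return claims


def client_credentials_body(assertion):
    """Form body for the first curl request above (grant_type=client_credentials)."""
    return urlencode({"grant_type": "client_credentials",
                      "client_assertion_type": ASSERTION_TYPE,
                      "client_assertion": assertion})


def refresh_body(refresh_token, assertion):
    """Form body for the second curl request above (grant_type=refresh_token)."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_assertion_type": ASSERTION_TYPE,
                      "client_assertion": assertion})


if __name__ == "__main__":
    secret = "constructed-client-secret"
    aud = "https://sso.example.invalid/api/service/token"  # constructed audience
    assertion = make_client_assertion("kong-test-user", secret, aud)
    print(client_credentials_body(assertion))
    print(verify_client_assertion(assertion, secret, aud, set()))
```

The replay cache is what makes the jti claim worth anything: without it a captured assertion is valid until exp, which is why the lifetime is kept to seconds rather than the hours used for the access token in the response above.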

Danuka Praneeth

Senior Software Engineer | BSc (Hons) Engineering | CIMA | Autodidact | Knowledge-Seeker