In our third Kong and Okta tutorial, we'll go through the introspection flow implementation. This series will show you how to implement service authentication and authorization for [Kong Konnect](https://konghq.com/kong-konnect)Kong Konnect and [Okta](https://www.okta.com)Okta using the [OpenID Connect](https://konghq.com/blog/openid-connect-api-gateway)OpenID Connect ([OIDC](https://docs.konghq.com/hub/kong-inc/openid-connect)OIDC) plugin. Parts 1, 2 and 4 cover:
In this example, I'm using the Konnect control plane to create new APIs and policies and publish them to my data plane running as a Docker container in an AWS EC2 instance.
The introspection flow is part of the token validation process. [Kong Gateway](https://konghq.com/kong)Kong Gateway evaluates the injected token at the request processing time to see if it’s still valid to the upstream services. The evaluation hits a specific Okta endpoint, passing the received token. Based on the response provided by Okta, Kong Gateway accepts or rejects the request.
For production environments, the OIDC plugin provides caching capabilities for the Okta responses. However, for this tutorial, I’m going to disable caching to better view the flow.
Regarding Okta’s settings, I’m going to use the same client credentials application I created before. With the client ID and client secret. However, my OIDC plugin has to be set with specific parameters to implement introspection.
In the Konnect ServiceHub, I have an IntrospectionRoute OIDC plugin enabled.
The settings should be:
To better view the flow, I will use [Insomnia](https://insomnia.rest)Insomnia, Kong’s API spec editor, to send requests to both Okta and Konnect. Below are my two requests.
The first one I’m sending to Okta, passing the expected parameters to get it authenticated and receive a token.
For the second one to consume the route, I’m using a specific Insomnia capability called Request Chaining. With this, I’ll be able to extract values from the response of a given request to build new ones. In my case, I’m pulling the access token from Okta’s response to make the other request and then send it to Konnect.
Next, let’s send a request to Okta to get our token. There it is.
This time, we can see that Kong’s request is ready to be sent since we got Okta’s token injected inside of it.
And here’s the Konnect response:
It's important to note that Konnect is validating the token behind the scenes. Here's one EC2 terminal where my data plane is running. Since I disabled introspection caching for the OIDC plugin, Konnect hits Okta for each request to validate the token.
Another way to see introspection is by deactivating the Okta application. All tokens related to it will be considered invalid and, as a consequence, will not be accepted by Kong again.
Let’s get back to Okta’s application and deactivate it. We should get a 401 error code from Kong.
[Start a free trial](https://konghq.com/kong-konnect)Start a free trial, or [contact us](https://support.konghq.com/support/s/?_ga=2.220853277.461335063.1619442427-852472749.1605808164)contact us if you have any questions as you're getting set up.
Once you've set up Konnect and Okta introspection flow, you may find these other tutorials helpful:
Ensuring secure access to applications and APIs is critical. As organizations increasingly adopt microservices architectures and cloud native solutions, the need for robust, fine-grained access control mechanisms becomes paramount. This is where the
[](https://konghq.com/blog/engineering/secure-access-control-with-opa-and-kong)
In the modern IT stack, API gateways act as the first line of defense against attacks on backend services by enforcing authentication/authorization policies and validating and transforming requests. When backend services are protected with a token-b
[](https://konghq.com/blog/engineering/zero-trust-oauth-2-0-mtls-client-authentication)
With digital transformation shifting networks into the cloud — from remote workforces to online banking — cyberattacks are growing more prevalent and sophisticated. Legacy security models like VPNs and perimeter-based firewalls are proving inadequat
[](https://konghq.com/blog/engineering/microsegmentation-and-zero-trust-security)
With its flexible querying capabilities, GraphQL makes it easy to combine data from multiple sources into a single endpoint. GraphQL and API management go hand in hand to build next-generation API platforms. However, GraphQL's features can als
[](https://konghq.com/blog/engineering/graphql-security-vulnerabilities)
Access tokens In token-based architecture, tokens represent the client’s entitlement to access protected resources. Access tokens (or bearer tokens as they're commonly known) are issued by authorization servers after successful user authentication.
[](https://konghq.com/blog/engineering/mtls-sender-constrained-tokens)When it comes to digital identity, OpenID and OAuth are two peas in a pod, but they have their differences. OpenID connects you to relying parties using a single sign-on, while OAuth grants access tokens so you can give apps limited access. They bo
[](https://konghq.com/blog/engineering/openid-vs-oauth-what-is-the-difference)
If you landed on this blog post, chances are that you care about keeping your API secure. It's an important topic to discuss: API exploits are on the rise, and you don't want unauthorized users accessing your data. A big part of that security is imp
[](https://konghq.com/blog/engineering/api-authentication-vs-api-authorization)