Kong and Okta Introspection Flow

By on June 10, 2021

Implementing Introspection Flow With Kong and Okta


← Back to Blog Home

In our third Kong and Okta tutorial, we’ll go through the introspection flow implementation. This series will show you how to implement service authentication and authorization for Kong Konnect and Okta using the OpenID Connect (OIDC) plugin. Parts 1, 2 and 4 cover:

 

Konnect and Okta Integration Topology

In this example, I’m using the Konnect control plane to create new APIs and policies and publish them to my data plane running as a Docker container in an AWS EC2 instance.

Kong Konnect and Okta Integration Topology

Introspection Flow

The introspection flow is part of the token validation process. Kong Gateway evaluates the injected token at the request processing time to see if it’s still valid to the upstream services. The evaluation hits a specific Okta endpoint, passing the received token. Based on the response provided by Okta, Kong Gateway accepts or rejects the request.

Okta and Kong Konnect Introspection Flow

For production environments, the OIDC plugin provides caching capabilities for the Okta responses. However, for this tutorial, I’m going to disable caching to better view the flow. 

Set Up the Okta Application

Regarding Okta’s settings, I’m going to use the same client credentials application I created before. With the client ID and client secret. However, my OIDC plugin has to be set with specific parameters to implement introspection.

Okta and Kong Introspection Flow App Settings

Apply the OpenID Connect Plugin

In the Konnect ServiceHub, I have an IntrospectionRoute OIDC plugin enabled.

Kong Konnect Introspection Flow Route

The settings should be:

  • Config.Auth Methods
    Kong OIDC Configure.Auth Methods
  • Config.Issuer
    OpenID Connect Config Issuer
  • Config.Introspect Jwt Tokens
    OpenID Connect Config.Introspect Jwt Tokens
  • Config.Introspection Endpoint with a specific endpoint provided by Okta to implement introspection
    OpenID Connect Config.Introspection Endpoint

Test the Introspection Flow With Insomnia

To better view the flow, I will use Insomnia, Kong’s API spec editor, to send requests to both Okta and Konnect. Below are my two requests. 

The first one I’m sending to Okta, passing the expected parameters to get it authenticated and receive a token.

Insomnia Okta Token

For the second one to consume the route, I’m using a specific Insomnia capability called Request Chaining. With this, I’ll be able to extract values from the response of a given request to build new ones. In my case, I’m pulling the access token from Okta’s response to make the other request and then send it to Konnect.

Insomnia OpenID Connect Response

Insomnia Edit Tag for Okta and Kong Introspection Response

Next, let’s send a request to Okta to get our token. There it is.

Insomnia: Okta Introspection Token

This time, we can see that Kong’s request is ready to be sent since we got Okta’s token injected inside of it.

Insomnia: Get Bearer Response for OIDC

Insomnia: Edit tag for Okta introspection body

And here’s the Konnect response:

Insomnia: Preview Bearer Token OIDC

It’s important to note that Konnect is validating the token behind the scenes. Here’s one EC2 terminal where my data plane is running. Since I disabled introspection caching for the OIDC plugin, Konnect hits Okta for each request to validate the token.

Kong Konnect and Okta: Validate OIDC Token

Deactivate the Okta Application

Another way to see introspection is by deactivating the Okta application. All tokens related to it will be considered invalid and, as a consequence, will not be accepted by Kong again. 

Let’s get back to Okta’s application and deactivate it. We should get a 401 error code from Kong.

Okta and Kong Konnect: 401 Error Code

Protect Your Applications With Kong Konnect and Okta

Start a free trial, or contact us if you have any questions as you’re getting set up.

Once you’ve set up Konnect and Okta introspection flow, you may find these other tutorials helpful:

 

Tags:

Share Post: