Use OIDC to Secure Kong Manager and Admins Group Mapping
Introduction
I wrote a post about deploying Kong and Konga before because users can only use Admin API
to configurate Kong Gateway OSS. Kong Gateway Enterprise comes with a GUI called Kong manager which is very powerful for configurating Kong entities. Users can use basic auth, LDAP or OIDC authentication to protect Kong manager. In today’s post, I will talk about setting up up OIDC authentication for Kong manager and how to map IDP groups to Kong groups.
Prerequisite:
- Kong Gateway Enterprise
- A running IDP with existing users and groups set up
- You’ve read official documentation
You might be wondering why I write this post when users can just follow official documentations. The reason is that official docs can be too simple sometimes and it does not cover enough detail to explain how it works.
Parameters
There are 4 kong parameters you need to use. enforce_rbac
, admin_gui_auth
, admin_gui_session_conf
and admin_gui_auth_conf
.
- enforce_rbac
If you don’t set this variable, you will getError: enforce_rbac must be enabled when admin_gui_auth is enabled
. Make sure you set this to true. - admin_gui_session_conf
This variable is used to specify configuration for the session plugin used by Kong manager. If you don’t set it, you will getadmin_gui_session_conf must be set when admin_gui_auth is enabled
error. - admin_gui_auth
This variable is used to specify which authentication method you want to use. Currently Kong manager supportsbasic-auth
,ldap-auth-advanced
andopenid-connect
. - admin_gui_auth_conf
In this tutorial I will use this variable to configurate OIDC plugin for logging in Kong manager.
Session settings of Kong manager is well explained on Kong’s official doc here. Please read it first and decide what you need to use. For demonstration purpose, I will use below for admin_gui_session_conf.
1 | { |
OIDC Configuration Explain
In the official doc, the example of admin_gui_auth_conf
is as below.
1 | { |
You need to modify these values based on your IDP requirements. For example, issuer
, client_id
, client_secret
, redirect_url
need to be changed. You might also need to change scopes
if your IDP requires different scope for authorization code flow. ( For example Azure requires a <client_id>/.default
in scope).
One important setting you need to pay attention to is consumer_claim
. This has direct impact on how you create username for your kong manager admins.
Kong was using email
in the official doc, which is convenient but could be problmatic if you want to enable developer portal later.
What consumer_claim
does is to map a claim from your IDP issued token to the username of Kong admin. For example, if the issued id_token
has a custom claim "kong-admin": "john_smith"
, you can set "consumer_claim": ["kong-admin"]
and then create your kong admin with username=john_smith
.
You can create your Kong admin on Kong manager or via Admin API below. (Below requests create an admin on default workspace with super-admin privilege)
Create Admin User
1
2
3
4
5
6
7curl --request POST \
--url http://localhost:8001/default/admins \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Kong-Admin-Token: <RBAC_TOKEN>' \
--data username=john_smith \
--data [email protected] \
--data rbac_token_enabled=falseAssign Role to this User
1
2
3
4
5curl --request POST \
--url http://localhost:8001/default/admins/john_smith/roles \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Kong-Admin-Token: <RBAC_TOKEN>' \
--data roles=super-admin
Once I’ve put the right values in admin_gui_auth_conf
and start Kong, when user log in Kong manager as john_smith
, he will be forwarded to IDP to authenticate themselves.
Group Mapping Explain
As we can see from above, users get their privileges from their assigned role(s). If we don’t set their role, they won’t see anything after log in. If there are only a few kong admins, it might not be an issue, however, it will be a problem when you have a lot of admins.
Luckily Kong supports mapping groups claims from IDP token to a Kong Group. The official document explains it clearly.
What you need to do are below:
- Create Kong groups.
- Assign roles to each group.
- Match
authenticated_groups_claim
to the claim variable name and make sure group claim value is the same as the kong group name.
For example, if the groups claim from IDP’s token is "groups":["kong-super-admin"]
, we need to set authenticated_groups_claim=groups
and create our Kong group name as kong-super-admin
and assign appropriate permission to this group.
Add groups claim to different IDP
The method to add group claim to id_token
can be tricky. For example, I haven’t found a way to add group names to AzureAD issued id_token
. What I can add in the id_token
is something like "groups":["2354a1b9-a8c6-426a-a827-b7b97895b453"]
. so I have to create my Kong group name to 2354a1b9-a8c6-426a-a827-b7b97895b453
.
Below are the steps to add group claims for the IDPs that I have tested. I will add more if I got a chance to play with other IDPs.
Keycloak
Keycloak is very flexible and easy to use. Users can choose to add groups claims to a client or to a scope.
Add to a client
- Go to
Clients
tab on the left penal and click the client you want to use. - Go to
Mappers
tab - Click
Create
button - Choose
Group Membership
forMapper Type
and name your group claim inToken Claim Name
. Normally I will usegroups
in bothName
andToken Claim Name
. Full group path
is on by default, this will show the full path if you have subgroups. It will add/
in front of the group value. If you don’t use subgroups, it might be better to turn it off.
After that ALL tokens issued for this client will include groups
claim.
Add to a scope
Users can also add groups claim to a custom scope.
- Click
Client Scopes
on the left penal of dashboard and click Create. - You need to create a scope name. I name this scope
groups
and Save. - You should see
Mappers
tab now. You can just follow above steps (from step 2) to addGroup Membership
. - Add newly created scope to client.
- Go back to Keycloak Dashboard ➡
Clients
➡ select the client you want to use. - Go to
Client Scopes
tab. Addgroups
scope as optional scope.
- Go back to Keycloak Dashboard ➡
After that, if you need groups information in your id_token, you can request it with scope groups
.
As this post is about using OIDC for kong manager, to use the group information, you need to change "scopes": ["openid","profile","email","offline_access"]
to "scopes": ["openid","profile","email","offline_access","
groups
"]
to get the group claim and use it with authenticated_groups_claim
.
Auth0
To add group values to Auth0 applications, you would need to use their Authorization Extension
. Here is the official doc.
Here are the steps:
- Install extension
- Log in to auth0 deshboard → Extensions on left penal
- Search
Authorization
and install the plugin
- Config Extension
- Click this extension
- Click Groups tab and then create groups
- Add users to groups
- Add claim via
Rules
Go back to Auth0 dashboard →
Auth Pipeline
→Rules
on left penal.Click
Create
→ Empty ruleGive it a name and then put in below code. (This code can be found on official doc here)
1
2
3
4
5
6
7
8function (user, context, callback) {
var namespace = 'http://yourdomain/claims/'; // You can set your own namespace, but do not use an Auth0 domain
// Add the namespaced tokens. Remove any which is not necessary for your scenario
context.idToken[namespace + "groups"] = user.groups;
callback(null, user, context);
}
There is a catch here. Auth0 requires Namespaced Custom claims
hence users are not allow to use groups
as the group name. From above code you can see users can define groups claim name with namespace
variable. For example we can use something like “http://aufomm/demo/groups“ as group variable name.
You will get "http://fomm/groups": ["kong-super-admin"]
returned from id_token
s. To use this group information with Kong manager, you need to set authenticated_groups_claim=http://aufomm/demo/groups
Okta
Okta developer account comes with default authorization server. Normally its url will be https://<yourdomain>.okta.com/oauth2/default
. Users can choose to create a new authorization server or use existing one.
Here are the step to add group claim to authorization server:
- On Okta Dashboard, go to Security → API
- Click the authorization server you want to use.
- Add
groups
claim- Create Scope (optional)
Go toScopes
tab and create a new scopegroups
- Add Claim to all application
- Go to
Claims
tab - Click Add Claim button
- Enter
groups
as name - Select
ID Token
in Include in token type - Select
Groups
in Value type - Select
Matches regex
and.*
in Filter - Include in
Any scope
or chooseThe following scopes
and then enter your scope namegroups
we define above.
- Enter
- Go to
- Create Scope (optional)
If you choose Any scope
you can get groups claims in your id_token
for all your requests through this authorization server. Otherwise you need to request groups
scope specifically to get this claim.
The group claim you get looks like "groups":["Everyone","kong-readonly"]
. We can see there is a value Everyone
in it. Unless you want to create a Kong group for Everyone
, please don’t create a Kong Group called Everyone
.
Azure
This could be the easiest IDP we’ve talked about today although I am still not able to find a way to show real group name in id_token
.
If you know how to set up group claims on AzureAD correctly, please leave me a comment. Thank you
Here are the step:
- Go to
App registrations
- Select
Token configuration
on the left penal - Click
Add groups claim
- Tick
All groups (includes distribution lists but not groups assigned to the application)
- Customize token properties by type → ID →
sAMAccountName
. Actually any selection selelction withsAMAccountName
will work.
Now when you request token, you will get "groups":["2354a1b9-a8c6-426a-a827-b7b97895b453"]
in your id_token
. You need to create your Kong group name with this ID.
Woohoo, I did not expect to write such a long post before I started.
I hope this article can be of any help.