nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

config.client_secret required what about public oidc? #46

Closed devdavidkarlsson closed 5 years ago

devdavidkarlsson commented 6 years ago

config.client_secret=required

This means the plugin cannot be used for APIs with a public OIDC client, i.e. where the client_secret isn't sent at all.

Also, it cannot be used when multiple clients are to consume the API, since only one client_id/secret pair is set.

Thanks.

Trojan295 commented 6 years ago

Is this a feature request?

The plugin was developed to support the OIDC Authorization Code Flow, and in this case the client secret should be used. Kong can be considered a backend serving content, so the Authorization Code Flow is recommended.

devdavidkarlsson commented 6 years ago

We are not using Kong as a backend, but as an API gateway. I think the JWT plugin may better suit our use cases.

Thanks.

Trojan295 commented 6 years ago

Yeah, I know, but you can consider Kong as a proxy to your backends. That's why it supports the Authorization Code Flow. Implementing other flows on Kong is a bit pointless.

novacp commented 6 years ago

@Trojan295 I kind of disagree with your last statement, "Implementing other flows on Kong is a bit pointless." Let's consider the following use case:

Using OAuth2/OIDC as SSO, e.g. with Keycloak, for my own microservices and first-party SPA client. Standard JWT authentication would also work, but it is a common use case to integrate an SSO solution, as it gives a lot of advantages, especially in combination with an IAM tool like Keycloak.

Therefore, I would have the SPA client send a login request containing the end user's username and password to Kong, which then acts as the RP for Keycloak, initiating the password grant request to Keycloak. This common scenario cannot be integrated with kong-oidc, as the password grant is needed, can it?

Also see: https://github.com/nokia/kong-oidc/issues/54

Kong EE allows using the password grant in this use case.

Trojan295 commented 6 years ago

@devdavidkarlsson, can we close this ticket in favor of #54?