コンテンツにスキップ
|
Plugin Hub
report-issue問題を報告する
header icon

Mutual TLS Client Authentication

By Kong Inc.

このページは、まだ日本語ではご利用いただけません。翻訳中です。

古いプラグインバージョンのドキュメントを閲覧しています。

Mutual TLS client authentication

The OpenID Connect plugin supports mutual TLS (mTLS) client authentication with the IdP. When mTLS authentication is enabled, Kong establishes mTLS connections with the IdP using the configured client certificate.

You can use mTLS client authentication with the following IdP endpoints and corresponding flows:

For all these endpoints and for the flows supported, the plugin uses mTLS client authentication as the authentication method when communicating with the IdP, for example, to fetch the token from the token endpoint.

Requirements for an mTLS client auth configuration

Auth server configuration

The feature requires the IdP to be enabled to use mTLS and X.509 client certificate authentication. For configuring this in Keycloak, refer to the Keycloak configuration section below. For different auth servers, refer to their documentation to configure this functionality.

Kong configuration

Certificates

For mTLS connections, create a certificate and key pair for Kong Gateway to use when connecting to the IdP:

http -f post :8001/certificates cert@crt.pem key@key.pem

SSL verify

The configuration option tls_client_auth_ssl_verify controls whether the server (IdP) certificate is verified.

When set to true (the default value), ensure trusted certificate and verify depth are appropriately configured so that the IdP’s server certificate is trusted by Kong and the handshake can be performed successfully.

Demo

Prerequisites

Follow these prerequisites to set up a demo Keycloak app and a Kong service and route for testing mTLS client auth.

In most cases, the OpenID Connect plugin relies on a third party identity provider (IdP). The examples in this guide use Keycloak as a sample IdP.

Expand the following sections to configure Keycloak and Kong Gateway.

Configure Keycloak

All the *.test domains in the following examples point to the localhost (127.0.0.1 and/or ::1).

We use Keycloak as the identity provider in the following examples, but the steps will be similar in other standard identity providers. If you encounter difficulties during this phase, refer to the Keycloak documentation.

  1. Create a confidential client kong with private_key_jwt authentication and configure Keycloak to download the public keys from [the OpenID Connect Plugin JWKS endpoint][json-web-key-set]:



  2. Create another confidential client service with client_secret_basic authentication. For this client, Keycloak will auto-generate a secret similar to the following: cf4c655a-0622-4ce6-a0de-d3353ef0b714. Enable the client credentials grant for the client:



  3. (Optional) Create another confidential client cert-bound with settings similar to the service client created previously. From the Advanced tab, enable the OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled toggle.

  4. (Optional, to test mTLS Client Authentication) Create another confidential client client-tls-auth with settings similar to the service client created above. From the Credentials tab, select the X509 Certificate Client Authenticator and fill the Subject DN field so that it matches the Kong client certificate’s, e.g.: CN=JohnDoe, OU=IT.

  5. (Optional, to test Demonstrating Proof-of-Possession Client Authentication) Create another confidential client client-dpop-auth with settings similar to the service client created above. From the Advanced tab, enable theOAuth 2.0 DPoP Bound Access Tokens Enabled toggle.

  6. Create a verified user with the name: john and the non-temporary password: doe that can be used with the password grant:

Alternatively you can download the exported Keycloak configuration, and use it to configure the Keycloak. Please refer to Keycloak import documentation for more information.

You need to modify Keycloak standalone.xml configuration file, and change the socket binding from:

<socket-binding name="https" port="${jboss.https.port:8443}"/>

to

<socket-binding name="https" port="${jboss.https.port:8440}"/>

The Keycloak default https port conflicts with the default Kong TLS proxy port, and that can be a problem if both are started on the same host.

Note: The mTLS Client Authentication, along with the proof of possession feature that validates OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, both require configuring Keycloak to validate client certificates with mTLS using the --https-client-auth=request option, and to configure TLS appropriately, including adding the trusted client certificates to the truststore. For more information, refer to the Keycloak documentation.

Configure Kong Gateway

  1. Create a service:

     curl -i -X POST http://localhost:8001/services \
   --data "name=openid-connect" \
   --data "url=https://httpbin.konghq.com/anything"

  2. Create a route:

     curl -i -X POST http://localhost:8001/services/openid-connect/routes \
   --data "name=openid-connect" \
   --data "paths[]=/"

Set up mTLS for the OIDC plugin

Using the Keycloak and Kong Gateway configuration from the prerequisites, set up an instance of the OpenID Connect plugin.

For the demo, we’re going to set up the following:

  • Issuer, client ID: Settings that connect the plugin to your IdP (in this case, the sample Keycloak app).
  • client_auth: Must use TLS (tls_client_auth).
  • Auth methods: For demo purposes, we use the password grant, but you can use any supported auth method.
  • tls_client_auth_cert_id: Pass the ID of the certificate object you created via /certificates.

With all of the above in mind, let’s test out mTLS client auth with the password grant, using Keycloak as the IdP. Enable the OpenID Connect plugin on the openid-connect service:

次のリクエストを行います。

curl -X POST http://localhost:8001/services/{serviceName|Id}/plugins \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
  "name": "openid-connect",
  "config": {
    "issuer": "http://keycloak.test:8080/auth/realms/master",
    "client_id": "client-tls-auth",
    "client_auth": "tls_client_auth",
    "auth_methods": [
      "password"
    ],
    "tls_client_auth_cert_id": "1e0721c1-fd43-494c-9864-007bbba98c8c"
  }
}
    '
SERVICE_NAME IDを、このプラグイン構成の対象となるサービスの idまたはnameに置き換えてください。

独自のアクセストークン、リージョン、コントロールプレーンID、サービスIDを代入して、次のリクエストを行ってください。

curl -X POST \
https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer TOKEN" \
    --data '{"name":"openid-connect","config":{"issuer":"http://keycloak.test:8080/auth/realms/master","client_id":"client-tls-auth","client_auth":"tls_client_auth","auth_methods":["password"],"tls_client_auth_cert_id":"1e0721c1-fd43-494c-9864-007bbba98c8c"}}'

地域固有のURLと個人アクセストークンの詳細については、 Konnect API referenceをご参照ください。

まず、KongPlugin リソースを作成します:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: openid-connect-example
plugin: openid-connect
config:
  issuer: http://keycloak.test:8080/auth/realms/master
  client_id: client-tls-auth
  client_auth: tls_client_auth
  auth_methods:
  - password
  tls_client_auth_cert_id: 1e0721c1-fd43-494c-9864-007bbba98c8c
" | kubectl apply -f -

次に、次のようにserviceに注釈を付けて、KongPluginリソースをイングレスに適用します。

kubectl annotate service SERVICE_NAME konghq.com/plugins=openid-connect-example

SERVICE_NAMEを、このプラグイン構成が対象とするサービスの名前に置き換えます。 kubectl get serviceを実行すると、利用可能なイングレスを確認できます。

注: KongPluginリソースは一度だけ定義するだけで、ネームスペース内の任意のサービス、コンシューマー、またはルートに適用できます。プラグインをクラスター全体で利用可能にしたい場合は、KongPluginの代わりにKongClusterPluginとしてリソースを作成してください。

このセクションを宣言型構成ファイルに追加します。

plugins:
- name: openid-connect
  service: SERVICE_NAME|ID
  config:
    issuer: http://keycloak.test:8080/auth/realms/master
    client_id: client-tls-auth
    client_auth: tls_client_auth
    auth_methods:
    - password
    tls_client_auth_cert_id: 1e0721c1-fd43-494c-9864-007bbba98c8c
SERVICE_NAME IDを、このプラグイン構成の対象となるサービスの idまたはnameに置き換えてください。
前提条件: パーソナルアクセストークンの設定 
terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "kpat_YOUR_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Kong Konnectゲートウェイプラグインを作成するには、Terraform 構成に以下を追加します。

resource "konnect_gateway_plugin_openid_connect" "my_openid_connect" {
  enabled = true

  config = {
    issuer = "http://keycloak.test:8080/auth/realms/master"
    client_id = "client-tls-auth"
    client_auth = "tls_client_auth"
    auth_methods = ["password"]
    tls_client_auth_cert_id = "1e0721c1-fd43-494c-9864-007bbba98c8c"
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

Test mTLS client auth

Access the service using the password auth method. Kong will access the IdP’s token endpoint using the mTLS Client Authentication with the configured certificate:

curl http://localhost:8000/openid-connect --user john:doe

If successful, you should receive a 200 status code:

HTTP/1.1 200 OK