コンテンツにスキップ
|
Plugin Hub
report-issue問題を報告する
header icon

Logout

By Kong Inc.

このページは、まだ日本語ではご利用いただけません。翻訳中です。

古いプラグインバージョンのドキュメントを閲覧しています。

The logout functionality is mostly useful together with the session authentication that is mostly useful with the authorization code flow.

As part of the logout, the OpenID Connect plugin implements several features:

  • Session invalidation
  • Token revocation
  • Relying party (RP) initiated logout

Prerequisites

In most cases, the OpenID Connect plugin relies on a third party identity provider (IdP). The examples in this guide use Keycloak as a sample IdP.

Expand the following sections to configure Keycloak and Kong Gateway.

Configure Keycloak

All the *.test domains in the following examples point to the localhost (127.0.0.1 and/or ::1).

We use Keycloak as the identity provider in the following examples, but the steps will be similar in other standard identity providers. If you encounter difficulties during this phase, refer to the Keycloak documentation.

  1. Create a confidential client kong with private_key_jwt authentication and configure Keycloak to download the public keys from [the OpenID Connect Plugin JWKS endpoint][json-web-key-set]:



  2. Create another confidential client service with client_secret_basic authentication. For this client, Keycloak will auto-generate a secret similar to the following: cf4c655a-0622-4ce6-a0de-d3353ef0b714. Enable the client credentials grant for the client:



  3. (Optional) Create another confidential client cert-bound with settings similar to the service client created previously. From the Advanced tab, enable the OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled toggle.

  4. (Optional, to test mTLS Client Authentication) Create another confidential client client-tls-auth with settings similar to the service client created above. From the Credentials tab, select the X509 Certificate Client Authenticator and fill the Subject DN field so that it matches the Kong client certificate’s, e.g.: CN=JohnDoe, OU=IT.

  5. (Optional, to test Demonstrating Proof-of-Possession Client Authentication) Create another confidential client client-dpop-auth with settings similar to the service client created above. From the Advanced tab, enable theOAuth 2.0 DPoP Bound Access Tokens Enabled toggle.

  6. Create a verified user with the name: john and the non-temporary password: doe that can be used with the password grant:

Alternatively you can download the exported Keycloak configuration, and use it to configure the Keycloak. Please refer to Keycloak import documentation for more information.

You need to modify Keycloak standalone.xml configuration file, and change the socket binding from:

<socket-binding name="https" port="${jboss.https.port:8443}"/>

to

<socket-binding name="https" port="${jboss.https.port:8440}"/>

The Keycloak default https port conflicts with the default Kong TLS proxy port, and that can be a problem if both are started on the same host.

Note: The mTLS Client Authentication, along with the proof of possession feature that validates OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, both require configuring Keycloak to validate client certificates with mTLS using the --https-client-auth=request option, and to configure TLS appropriately, including adding the trusted client certificates to the truststore. For more information, refer to the Keycloak documentation.

Configure Kong Gateway

  1. Create a service:

     curl -i -X POST http://localhost:8001/services \
   --data "name=openid-connect" \
   --data "url=https://httpbin.konghq.com/anything"

  2. Create a route:

     curl -i -X POST http://localhost:8001/services/openid-connect/routes \
   --data "name=openid-connect" \
   --data "paths[]=/"

Set up logout with OIDC

Let’s patch the OpenID Connect plugin to provide the logout functionality:

http -f patch :8001/plugins/5f35b796-ced6-4c00-9b2a-90eef745f4f9 \
  config.auth_methods=session                                    \
  config.auth_methods=password                                   \
  config.logout_uri_suffix=/logout                               \
  config.logout_methods=POST                                     \
  config.logout_revoke=true

HTTP/1.1 200 OK

{
    "id": "5f35b796-ced6-4c00-9b2a-90eef745f4f9",
    "name": "openid-connect",
    "service": {
        "id": "5fa9e468-0007-4d7e-9aeb-49ca9edd6ccd"
    },
    "config": {
        "auth_methods": [ "password", "session" ],
        "logout_uri_suffix": "/logout",
        "logout_methods": [ "POST" ],
        "logout_revoke": true
    }
}

Login and establish a session:

http -a john:doe --session=john :8000

HTTP/1.1 200 OK

Test that session authentication works:

http --session=john :8000

HTTP/1.1 200 OK

Logout, and follow the redirect:

http --session=john --follow -a john: post :8000/logout

HTTP/1.1 200 OK

We needed to pass -a john: as there seems to be a feature with HTTPie that makes it to store the original basic authentication credentials in a session - not just the session cookies.

At this point the client has logged out from both Kong and the identity provider (Keycloak).

Check that the session is really gone:

http --session=john :8000

HTTP/1.1 401 Unauthorized