OpenID Connect 1.0 RP is actually a suite of several Kong plugins related to OpenID Connect. There are several use cases that the plugins try to solve. The plugin suite consists of:
OpenID Connect Verification Plugin that is used for ID Token and access token verification, and supports automatic key rotation based on OpenID Connect Discovery, and caching. We also support dynamic rate-limiting based on the claims provided.
OpenID Connect Authentication Plugin implements OpenID Connect authentication flow within Kong. It manages the access and id tokens for the client, including caching and refreshing them, and provides the client a session.
OpenID Connect Protection Plugin is used with the authentication plugin to protect specific API services.
OpenID Connect Revocation Plugin allows the tokens to be revoked, and black-listed for usage.
OpenID Connect Dereferencing Plugin enables Kong to act as a central place where the opaque tokens are dereferenced and other information (e.g. OpenID Connect User Info) is gathered before the request is proxied to the API Service. This plugin also implements caching to ease the burden on external resources.
We look forward to expanding the plugin suite with new plugins as the need for them arises. So all feedback is welcome.
This plugin is only available with a Kong Enterprise subscription.
If you are not a Kong Enterprise customer, you can inquire about our Enterprise offering by contacting us.