Best practice for creating new consumer resources

When creating consumer resources, is there a recommended approach for what values to use for the username and custom_id attributes? In our case, we use OAuth for API security, and the access tokens generated by the IdP include the IdP-generated client ID as a claim, not the app name. So when creating a consumer resource in Kong to represent this:

  • username = application name registered in IdP
  • custom_id = OAuth client ID

The issue I’ve just run into is that the Python PDK only provides a way to find a consumer resource by the username, not the custom_id. With the tokens received from clients, I only have the value in custom_id. So now wondering if we should have reversed the values used in the consumer attributes?

Hi @shawnc1959-8451

Thanks for reporting this. What version is this?

Your usage is correct. We are looking into the Python PDK and will revert back.

As an alternate, would it be possible to include the application name as another claim in the minted tokens? Then the PDK can look up the username in the token. This will unblock you.

Thanks
-Veena

Hi @Veena_Rajarathna thanks for the response.

> What version is this?

Not exactly sure which version you mean, but we’re using Kong v3.5. As for the Python PDK, we’re pulling the most current version, which looks to be v0.36.

I know the Lua PDK exposes the kong.db interface, which provided methods to search for a consumer object ID by either the username or custom_id values. But with the Python PDK, it looks like the only option is to call kong.client.load_consumer(), which expects you to pass it the consumer ID, or pass a 2nd optional boolean parameter to search by the username; nothing that I can find to search by custom_id. Which is why my question is about how Kong expects you to populate the consumer attributes when creating it.

> As an alternate, would it be possible to include the application name as another claim in the minted tokens?

We can look into that. This plugin is intended to be able to process tokens from multiple IdPs, so we’d have to be able to do that from all of them; not sure how likely that will be.
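
Added example, not code from the thread or from Kong: one way a Python plugin could apply the suggested workaround across several IdPs, looking the consumer up by username with kong.client.load_consumer(name, True) and then checking its custom_id against the token's client ID. The issuer URLs, the claim names (including `client_id`) and the `(value, err)` return shape of the PDK call are assumptions.

```python
# Added example: map claims from an already-verified token to a Kong consumer.
# Assumptions: issuer URLs and claim names below are hypothetical, and the PDK
# call returns (value, err) as in its Lua-style mode.

# Per-IdP claim that carries the application name used as the consumer username.
USERNAME_CLAIM_BY_ISSUER = {
    "https://idp-a.example/": "app_name",
    "https://idp-b.example/": "application",
}


class ConsumerLookupError(Exception):
    """No consumer could be safely resolved; the caller should reject the request."""


def resolve_consumer(kong, claims):
    """Return the consumer for these claims, or raise ConsumerLookupError.

    `claims` must come from a token whose signature, issuer and audience were
    already validated; this function performs no cryptographic checks.
    """
    issuer = claims.get("iss")
    if not isinstance(issuer, str) or issuer not in USERNAME_CLAIM_BY_ISSUER:
        raise ConsumerLookupError("issuer not configured")
    claim_name = USERNAME_CLAIM_BY_ISSUER[issuer]
    username = claims.get(claim_name)
    if not isinstance(username, str) or not username.strip():
        raise ConsumerLookupError("application name claim missing or empty")
    # Second argument True: search by username instead of consumer ID.
    consumer, err = kong.client.load_consumer(username, True)
    if err or not consumer:
        raise ConsumerLookupError("no consumer for this application")
    # custom_id holds the OAuth client ID, so require it to match the token.
    # An application name alone then cannot select another client's consumer.
    client_id = claims.get("client_id")
    if not client_id or consumer.get("custom_id") != client_id:
        raise ConsumerLookupError("custom_id does not match client ID")
    return consumer
```

In a plugin's access handler, a ConsumerLookupError would translate into rejecting the request rather than falling through to an anonymous consumer.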