Hello Team,
I am working on an integration where Kong acts as a Trusted Broker to retrieve secrets from CyberArk Conjur using the authn-jwt authenticator.
The proposed flow:
- Client authenticates to Kong (OIDC/API Key).
- Kong performs a Client Credentials grant with Ping IDP to obtain its own Workload JWT.
- Kong exchanges this JWT with Conjur for a short-lived access token.
- Kong retrieves the backend API secret and injects it into the upstream request.
Since this requires an ‘outbound’ identity handshake before the ‘upstream’ call, would you recommend building this as a custom Lua plugin in the access phase, or is there a way to leverage the existing OIDC plugin for this multi-step token exchange? Any insights on performance overhead for this JIT secret retrieval would be greatly appreciated.
Regards
Nirmal
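As an added example of the four-step broker flow above (not code from the original post, Kong, or CyberArk), here is a sketch of a custom Kong plugin handler for the access phase. The plugin name `conjur-broker`, every `conf.*` field, the Ping token URL, and the header name are assumptions; the Conjur paths follow the documented authn-jwt (`/authn-jwt/{service-id}/{account}/authenticate`) and secrets (`/secrets/{account}/variable/{id}`) API. The per-worker cache is what keeps the JIT retrieval from costing three outbound round-trips on every request.

```lua
-- handler.lua for a hypothetical Kong plugin "conjur-broker" (assumed name).
-- Access-phase flow: Ping client credentials -> Conjur authn-jwt -> fetch secret -> inject header.
local http  = require "resty.http"
local cjson = require "cjson.safe"

local ConjurBroker = {
  PRIORITY = 900,    -- run after the authentication plugins (key-auth / openid-connect)
  VERSION  = "0.1.0",
}

-- Per-worker cache so that only the first request (and token expiries) pay the handshake.
-- Entries expire ahead of the real token lifetime so a token is never used at its edge.
local cache = {}           -- key -> { value = ..., expires_at = epoch seconds }
local SAFETY_MARGIN = 30   -- seconds

local function cache_get(key)
  local entry = cache[key]
  if entry and entry.expires_at > ngx.now() then return entry.value end
  cache[key] = nil
  return nil
end

local function cache_set(key, value, ttl)
  cache[key] = { value = value, expires_at = ngx.now() + math.max(ttl - SAFETY_MARGIN, 1) }
end

-- Small wrapper around lua-resty-http with TLS verification always on.
local function post_form(conf, url, form, extra_headers)
  local client = http.new()
  client:set_timeout(conf.timeout_ms or 2000)
  local headers = { ["Content-Type"] = "application/x-www-form-urlencoded" }
  for k, v in pairs(extra_headers or {}) do headers[k] = v end
  local res, err = client:request_uri(url, {
    method = "POST", body = ngx.encode_args(form), headers = headers, ssl_verify = true,
  })
  if not res then return nil, "request to " .. url .. " failed: " .. tostring(err) end
  if res.status ~= 200 then return nil, url .. " returned HTTP " .. res.status end
  return res.body
end

-- Step 2: Kong obtains its own workload JWT from the Ping IdP (client credentials grant).
local function get_workload_jwt(conf)
  local cached = cache_get("ping_jwt")
  if cached then return cached end
  local body, err = post_form(conf, conf.ping_token_url, {
    grant_type    = "client_credentials",
    client_id     = conf.ping_client_id,
    client_secret = conf.ping_client_secret,   -- keep this in a vault reference, not plaintext config
    scope         = conf.ping_scope,
  })
  if not body then return nil, err end
  local token = cjson.decode(body)
  if not token or not token.access_token then return nil, "ping response missing access_token" end
  cache_set("ping_jwt", token.access_token, tonumber(token.expires_in) or 300)
  return token.access_token
end

-- Step 3: exchange the workload JWT for a short-lived Conjur access token via authn-jwt.
-- With "Accept-Encoding: base64" Conjur returns the token already base64-encoded, which is
-- the form the Authorization header needs: Token token="<base64 token>".
local function get_conjur_token(conf, jwt)
  local cached = cache_get("conjur_token")
  if cached then return cached end
  local url = string.format("%s/authn-jwt/%s/%s/authenticate",
                            conf.conjur_url, conf.conjur_service_id, conf.conjur_account)
  local token, err = post_form(conf, url, { jwt = jwt }, { ["Accept-Encoding"] = "base64" })
  if not token then return nil, err end
  cache_set("conjur_token", token, conf.conjur_token_ttl or 300)   -- Conjur tokens live ~8 minutes
  return token
end

-- Step 4: retrieve the backend secret; variable IDs contain "/" and must be URL-escaped.
local function get_secret(conf, conjur_token)
  local cached = cache_get("secret")
  if cached then return cached end
  local url = string.format("%s/secrets/%s/variable/%s",
                            conf.conjur_url, conf.conjur_account, ngx.escape_uri(conf.conjur_variable_id))
  local client = http.new()
  client:set_timeout(conf.timeout_ms or 2000)
  local res, err = client:request_uri(url, {
    method = "GET", ssl_verify = true,
    headers = { ["Authorization"] = string.format('Token token="%s"', conjur_token) },
  })
  if not res then return nil, "secret fetch failed: " .. tostring(err) end
  if res.status ~= 200 then return nil, "secret fetch returned HTTP " .. res.status end
  cache_set("secret", res.body, conf.secret_ttl or 60)
  return res.body
end

function ConjurBroker:access(conf)
  -- Step 1 (client authentication) has already run in a higher-priority auth plugin.
  local jwt, err = get_workload_jwt(conf)
  local token; if jwt then token, err = get_conjur_token(conf, jwt) end
  local secret; if token then secret, err = get_secret(conf, token) end
  if not secret then
    kong.log.err("conjur-broker: ", err)           -- log the failure, never the secret
    return kong.response.exit(503, { message = "upstream credential unavailable" })
  end
  kong.service.request.set_header(conf.upstream_header or "X-Backend-Api-Key", secret)
end

return ConjurBroker
```

The module-level table is a per-worker cache; for a multi-worker or multi-node deployment you would swap it for `kong.cache` (backed by a shared dict) so the handshake is paid once per node rather than once per worker, and set the secret TTL to match how quickly a rotation in Conjur must take effect at the gateway.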
