Kong Manager OIDC

I’m trying to set up Kong Manager (2.5.x) with Ping OIDC. I got to the point where the Manager UI redirects to Ping to log in, but it immediately gives me an error like this once I log in to Ping:

https://kong-admin.mydomain.com/auth?code=xxx&state=yyy
{"message":"Invalid credentials. Token or User credentials required"}

My admin_gui_auth_conf_secret looks like this:

{
    "issuer": "https://auth.pingone.com/zzz/as/.well-known/openid-configuration",
    "consumer_by": [ "username", "id", "custom_id" ],
    "consumer_claim": [ "username" ],
    "client_id": ["client id"],
    "client_secret": ["client secret"],
    "authenticated_groups_claim": ["group"],
    "ssl_verify": false,
    "leeway": 60,
    "logout_methods": ["GET", "DELETE"],
    "logout_query_arg": "logout",
    "redirect_uri": [ "https://kong-admin.mydomain.com/auth" ],
    "login_redirect_uri": [ "https://kong-admin.mydomain.com" ],
    "scopes": ["openid", "profile", "email"],
    "auth_methods": ["authorization_code"]
}

The domain name for Kong Manager is kong-manager.mydomain.com and the Admin API is at kong-admin.mydomain.com; both are served from the default https port (443).

Any ideas on what’s wrong with my configuration?


Hi @gerco - Did you ever solve this to use the OIDC plugin with Kong Manager? We also have the Kong Admin API and Manager on different hostnames.

I can’t quite remember what we did to solve the issue, but this is the admin_gui_auth_config that ended up working for us.

{
    "issuer": "https://auth.pingone.com/xxx/as",
    "admin_claim": "email",
    "consumer_claim": [ "email" ],
    "consumer_by": [ "id", "username", "custom_id" ],
    "client_id": ["client id"],
    "client_secret": ["client secret"],
    "authenticated_groups_claim": ["kongRoles"],
    "ssl_verify": false,
    "leeway": 60,
    "logout_methods": ["GET", "DELETE"],
    "logout_query_arg": "logout",
    "redirect_uri": [ "https://kong-manager.ourdomain.com/" ],
    "scopes": ["openid", "profile", "email"],
    "auth_methods": ["authorization_code"]
}

In Ping, we created a separate attribute kongRoles that contains the role names each user should have. I think it’s set by Ping group memberships but I don’t know for sure how that part works.


Thank you @gerco that helped us a ton! We ended up with a config like this:

{
        "issuer": "https://***.***.com",
        "admin_claim": "email",
        "client_id": [
                "***"
        ],
        "client_secret": [
                "***"
        ],
        "consumer_optional": true,
        "by_username_ignore_case": true,
        "authenticated_groups_claim": [
                "roles"
        ],
        "scopes": [
                "openid",
                "profile",
                "email"
        ],
        "ssl_verify": true,
        "leeway": 90,
        "redirect_uri": [
                "https://research-api-manager.*.com/"
        ],
        "logout_query_arg": "logout",
        "logout_methods": ["GET", "DELETE"],
        "auth_methods": [
                "authorization_code"
        ]
}
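The three configs above differ in a handful of settings: the issuer form (discovery-document path vs. bare issuer URL), whether redirect_uri points at the Admin API host or the Manager host, the presence of admin_claim, and ssl_verify. The script below is an added example, not code from any of the posters or from Kong; it lints an admin_gui_auth_conf JSON against those differences. The rules are assumptions drawn from this thread (what changed between the failing and working configs) plus one general TLS hardening check, not Kong's documented validation, and the two sample configs and hostnames are constructed placeholders.

```python
# Added example (not Kong's code): lint a Kong Manager admin_gui_auth_conf for
# the settings that differ between the failing and working configs in this thread.
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def lint_admin_gui_auth_conf(conf: dict, manager_host: str) -> list:
    """Return a list of findings, each prefixed with the offending key.

    Assumed rules (from the thread, not Kong's validation):
      - issuer is an https URL without the discovery-document suffix
      - ssl_verify is true so the IdP's TLS certificate is checked
      - redirect_uri / login_redirect_uri live on the Kong Manager host
      - admin_claim and authenticated_groups_claim are present
    """
    findings = []
    issuer = conf.get("issuer", "")
    if not issuer.startswith("https://"):
        findings.append("issuer: must be an https URL")
    if issuer.endswith(DISCOVERY_SUFFIX):
        findings.append("issuer: points at the discovery document; the working configs use the bare issuer URL")
    if conf.get("ssl_verify") is not True:
        findings.append("ssl_verify: not true, so the IdP's TLS certificate is not verified")
    for key in ("redirect_uri", "login_redirect_uri"):
        for uri in conf.get(key, []):
            if urlparse(uri).hostname != manager_host:
                findings.append(f"{key}: {uri} is not on the Kong Manager host {manager_host}")
    if "admin_claim" not in conf:
        findings.append("admin_claim: missing; the working configs map admins by a claim such as email")
    if not conf.get("authenticated_groups_claim"):
        findings.append("authenticated_groups_claim: missing; no claim maps IdP groups to Kong roles")
    return findings


def lint_json(text: str, manager_host: str) -> list:
    """Parse the JSON secret and lint it."""
    return lint_admin_gui_auth_conf(json.loads(text), manager_host)


# Constructed sample mirroring the first post: discovery-path issuer, ssl_verify
# false, redirect targets on the Admin API host, no admin_claim.
FAILING_CONF_JSON = """{
    "issuer": "https://idp.example.com/as/.well-known/openid-configuration",
    "consumer_by": ["username", "id", "custom_id"],
    "consumer_claim": ["username"],
    "client_id": ["CLIENT_ID_PLACEHOLDER"],
    "client_secret": ["CLIENT_SECRET_PLACEHOLDER"],
    "authenticated_groups_claim": ["group"],
    "ssl_verify": false,
    "leeway": 60,
    "redirect_uri": ["https://kong-admin.example.com/auth"],
    "login_redirect_uri": ["https://kong-admin.example.com"],
    "scopes": ["openid", "profile", "email"],
    "auth_methods": ["authorization_code"]
}"""

# Constructed sample mirroring the last post: bare issuer, admin_claim set,
# ssl_verify true, redirect_uri on the Manager host.
WORKING_CONF_JSON = """{
    "issuer": "https://idp.example.com",
    "admin_claim": "email",
    "client_id": ["CLIENT_ID_PLACEHOLDER"],
    "client_secret": ["CLIENT_SECRET_PLACEHOLDER"],
    "consumer_optional": true,
    "by_username_ignore_case": true,
    "authenticated_groups_claim": ["roles"],
    "scopes": ["openid", "profile", "email"],
    "ssl_verify": true,
    "leeway": 90,
    "redirect_uri": ["https://kong-manager.example.com/"],
    "logout_query_arg": "logout",
    "logout_methods": ["GET", "DELETE"],
    "auth_methods": ["authorization_code"]
}"""

if __name__ == "__main__":
    for label, text in (("failing", FAILING_CONF_JSON), ("working", WORKING_CONF_JSON)):
        print(f"== {label} ==")
        for finding in lint_json(text, "kong-manager.example.com") or ["no findings"]:
            print("  " + finding)
```

Run it against your own secret with `lint_json(open("secret.json").read(), "<your manager host>")`; the Manager host is the one parameter the thread shows mattering, since both the failing and working posters served Manager and the Admin API on different hostnames.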