Kong OIDC and social login

Here in my current job, we are evaluating the KONG-OIDC plugin to be our auth solution in addition to an IDP provider (Auth0, Okta, Cognito). Our goal with the kong-OIDC is that we could have a single point handling the communication to the IDP for all clients we have (web and mobile) and for all the login types (user_pass and social).

Regarding the plugin, we currently have it running just fine. The only doubt we have is regarding the social login: is the social login supposed to be handled by the Kong OIDC? I see a lot of examples of people using it for the classic auth_flow, but I didn’t see any for social login.

Feel free to ask/correct my post if something is not clear.

I think you can use Auth0 / Okta and perhaps Cognito to provide social login, then configure the Kong OpenID Connect plugin to talk OpenID Connect to Auth0 / Okta / Cognito. Or are you looking for something else? If the social login supports OAuth 2.0 or OpenID Connect, you can also use Kong OpenID Connect directly on them. But AFAIK when people say social login they usually mean a proprietary login implemented by each social media platform. Does this answer your question?

Thanks for the answer. Actually, we are trying this approach, using the Kong OpenID plugin not only for the classic user and password flow but also for the social logins using the providers you mentioned. I was just wondering if using the OpenID plugin for the social login flow as well was somehow wrong or not the best idea, because we could of course easily do the social login using the IDP SDKs, but we were actually aiming to have all the authentication options managed by the Kong plugin.

As IDPs already implement connectors / federate with the social media, OpenID Connect is just one protocol that the IDP provides. It could also provide SAML or WS-Federation, for example. It is just two flows stacked together. I am not sure if there are social login plugins for Kong (perhaps 3rd party), but I think most of the business is moving to OpenID Connect.

As the social logins are in many cases proprietary, it might not be an option to use the OpenID Connect plugin directly with social media login (if the social media uses an OAuth 2.0 based flow, it might be possible), so the choices are basically (from Kong's point of view):

  • use an IDP that can do social logins as well and wrap that to OpenID Connect (I would prefer this)
  • find / develop such a plugin

I have heard that people do things like Kong -> OpenID Connect -> Azure AD -> SAML -> ADFS -> SAML -> Azure AD -> OpenID Connect -> Kong. This is also two flows wrapped up together: one flow between Kong and Azure AD, and a second flow between Azure AD and ADFS (Azure AD speaks both protocols and can convert SAML assertions to OpenID Connect claims).
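
The first option above (an IDP that does the social logins, wrapped in OpenID Connect), sketched as an added example that is not part of the thread: a Kong declarative configuration, assuming the Kong Enterprise `openid-connect` plugin, with every name, host and credential a placeholder. No social provider appears on the Kong side; the social connections are enabled inside the IDP.

```yaml
# Added example, not from the thread. Assumes the Kong Enterprise
# "openid-connect" plugin; all names, hosts and credentials are placeholders.
_format_version: "3.0"
services:
  - name: example-api                      # hypothetical upstream service
    url: http://example-upstream.internal:8080
    routes:
      - name: example-route
        paths:
          - /api
    plugins:
      - name: openid-connect
        config:
          # Kong only knows the IDP (Auth0 / Okta / Cognito). Which social
          # providers the user may pick is decided by the IDP's login page.
          issuer: https://idp-tenant.example.com/
          client_id:
            - KONG_CLIENT_ID_PLACEHOLDER
          client_secret:
            # Load from a secrets store; do not commit a real value.
            - KONG_CLIENT_SECRET_PLACEHOLDER
          redirect_uri:
            # Must be registered as an allowed callback for this client at the IDP.
            - https://gateway.example.com/api
          scopes:
            - openid
            - profile
            - email
          auth_methods:
            - authorization_code           # browser clients: redirect to the IDP
            - session                      # later requests reuse the session cookie
            - bearer                       # mobile clients presenting an IDP-issued token
```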

Thank you very much for the clarification.