We are using the openid-connect plugin to introspect the incoming token. This was all good until recently, when the internal ID Provider decided to enforce mTLS on all requests, including the well-known configuration and introspection. (We are on Kong DB-less mode, running within Docker containers.)
To handle this I have defined the certificates and keys as below:

certificates:
- id: c65bc4e6-dc32-4384-a3cc-2507df18ea58
  cert: |
    -----BEGIN CERTIFICATE-----
    ..............
    -----END CERTIFICATE-----
  key: |
    -----BEGIN RSA PRIVATE KEY-----
    ..............
    -----END RSA PRIVATE KEY-----
  snis:
  - name: "idp.endpoint"
I could only see that there is an option to specify the client_certificate at the service level, which openid-connect doesn't use. I have read through the documentation, however it only mentions ssl_verify, which would enable certificate verification at Kong. However, what I am actually looking for is passing these certs and keys with the IdP requests so the IdP server can use them for mTLS.
Is there a way to achieve that with the current openid-connect plugin?
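Before wiring a client certificate into the declarative config above, it is worth confirming that the cert and key actually pair up, that the cert is not about to expire, and that the IdP endpoint really does reject connections without a client cert. The helpers below are an added example, not code from the original post or from Kong; the file paths and the `idp.endpoint` host name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from Kong). Sanity checks for a
# client certificate/key pair intended for mTLS to an OpenID Connect provider.
# Requires the openssl CLI; paths and host names are assumed placeholders.

# Return 0 when the certificate's public key matches the private key.
# Both sides are reduced to the SHA-256 digest of the DER-encoded public key,
# which works for RSA and EC keys alike.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is still valid for at least $2 seconds
# (default: one day). Kong will not warn you when the cert silently expires.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null
}

# Print the curl invocation that exercises the IdP discovery document over
# mTLS with the same cert/key Kong will present. Run it twice, once with and
# once without --cert/--key: the second call should fail at the TLS layer if
# the IdP really enforces client certificates.
idp_mtls_probe_cmd() {
  printf 'curl --cert %s --key %s --cacert %s https://%s/.well-known/openid-configuration\n' \
    "$1" "$2" "$3" "$4"
}

# Usage: ./check_mtls.sh client.crt client.key idp-ca.crt idp.endpoint
if [ "$#" -ge 4 ]; then
  cert_key_match "$1" "$2"     && echo "ok: certificate and key match" \
                               || echo "FAIL: certificate and key do not match"
  cert_not_expiring "$1" 86400 && echo "ok: certificate valid for >24h" \
                               || echo "FAIL: certificate expires within 24h"
  idp_mtls_probe_cmd "$1" "$2" "$3" "$4"
fi
```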