Openid-connect plugin, how to use mTLS to authenticate the IDP server?

We are using the openid-connect plugin to introspect the incoming token. This was all good until recently, when the internal ID Provider decided to enforce mTLS on all requests, including the well-known configuration and introspection. (We are on Kong DB-less mode, running within Docker containers.)

To handle these I have defined the certificates and keys as below:

```yaml
certificates:
  - id: c65bc4e6-dc32-4384-a3cc-2507df18ea58
    cert: |
      -----BEGIN CERTIFICATE-----
      ..............
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      ..............
      -----END RSA PRIVATE KEY-----
    snis:
      - name: "idp.endpoint"
```

I could only see that there is an option to specify client_certificate at the service level, which openid-connect doesn't use. I have read through the documentation; however, it only mentions ssl_verify, which would enable certificate verification at Kong. What I am actually looking for is passing these certs and keys with the requests to the IDP, so the IDP server can use them for mTLS.

Is there a way to achieve that with current openid-connect plugin?

If you are referring to tls_client_auth (RFC 8705), it is not supported as far as I know.

The Kong OIDC plugin supports client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt and none for config.client_auth.