kong-oidc

OpenID Connect and token introspection plugin for Kong Gateway 3.x.

kong-oidc is a Kong Gateway plugin that secures APIs with OpenID Connect.
It authenticates browser sessions via the authorization-code flow and
validates bearer access tokens via RFC 7662 token introspection, then
injects the verified caller identity into upstream requests.

Built for Kong OSS 3.9.3 on lua-resty-openidc 1.8.0. This is a modified
Apache-2.0 fork of the Nokia kong-oidc plugin, modernized for Kong 3.x.

Highlights:
- Bearer/API mode: introspection with 401 on failure (no browser fallback)
- Browser mode: authorization-code flow with encrypted session cookies
- Exact-path filters (no Lua patterns), TLS verification on by default
- Identity headers (X-Userinfo / X-ID-Token / X-Access-Token) stripped from
client requests and re-injected from verified identity to prevent spoofing
- Typed Kong 3 schema with cross-field validation (HTTPS endpoints, 32-byte
session secret)

Install: luarocks install davidgrldo/kong-oidc
Source/docs: https://github.com/davidgrldo/kong-oidc

Versions

2.1.0-18 hours ago1 download
2.0.0-12 days ago9 downloads

Dependencies

lua >= 5.1

Dependency for

JWKS Aware OAuth/JWT Access token validator, oauth-jwks-validator