kong-oidc is a Kong Gateway plugin that secures APIs with OpenID Connect.
It authenticates browser sessions via the authorization-code flow and
validates bearer access tokens via RFC 7662 token introspection, then
injects the verified caller identity into upstream requests.
Built for Kong OSS 3.9.3 on lua-resty-openidc 1.8.0. This is a modified
Apache-2.0 fork of the Nokia kong-oidc plugin, modernized for Kong 3.x.
Highlights:
- Bearer/API mode: introspection with 401 on failure (no browser fallback)
- Browser mode: authorization-code flow with encrypted session cookies
- Exact-path filters (no Lua patterns), TLS verification on by default
- Identity headers (X-Userinfo / X-ID-Token / X-Access-Token) stripped from
client requests and re-injected from verified identity to prevent spoofing
- Typed Kong 3 schema with cross-field validation (HTTPS endpoints, 32-byte
session secret)
Install: luarocks install davidgrldo/kong-oidc
Source/docs: https://github.com/davidgrldo/kong-oidc