
About my setup:

  1. My Kong gateway is set up with the kong-oidc plugin (the free one).
  2. I defined introspection_endpoint, client_id, client_secret, discovery and the other necessary configs for kong-oidc in the gateway setup.
  3. The UI is a React SPA.
  4. The React app uses the PKCE auth flow to log in to the IdP (Okta).

My plan and expectation:

  1. The React app initiates the login process (PKCE flow) and gets an access_token without any Kong involvement. This is done.
  2. Send the access_token from the step above in the subsequent API requests.
  3. I assumed the kong-oidc plugin would validate the access_token using the discovery document defined in the config and forward the request to the upstream service.

Issue I am having:

The application is hitting Okta's API call rate limit, but we are not explicitly making any calls to Okta. It seems the kong-oidc plugin is making a call to validate the access_token on every request.

What I am NOT doing:

  1. We are NOT using the Kong authentication session cookie at all, as we are using the PKCE auth flow and authentication is handled completely in the UI itself.

Questions:

  1. Is using the PKCE flow in the SPA app not correct with Kong gateway + kong-oidc plugin?
  2. Should I use the Kong authentication session cookie instead of the PKCE flow? If so, is the Kong authentication session cookie the only way in the Kong gateway + kong-oidc world?
Premchandra Singh
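To illustrate the per-request introspection the question describes and why caching the result matters for the IdP rate limit, here is a small Python model added for this page; it is not code from kong-oidc, Okta or the asker. `CachingIntrospector`, `make_fake_idp`, `Clock`, `TOKENS` and the traffic mix are constructed for the example, and the cache lifetime is bounded by the token's `exp` so a cached result never outlives the token.

```python
import hashlib
# Constructed sample data (not from the question): a token valid until START+30 s and one the IdP rejects.
START = 1_000_000.0
TOKENS = {"tokenA": {"active": True, "exp": START + 30, "sub": "user-a"},
          "tokenB": {"active": False}}

class Clock:
    t = START                                   # settable clock so the simulation is deterministic

def make_fake_idp(clock):
    """Stands in for Okta's introspection_endpoint (RFC 7662 response shape)."""
    def introspect(token):
        info = TOKENS.get(token, {"active": False})
        if info.get("active") and info["exp"] <= clock.t:
            return {"active": False}            # expired tokens are reported inactive
        return dict(info)
    return introspect

class CachingIntrospector:
    """Introspects bearer tokens, caching results keyed by the token's hash.
    Active results live until min(exp, now + max_ttl), so max_ttl bounds how long a token
    revoked before its exp is still accepted; inactive results get a short negative TTL so
    a flood of bad tokens cannot exhaust the IdP's rate limit either."""
    def __init__(self, idp_call, clock, max_ttl=60, negative_ttl=5):
        self.idp_call, self.clock, self.max_ttl, self.negative_ttl = idp_call, clock, max_ttl, negative_ttl
        self.cache = {}                         # sha256(token) -> (cache_until, response)
        self.idp_calls = 0                      # how often the IdP was actually hit

    def introspect(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()   # never keep raw tokens in the cache
        now = self.clock.t
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return hit[1]
        resp = self.idp_call(token)
        self.idp_calls += 1
        if resp.get("active"):
            until = min(resp.get("exp", now + self.max_ttl), now + self.max_ttl)
        else:
            until = now + self.negative_ttl
        self.cache[key] = (until, resp)
        return resp

def simulate(requests_a=100, requests_b=20):
    """Replays the question's pattern; returns (IdP calls per-request, IdP calls with caching)."""
    clock = Clock()
    introspector = CachingIntrospector(make_fake_idp(clock), clock)
    for token in ["tokenA"] * requests_a + ["tokenB"] * requests_b:
        introspector.introspect(token)
    return requests_a + requests_b, introspector.idp_calls
```

With per-request validation every API call becomes an introspection call (120 for 120 requests here); with caching the same traffic costs two.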
