Secure Web Application using Gluu Gateway Multi-step OpenID Connect OAuth security

What is Gluu Gateway?


  • The request hits Gluu Gateway first: it is the Internet-facing endpoint, so the backend web application is never exposed directly.
  • Based on its configuration, Gluu Gateway (GG) performs the OpenID Connect authorization code flow against the OpenID Provider before forwarding the request to the backend.


OpenID Provider

Gluu Gateway (GG)

  • Gluu Gateway UI: This is the admin web interface where you configure your backend API, routes, consumers, and plugins. Note: the admin UI just calls the Kong Admin API, so anything you can do in the UI you can also do via the API. The admin UI even keeps a log that shows the equivalent curl command for each action you perform.
  • GG Plugins: Gluu Gateway provides several plugins. Check here for the list. This tutorial only uses the gluu-openid-connect plugin for request authentication.
  • OXD: oxd exposes simple, static APIs that web application developers can use to implement user authentication and authorization against an OAuth 2.0 authorization server like Gluu. The Gluu plugins call the oxd APIs, which reduces the amount of protocol code in the Kong plugins.

Backend Web-App (Protected Resources)


Enable OTP authentication in Gluu Server

  1. In oxTrust, navigate to Configuration > Person Authentication Scripts
  2. Enable the otp script

Gluu Gateway configuration

  1. Configure Service
  2. Configure Route
  3. Configure gluu-openid-connect plugin

1. Configure Service

  • Click SERVICES on left panel
  • Click on + ADD NEW SERVICE button
  • Fill in the following boxes:
    • Name: oidc-steppedup-demo
    • URL: http://localhost:4400. Register the URL of your own web application here; in this tutorial the web app is running on port 4400.

2. Configure Route

  • Click on the oidc-steppedup-demo service
  • Click the + ADD ROUTE button
  • Fill in the following boxes:
    • Name: oidc-steppedup-demo
    • Hosts: <your-server-host>. Tip: press Enter to accept the value. This tutorial uses a server with an updated /etc/hosts file; this is the host that will be requested in the browser after configuration. If you are using live servers, register the domain host instead. The rest of the tutorial will use as an example; replace it with your host. Check the Kong docs for more routing capabilities.

3. Configure Plugin

  • Click ROUTES on the left panel
  • Click on the route id/name with as the host
  • Click on Plugins
  • Click on + ADD PLUGIN button
  • A pop-up shows the Gluu OIDC & UMA PEP title with a + icon.
  • Click the + icon to open the plugin form. Add the ACR expression as shown in the screenshots below, so that the plugin requires:
    • otp stepped-up authentication for the path /payments/??
    • simple_password_auth authentication for all other paths. Check here for more details about ACR expressions.


  1. Once you send a request to the Kong proxy, the plugin redirects the request to the OP. The OP prompts for username and password, because we added the simple_password_auth ACR for any path (/??). Requesting a path under /payments/ triggers the stronger otp ACR instead.
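To make the routing decision concrete, here is an added illustration of the per-path ACR policy the plugin enforces above; it is not the gluu-openid-connect plugin's own code. It assumes an ACR expression is a list of (path pattern, required ACR) pairs, that a pattern ending in /?? covers that prefix and every sub-path, that a stronger ACR (otp) also satisfies a path that only needs simple_password_auth, and that the caller has already validated the ID token and passes its acr claim.

```python
"""Path-based ACR policy check mirroring the tutorial's stepped-up auth rules.
Added example, not Gluu Gateway code. The ACR strength ranking and the
fail-closed 'deny' for unmatched paths are assumptions of this example."""
from dataclasses import dataclass
from typing import Optional

# Same rules as configured on the Kong route: OTP under /payments, password elsewhere.
ACR_EXPRESSION = [
    ("/payments/??", "otp"),
    ("/??", "simple_password_auth"),
]

# Assumed ordering: an OTP session is at least as strong as a password-only one.
ACR_STRENGTH = {"simple_password_auth": 1, "otp": 2}


@dataclass(frozen=True)
class Decision:
    action: str         # "allow", "authenticate", "step_up" or "deny"
    required_acr: str   # ACR the OP must return for this path ("" when denied)


def _pattern_matches(pattern: str, path: str) -> bool:
    """'/payments/??' matches '/payments' and every path below it; '/??' matches all."""
    if not pattern.endswith("/??"):
        return pattern == path                 # plain pattern: exact match only
    prefix = pattern[:-3]                      # strip the trailing '/??'
    return path == prefix or path.startswith(prefix + "/")


def required_acr_for(path: str, rules=ACR_EXPRESSION) -> Optional[str]:
    """Most specific (longest) matching pattern wins, independent of list order."""
    matches = [(pat, acr) for pat, acr in rules if _pattern_matches(pat, path)]
    if not matches:
        return None
    return max(matches, key=lambda m: len(m[0]))[1]


def evaluate(path: str, token_acr: Optional[str], rules=ACR_EXPRESSION) -> Decision:
    """Decide what the gateway does with a request before proxying it to the backend."""
    required = required_acr_for(path, rules)
    if required is None:
        return Decision("deny", "")            # no rule covers the path: fail closed
    if token_acr is None:
        return Decision("authenticate", required)   # no session: redirect to the OP
    if ACR_STRENGTH.get(token_acr, 0) >= ACR_STRENGTH[required]:
        return Decision("allow", required)
    # Session exists but was authenticated with a weaker method: send the user
    # back to the OP with acr_values=required so only the extra factor is asked.
    return Decision("step_up", required)
```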


  1. Multi-step authentication is not in your code; it lives in the HTTP routing infrastructure. That means you can change the authentication methods without touching your application code.
  2. Your backend web app is not Internet-facing.
  3. You can layer on other controls at the gateway, such as limiting transaction volume (e.g. how many calls per hour or day a client may make).
  4. Developers don't need to know anything about OpenID Connect or OAuth; they can just code the functionality they need and focus on fine-grained authorization.


