--- title: Kong API Gateway Integration description: Ping Identity provides a Kong Gateway integration that enables the use of PingAccess and other Ping Identity products for policy decisions. component: pingaccess version: 9.0 page_id: pingaccess:agents_and_integrations:pa_kong_api_gateway_integration canonical_url: https://docs.pingidentity.com/pingaccess/9.0/agents_and_integrations/pa_kong_api_gateway_integration.html revdate: April 11, 2025 --- # Kong API Gateway Integration Ping Identity provides a Kong Gateway integration that enables the use of PingAccess and other Ping Identity products for policy decisions. Integration with Kong Gateway allows PingAccess to handle the complexities of the OAuth *(tooltip: \
\

A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\

\
)* and OpenID Connect (OIDC) *(tooltip: \
\

An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\

\
)* protocols, making it easier to manage access control in your API. Instead of making access control configurations repeatedly, install and configure the Kong plugin once and manage your access control rules in PingAccess. The following diagram explains how traffic flows through Kong Gateway and PingAccess. Workflow diagram illustrating the API flow process from the HTTP client inbound request to the API gateway through the API gateway outbound response to the HTTP client. 1. The HTTP client sends an inbound request to the API gateway. 2. The API gateway sends a sideband request to PingAccess. 3. PingAccess evaluates the request and sends a response to the API gateway. 4. The API gateway analyzes the response from PingAccess to determine whether the request should be forwarded to the API and, if so, whether any modifications should be made to the request. If the request is denied, PingAccess includes directives to influence how the API gateway responds to the HTTP Client. 5. The API sends an outbound response to the API gateway. 6. The API gateway passes the response to PingAccess for processing. 7. PingAccess sends a response to the API gateway. 8. The API gateway processes the response from PingAccess. If modifications should be made, the response to the HTTP client includes directives for modifying the response. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Review the following usage considerations before setting up the Kong plugin:- Mutual TLS (mTLS) This plugin supports client certificate authentication using mTLS. However, this feature requires using the `mtls-auth` plugin (only available in the Enterprise edition of Kong) in conjunction with `ping-auth`. Learn more in the [Kong mTLS-auth documentation](https://docs.konghq.com/hub/kong-inc/mtls-auth/). When configured, the `mtls-auth` plugin uses the mTLS process to retrieve the client certificate, which allows `ping-auth` to provide the certificate in the `client_certificate` field of the sideband requests. - Transfer-encoding Because of an outstanding defect in Kong, `ping-auth` is unable to support the `Transfer-Encoding` header, regardless of the value. - Logging limit Because of OpenResty's log level limit, log messages are limited to 2048 bytes by default, which is less than the size of many requests and responses. Learn more in the [OpenResty reference documentation](https://openresty-reference.readthedocs.io/en/latest/Lua_Nginx_API/#ngxlog). - HTTP/2 The Kong Gateway integration does not support HTTP/2. | To set up the Kong Gateway integration: 1. [Configure a sideband client in PingAccess to create a shared secret for Kong Gateway](pa_configuring_pa_for_kong_gateway_integration.html). 2. [Configure the `ping-auth` plugin in Kong Manager](pa_configuring_kong_gateway.html). 3. [Create a PingAccess application for the protected API and verify the connection between PingAccess and Kong Gateway](pa_verifying_the_connection.html).