PingAuthorize

Troubleshooting the Kong Gateway integration

Consult the following sections to troubleshoot issues with the Kong Gateway integration with PingAuthorize:

Troubleshooting API client HTTP 5xx errors

About this task

Kong Gateway might return HTTP 502 when there is a misconfiguration or miscommunication between the Ping Identity plugin for Kong Gateway and PingAuthorize Server.

The plugin for Kong Gateway logs warning messages to the Kong Gateway error log when it encounters problems communicating with PingAuthorize.

For more information, see Enabling error logging in Kong Gateway.

Steps

  1. Check the ping-auth shared secret value in Kong Gateway to confirm it matches your PingAuthorize environment.

    Example:

    If the ping-auth Config.Shared Secret value doesn’t match the PingAuthorize sideband client’s shared secret value, the Kong error log message might indicate that the plugin received an HTTP 401 error from PingAuthorize, which gets translated to a 5xx error sent to the API client. For example:

    2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: is_failed_request(): [ping-auth] Sideband request denied with status code 401: The Gateway Token is invalid

    1. If there is a shared secret mismatch, go to Configuration → Web Services and Applications → Sideband API Shared Secrets in the PingAuthorize administrative console.

    2. Update the shared secret value for PingAuthorize.

    3. Copy the value to the Config.Shared Secret field in the Kong Gateway ping-auth plugin configuration.

  2. Check the ping-auth Config.Service URL value in Kong Gateway to confirm that it matches your PingAuthorize environment.

    Example:

    If the Config.Service URL value doesn’t contain the hostname and HTTPS Connection Handler port configured for your PingAuthorize server, the Kong error log message might indicate that the plugin received an invalid response from the server. For example:

    2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: handle_response(): [ping-auth] Unable to parse JSON body returned from policy provider. Error: Expected value but found T_END at character 1

    1. If necessary, confirm that the values entered in the Config.Service Url field of the ping-auth plugin in Kong Gateway correspond to the hostname and HTTPS Connection Handler port of your PingAuthorize server.

      You can find this port number in the PingAuthorize administrative console by going to Configuration → System → Connection Handlers.

    2. Update any mismatched values in Config.Service Url.
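
The two checks above can be run against a captured error log. The following script is an added example, not part of the Ping Identity plugin or this documentation's own tooling: it picks out ping-auth entries and maps the two messages shown above to the setting to verify. The function names, the cause labels, the `kong_1  | ` prefix, and the third sample line are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter

# Error log layout as shown in the two samples on this page:
# <date> <time> [<level>] <pid>#<tid>: *<conn> [lua] <file>:<line>: <func>(): [ping-auth] <message>
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r".*?\[ping-auth\] (?P<msg>.*)")

# Message text from the page's log samples, mapped to the setting the steps say to check.
CAUSES = [
    (re.compile(r"Sideband request denied with status code 401"), "shared-secret",
     "compare Config.Shared Secret with the PingAuthorize sideband API shared secret"),
    (re.compile(r"Unable to parse JSON body returned from policy provider"), "service-url",
     "compare Config.Service URL with the hostname and HTTPS Connection Handler port"),
]

# First two messages are copied from this page; the "kong_1  | " prefix (as a
# compose log reader might add) and the third line are constructed.
SAMPLE = [
    "kong_1  | 2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: "
    "is_failed_request(): [ping-auth] Sideband request denied with status code 401: "
    "The Gateway Token is invalid",
    "kong_1  | 2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: "
    "handle_response(): [ping-auth] Unable to parse JSON body returned from policy "
    "provider. Error: Expected value but found T_END at character 1",
    "kong_1  | 2022/03/28 16:19:50 [notice] 1#0: constructed line from another component",
]

def triage(lines):
    """Return (timestamp, level, cause, advice) for every ping-auth log entry."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)   # search, not match: tolerate a log-reader prefix
        if not m:
            continue               # not written by the ping-auth plugin
        cause, advice = "other", "read the full message text"
        for pattern, name, hint in CAUSES:
            if pattern.search(m["msg"]):
                cause, advice = name, hint
                break
        findings.append((m["ts"], m["level"], cause, advice))
    return findings

def summarize(findings):
    """Count findings per cause so a repeated mismatch stands out."""
    return Counter(cause for _, _, cause, _ in findings)

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin  # pipe a log in, or use the sample
    for ts, level, cause, advice in triage(source):
        print(f"{ts} [{level}] {cause}: {advice}")
```

Pipe the output of the log command from Enabling error logging in Kong Gateway into the script to triage a live deployment; with no piped input it runs on the embedded sample.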

API client HTTP 4xx errors

The API gateway could return 4xx errors to API clients in these situations:

  • PingAuthorize cannot match an API client’s request to any of the base paths configured for a sideband API endpoint.

  • The API client’s request cannot be authenticated for a sideband API endpoint.

For more information, see Diagnostic and decision data.

Enabling error logging in Kong Gateway

Steps

  1. To view error log messages, configure Kong Gateway error logging.

    For more information on log levels, see the Kong Gateway Logging Reference documentation.

    Example:

    For example, in a Docker environment, you can set the environment variable KONG_PROXY_ERROR_LOG to /dev/stderr to send the error log to the container console.

  2. View the Kong Gateway error log.

    Example:

    For example, in a Docker deployment, you can use the docker-compose logs kong --follow command.

Enabling debug logging for the Kong Gateway plugin

About this task

Ping Identity Support might ask you to enable debug logging for the Kong Gateway integration kit. Changing these settings logs the full authorization request and response between the ping-auth plugin in Kong Gateway and PingAuthorize.

This could log sensitive and personally identifiable information (PII). Enable debug logging only when troubleshooting and disable it afterward.

Steps

  1. Enable error logging in Kong Gateway.

  2. To view debug messages, configure Kong error log verbosity.

    For more information, see the Kong Gateway Logging Reference documentation.

    Example:

    For example, in a Docker environment, you can set the environment variable KONG_LOG_LEVEL to debug to set the verbosity.

  3. To enable debug logging, edit settings for the ping-auth plugin and select the Config.Enable Debug Logging check box.

  4. View the Kong Gateway error log.

    Example:

    For example, in a Docker deployment, you can use the docker-compose logs kong --follow command.

  5. Look for messages containing ping-auth.

    Example:

    A typical log message looks like: [ping-auth] Sending sideband request to policy provider.