Tutorial 1: Controlling access to APIs managed by an API service

Learn how to set up API Access Management in PingOne Authorize to provide protection and access control for APIs managed by an API service.

Imagine you’re the publisher of Meme Game, an online game in which players compete with their friends to craft the funniest meme. You need to protect the APIs that compose the game so that only your browser-based client or mobile game client can access the APIs and other clients don’t have access.

To do this, you’ll configure applications and access control rules in PingOne and an authorization plugin for Kong Gateway. The plugin works with PingOne to handle the complexities of the OAuth and OpenID Connect protocols, making it easier for you to manage API access control across these systems.

What you’ll learn

You’ll learn how to:

Configure the authorization plugin for Kong Gateway to connect the gateway to PingOne
Create applications and managed API services in PingOne
Configure which applications are authorized to connect to managed API services
Demonstrate that only authorized clients are able to access the Meme Game APIs

What you’ll do

Follow these steps to complete the tutorial:

Set up your tutorial environment. The environment includes Kong Gateway configured to proxy REST API requests to the Meme Game API.
Configure an application that doesn’t have access to the Meme Game API and get an access token for the application.
Configure the authorization plugin for Kong Gateway.
Define a managed API service so that PingOne can help the API gateway enforce access control.
Set up another application that has access to the Meme Game API.