Troubleshooting Kong Gateway integration with PingOne Authorize
The following resources can help you solve issues with the Kong Gateway integration for PingOne Authorize.
Solutions
API client HTTP 5xx errors
- Likely cause
Kong Gateway might return HTTP 502 when there is misconfiguration or miscommunication between the Ping Identity plugin for Kong Gateway and the HTTP Access Policy Service in PingOne Authorize.
- How to troubleshoot
The plugin for Kong Gateway logs warning messages to the Kong Gateway error log when it encounters problems communicating with PingOne Authorize. For more information, see Troubleshooting resources.
- Details
If the shared secret value doesn’t match the API Gateway credential in PingOne Authorize, the Kong error log message might indicate that the plugin received an HTTP 401 error from PingOne Authorize, which is translated to a 5xx error sent to the API client. For example:
2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: is_failed_request(): [ping-auth] Sideband request denied with status code 401: The Gateway Token is invalid
If the service URL value doesn’t match the service URL in PingOne Authorize, the Kong error log message might indicate that the plugin received an invalid response from the server. For example:
2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: handle_response(): [ping-auth] Unable to parse JSON body returned from policy provider. Error: Expected value but found T_END at character 1
If the request body exceeds Kong’s default buffer size limit of 8 KB, the Kong error log message might indicate that the plugin received an invalid response from the upstream server. For example:
"code" : "Bad Request", "message" : "Missing expected request body."
- How to fix
Check the settings for Shared Secret and Service URL to ensure that they match your PingOne Authorize environment. If necessary, go to Authorization > API Gateways and generate a new credential, then copy the value to the shared secret setting in the Kong Gateway plugin configuration.
If the request body is missing, check the nginx_http_client_body_buffer_size setting in kong.conf and increase its value to accommodate your maximum expected request body size. Learn more in nginx_http_client_body_buffer_size.
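The three log signatures described above can be sorted into their likely causes mechanically. The following Python script is an added example, not part of the Ping Identity plugin or Kong Gateway; the cause names, the hint strings, and the container-name prefix in the sample are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Signatures are the sample messages on this page; hints paraphrase its fixes.
RULES = {
    "shared_secret": ("Sideband request denied with status code 401",
                      "Shared Secret does not match the API Gateway credential"),
    "service_url": ("Unable to parse JSON body returned from policy provider",
                    "Service URL does not match the one in PingOne Authorize"),
    "body_buffer": ("Missing expected request body",
                    "raise nginx_http_client_body_buffer_size in kong.conf"),
}
# nginx timestamp; searched, not anchored, since docker-compose prefixes lines.
TIMESTAMP = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def classify(line):
    """Return (cause, hint, timestamp-or-None) for a known signature, else None."""
    for cause, (signature, hint) in RULES.items():
        if signature in line:
            ts = TIMESTAMP.search(line)
            return cause, hint, ts.group(0) if ts else None
    return None


def triage(lines):
    """Count each cause and keep the first timestamp at which it appeared."""
    counts, first_seen = Counter(), {}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
            first_seen.setdefault(hit[0], hit[2])
    return counts, first_seen


# Constructed sample: this page's messages; the "kong_1  | " prefix is assumed.
SAMPLE = [
    "kong_1  | 2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: is_failed_request(): [ping-auth] Sideband request denied with status code 401: The Gateway Token is invalid",
    "2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: handle_response(): [ping-auth] Unable to parse JSON body returned from policy provider. Error: Expected value but found T_END at character 1",
    '"code" : "Bad Request", "message" : "Missing expected request body."',
    "[ping-auth] Sending sideband request to policy provider",
]

if __name__ == "__main__":
    counts, first_seen = triage(SAMPLE if sys.stdin.isatty() else sys.stdin)
    for cause, n in counts.most_common():
        print(f"{n:5d}  {cause:14s} first={first_seen[cause]}  fix: {RULES[cause][1]}")
```

Run without input, the script processes the embedded sample; with the Kong error log piped to standard input, it processes that instead.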
API client HTTP 4xx errors
- Likely causes
The API gateway might return 4xx errors to API clients in these situations:
  - PingOne cannot match an API client’s request to any of the Base URLs configured for an API service.
  - The API client’s request cannot be authenticated or doesn’t satisfy basic access control checks for an API service.
  - The API client’s request doesn’t satisfy access control rules configured for the API service or its API Operations in PingOne Authorize.
- How to troubleshoot
For more information, see Viewing API Access Management events in your PingOne environment audit log.
Troubleshooting resources
Enabling error logging in Kong Gateway
1. To view error log messages, configure Kong error logging.
   For more information, see the Kong Gateway Logging Reference documentation.
   For example, in a Docker environment, you can use the environment variable KONG_PROXY_ERROR_LOG=/dev/stderr to send the error log to the container console. This is the default setting in the API Access Management tutorials environment.
2. View the Kong Gateway error log.
   For example, in Docker:
   docker-compose logs kong --follow
Enabling debug logging for the Kong Gateway plugin
Ping Identity Support might ask you to enable debug logging for the Kong Gateway integration kit. Changing these settings logs the full authorization request and response between the plugin in Kong Gateway and PingOne Authorize.
This could log sensitive and personally identifiable information (PII). Enable debug logging only when troubleshooting and disable it afterward.
1. Enable error logging in Kong Gateway. See step 1 in Enabling error logging in Kong Gateway.
2. To view debug messages, configure Kong error log verbosity.
   For more information, see the Kong Gateway Logging Reference documentation.
   For example, in a Docker environment, you can use the environment variable KONG_LOG_LEVEL=debug to set the verbosity.
3. To enable debug logging, edit settings for the ping-auth plugin and select the Config.Enable Debug Logging check box.
4. View the Kong Gateway error log.
   For example, in Docker:
   docker-compose logs kong --follow
5. Look for messages that contain ping-auth. For example:
   [ping-auth] Sending sideband request to policy provider