--- title: Troubleshooting Kong Gateway integration with PingOne Authorize description: The following resources can help you solve issues with the Kong Gateway integration for PingOne Authorize. component: pingone page_id: pingone:authorization_using_pingone_authorize:p1az_troubleshooting_kong_integration canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_troubleshooting_kong_integration.html revdate: July 3, 2024 section_ids: solutions: Solutions api-client-http-5xx-errors: API client HTTP 5xx errors api-client-http-4xx-errors: API client HTTP 4xx errors section_dpw_v3p_ftb: Troubleshooting resources enabling_error_logging_in_kong_gateway: Enabling error logging in Kong Gateway enabling-debug-logging-for-the-kong-gateway-plugin: Enabling debug logging for the Kong Gateway plugin --- # Troubleshooting Kong Gateway integration with PingOne Authorize The following resources can help you solve issues with the Kong Gateway integration for PingOne Authorize. ## Solutions ### API client HTTP 5xx errors * Likely cause Kong Gateway might return `HTTP 502` when there is misconfiguration or miscommunication between the Ping Identity plugin for Kong Gateway and the HTTP Access Policy Service in PingOne Authorize. * How to troubleshoot The plugin for Kong Gateway logs warning messages to the Kong Gateway error log when it encounters problems communicating with PingOne Authorize. For more information, see [Troubleshooting resources](#section_dpw_v3p_ftb). * Details If the shared secret value doesn't match the API gateway credential in PingOne Authorize, the Kong error log message might indicate that the plugin received an `HTTP 401` error from PingOne Authorize, which is translated to a 5xx error sent to the API client. For example: ``` 2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: is_failed_request(): [ping-auth] Sideband request denied with status code 401: The Gateway Token is invalid ``` If the service URL value doesn't match the service URL in PingOne Authorize, the Kong error log message might indicate that the plugin received an invalid response from the server. For example: ``` 2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: handle_response(): [ping-auth] Unable to parse JSON body returned from policy provider. Error: Expected value but found T_END at character 1 ``` If the request body exceeds Kong's default buffer size limit of 8 KB, the Kong error log message might indicate that the plugin received an invalid response from the upstream server. For example: ``` "code" : "Bad Request", "message" : "Missing expected request body." ``` * How to fix Check the settings for **Shared Secret** and **Service URL** to ensure that they match your PingOne Authorize environment. If necessary, go to **Authorization > API Gateways** and generate a new credential, then copy the value to the shared secret setting in the Kong Gateway plugin configuration. If the request body is missing, check the `nginx_http_client_body_buffer_size` setting in `kong.conf` and increase its value to accommodate your maximum expected request body size. Learn more in [nginx\_http\_client\_body\_buffer\_size](https://docs.konghq.com/gateway/latest/reference/configuration/#nginx_http_client_body_buffer_size). ### API client HTTP 4xx errors * Likely causes The API gateway might return 4xx errors to API clients in these situations: * PingOne cannot match an API client's request to any of the Base URLs configured for an API service. * The API client's request cannot be authenticated or doesn't satisfy basic access control checks for an API service. * The API client's request doesn't satisfy access control rules configured for the API service or its API Operations in PingOne Authorize. * How to troubleshoot Learn more about troubleshooting in [Viewing API Access Management events in your PingOne environment audit log](p1az_aam_troubleshooting_api_access_management.html#trouble-audit-log). ## Troubleshooting resources ### Enabling error logging in Kong Gateway 1. To view error log messages, configure Kong error logging. For more information, see the Kong Gateway [Logging Reference](https://docs.konghq.com/gateway/2.8.x/configure/logging/) documentation. For example, in a Docker environment, you can use the environment variable `KONG_PROXY_ERROR_LOG=/dev/stderr` to send the error log to the container console. This is the default setting in the [API Access Management tutorials](p1az_aam_tutorial_manage_api_access.html) environment. 2. View the Kong Gateway error log. For example, in Docker: ```shell docker-compose logs kong --follow ``` ### Enabling debug logging for the Kong Gateway plugin Ping Identity Support might ask you to enable debug logging for the Kong Gateway integration kit. Changing these settings logs the full authorization request and response between the plugin in Kong Gateway and PingOne Authorize. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------ | | | This could log sensitive and personally identifiable information (PII). Enable debug logging only when troubleshooting and disable it afterward. | 1. Enable error logging in Kong Gateway. See step 1 in [Enabling error logging in Kong Gateway](#enabling_error_logging_in_kong_gateway). 2. To view debug messages, configure Kong error log verbosity. For more information, see the Kong Gateway [Logging Reference](https://docs.konghq.com/gateway/2.8.x/configure/logging/) documentation. For example, in a Docker environment, you can use the environment variable `KONG_LOG_LEVEL=debug` to set the verbosity. 3. To enable debug logging, edit settings for the `ping-auth` plugin and select the **Config.Enable Debug Logging** check box. 4. View the Kong Gateway error log. For example, in Docker: ```shell docker-compose logs kong --follow ``` 5. Look for messages that contain `ping-auth`. For example: ``` [ping-auth] Sending sideband request to policy provider ```