Ping Identity provides a Kong Gateway integration that enables PingAccess (and other Ping Identity products) to be used for policy decisions.
Integrating with Kong Gateway lets PingAccess handle the complexities of the OAuth and OpenID Connect (OIDC) protocols, making it easier to manage access control for your APIs. Rather than configuring access control separately for each API, install and configure the Kong plugin once and manage your access control rules in PingAccess.
The following diagram shows how traffic flows through Kong Gateway and PingAccess.
- The HTTP client sends an inbound request to the API gateway.
- The API gateway sends a sideband request to PingAccess.
- PingAccess evaluates the request and sends a response to the API gateway.
- The API gateway analyzes the response from PingAccess to determine whether the request should be forwarded to the API and, if so, whether the request should be modified first. If the request is denied, the PingAccess response includes directives that control how the API gateway responds to the HTTP client.
- The API sends an outbound response to the API gateway.
- The API gateway passes the response to PingAccess for processing.
- PingAccess sends a response to the API gateway.
- The API gateway processes the response from PingAccess, which includes directives for how to modify the response to the HTTP client, if any modifications should be made.
The following are important usage notes for anyone using the Kong plugin:
- Mutual TLS (mTLS): This plugin supports client certificate authentication using mTLS, but the feature requires using the mtls-auth plugin (only available in the Enterprise edition of Kong) in conjunction with ping-auth. For more information, see the Kong mTLS-auth documentation. When configured, the mtls-auth plugin performs the mTLS handshake and retrieves the client certificate, which allows ping-auth to provide the certificate in the client_certificate field of the sideband requests.
- Transfer-Encoding: Because of an outstanding defect in Kong, ping-auth is unable to support the Transfer-Encoding header, regardless of its value.
- Logging limit: Because of OpenResty's log line length limit, log messages are truncated at 2048 bytes by default, which is shorter than many requests and responses. For more information, see the OpenResty reference documentation.
- HTTP/2: The Kong Gateway does not support HTTP/2.
Setting up Kong Gateway
Download, install, and configure the ping-auth plugin to set up Kong Gateway with PingAccess.
- Install and start Kong Gateway. For more information, see the Kong Gateway documentation.
- Install and start PingAccess. For more information, see Installing and Uninstalling PingAccess.
- Verify that the sideband.http.enabled property is set to true in the PingAccess configuration file. See the Configuration file reference for more information.
To configure the ping-auth plugin in Kong to set up a connection between PingAccess and Kong Gateway:
Setting up Kong Gateway using the API
- Install and start Kong Gateway. For more information, see the Kong Gateway documentation.
- Install and start PingAccess. For more information, see Installing and Uninstalling PingAccess.
To configure the ping-auth plugin in Kong to set up a connection between PingAccess and Kong Gateway:
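As an added example, not code from Ping Identity or Kong, the following script carries out the Admin API side of this procedure: it first checks that sideband.http.enabled is true in the PingAccess configuration file, then registers a Service, a Route, and the ping-auth plugin through the Kong Admin API. Everything not stated on this page is an assumption: the Admin API address (localhost:8001), the PingAccess sideband listener URL, the run.properties path, the upstream API URL, and the plugin configuration keys (service_url, shared_secret, secret_header_name, connection_timeout_ms, verify_service_certificate), which are taken from the ping-auth listing on Kong Hub and should be checked against the plugin version you install.

```shell
#!/bin/sh
# Added example (not Ping Identity's or Kong's own code): configure ping-auth on
# Kong Gateway through the Admin API. Assumed, not from the page: the Admin API
# address, PA_SIDEBAND_URL, the run.properties path, UPSTREAM_URL, and the
# plugin config keys as published for ping-auth on Kong Hub.
set -eu

KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"
PA_SIDEBAND_URL="${PA_SIDEBAND_URL:-https://pingaccess.example.com:3000}"
PA_RUN_PROPERTIES="${PA_RUN_PROPERTIES:-/opt/pingaccess/conf/run.properties}"
UPSTREAM_URL="${UPSTREAM_URL:-http://api.internal:8080}"

# PingAccess only answers sideband requests when sideband.http.enabled=true.
# Ignores commented-out lines; returns 0 when enabled, 1 otherwise.
sideband_enabled() {
    grep -Eq '^[[:space:]]*sideband\.http\.enabled[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# 32 random bytes as 64 hex characters. The same value must be configured as the
# sideband client shared secret in PingAccess, or every sideband call is rejected.
gen_shared_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# JSON body registering the plugin. verify_service_certificate stays true so the
# gateway refuses to send request data to a spoofed PingAccess endpoint.
ping_auth_plugin_body() {
    # $1 = PingAccess sideband URL, $2 = shared secret
    printf '{"name":"ping-auth","config":{"service_url":"%s","shared_secret":"%s","secret_header_name":"CLIENT-TOKEN","connection_timeout_ms":10000,"verify_service_certificate":true}}' "$1" "$2"
}

# Admin API helper: POST a JSON body and fail on any non-2xx status.
kong_post() {
    # $1 = Admin API path, $2 = JSON body
    curl -sS --fail -X POST "$KONG_ADMIN$1" -H 'Content-Type: application/json' -d "$2"
}

setup_gateway() {
    if ! sideband_enabled "$PA_RUN_PROPERTIES"; then
        echo "sideband.http.enabled is not true in $PA_RUN_PROPERTIES; enable it and restart PingAccess" >&2
        return 1
    fi
    secret="$(gen_shared_secret)"
    # 1. The upstream API as a Kong Service.
    kong_post /services "{\"name\":\"orders-api\",\"url\":\"$UPSTREAM_URL\"}"
    # 2. A Route on that Service.
    kong_post /services/orders-api/routes '{"name":"orders-route","paths":["/orders"]}'
    # 3. ping-auth scoped to the Service, so every request on it is sent to PingAccess.
    kong_post /services/orders-api/plugins "$(ping_auth_plugin_body "$PA_SIDEBAND_URL" "$secret")"
    echo "configure this shared secret on the PingAccess sideband client: $secret"
}

# Only touch the Admin API when explicitly asked, so the functions above can be
# sourced and checked without a running gateway.
if [ "${1:-}" = "apply" ]; then
    setup_gateway
fi
```

Run it as `sh setup-ping-auth.sh apply` once Kong and PingAccess are up. Scoping the plugin to the Service rather than creating it globally keeps unrelated routes out of the PingAccess policy path; use `POST /plugins` instead if every route on the gateway should be evaluated. The secret is passed on the curl command line and echoed to stdout only for illustration; in a real deployment inject it from a secret store and avoid leaving it in shell history or process listings.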
Creating an API application
To verify the connection by making an end-to-end request: