Integration with Kong Gateway allows PingAccess to handle the complexities of the OAuth and OpenID Connect (OIDC) protocols, making it easier to manage access control in your API. Rather than making access control configurations repeatedly, install and configure the Kong plugin once and manage your access control rules in PingAccess.

The following diagram shows how traffic flows through Kong Gateway and PingAccess.

[Diagram: traffic flow between the HTTP client, the API gateway, PingAccess, and the API; the numbered arrows 1 to 8 correspond to the steps listed below.]
  1. The HTTP client sends an inbound request to the API gateway.
  2. The API gateway sends a sideband request to PingAccess.
  3. PingAccess evaluates the request and sends a response to the API gateway.
  4. The API gateway analyzes the response from PingAccess to determine whether the request should be allowed through to the API and, if so, whether the request should be modified. If the request is denied, PingAccess includes directives that influence how the API gateway responds to the HTTP client.
  5. The API sends an outbound response to the API gateway.
  6. The API gateway passes the response to PingAccess for processing.
  7. PingAccess sends a response to the API gateway.
  8. The API gateway processes the response from PingAccess. This will include directives for how to modify the response to the HTTP client if any modifications should be made.
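The eight steps above, simulated end to end as an added example that is not part of the ping-auth plugin or PingAccess: a mock gateway builds a sideband request (including the client_certificate field the mTLS note below refers to), a mock PingAccess policy engine returns allow/deny directives for the request and header-rewrite directives for the response, and the gateway applies them. The JSON message shapes, directive names, token store and policy rules are constructed assumptions for illustration only, not the real PingAccess sideband contract.

```python
"""Simulation of the gateway <-> PingAccess sideband flow (steps 1 to 8).
Message shapes, directive names and the policy rules are constructed for
this example; they are NOT PingAccess's actual sideband API."""
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpMessage:
    """Minimal HTTP request/response container used by the simulation."""
    headers: dict = field(default_factory=dict)
    body: str = ""
    method: str = "GET"
    path: str = "/"
    status: int = 200


# ---- PingAccess side: mock policy engine (constructed rules) ----
VALID_TOKENS = {"tok-alice": "alice"}  # constructed sample token store


def pingaccess_evaluate_request(sideband: dict) -> dict:
    """Step 3: evaluate the gateway's sideband request and return directives.
    The directive shape ({"action", "status", "headers", ...}) is an
    assumption of this example."""
    headers = {k.lower(): v for k, v in sideband["headers"].items()}
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    subject = VALID_TOKENS.get(token)
    if subject is None:
        # Deny: directives tell the gateway how to answer the HTTP client (step 4)
        return {"action": "deny", "status": 401,
                "headers": {"WWW-Authenticate": 'Bearer realm="api"'},
                "body": json.dumps({"error": "unauthorized"})}
    # Allow: inject the authenticated identity; note when a client cert was supplied
    added = {"X-Subject": subject}
    if sideband.get("client_certificate"):
        added["X-Client-Cert-Present"] = "true"
    return {"action": "allow", "add_request_headers": added}


def pingaccess_evaluate_response(sideband: dict) -> dict:
    """Step 7: return directives for modifying the API response (step 8)."""
    strip = [h for h in sideband["headers"] if h.lower().startswith("x-internal")]
    return {"remove_response_headers": strip,
            "add_response_headers": {"Cache-Control": "no-store"}}


# ---- API side: mock backend ----
def backend_api(req: HttpMessage) -> HttpMessage:
    """Step 5: the protected API answers, leaking an internal header."""
    who = req.headers.get("X-Subject", "anonymous")
    return HttpMessage(headers={"Content-Type": "application/json",
                                "X-Internal-Node": "api-7"},
                       body=json.dumps({"hello": who}))


# ---- Gateway side: the plugin's role in the flow ----
def gateway_handle(req: HttpMessage, client_certificate: Optional[str] = None) -> HttpMessage:
    # Step 1: inbound request received. Step 2: build the sideband request;
    # client_certificate would come from the mtls-auth plugin when configured.
    sideband_req = {"method": req.method, "path": req.path,
                    "headers": dict(req.headers), "body": req.body,
                    "client_certificate": client_certificate}
    decision = pingaccess_evaluate_request(sideband_req)  # step 3

    # Step 4: apply PingAccess's directives to the request
    if decision["action"] == "deny":
        return HttpMessage(status=decision["status"], headers=decision["headers"],
                           body=decision["body"])
    req.headers.update(decision.get("add_request_headers", {}))

    resp = backend_api(req)  # step 5

    # Step 6: hand the response to PingAccess; step 7: receive directives
    directives = pingaccess_evaluate_response(
        {"status": resp.status, "headers": dict(resp.headers), "body": resp.body})

    # Step 8: modify the response before it reaches the HTTP client
    for h in directives.get("remove_response_headers", []):
        resp.headers.pop(h, None)
    resp.headers.update(directives.get("add_response_headers", {}))
    return resp


if __name__ == "__main__":
    ok = gateway_handle(HttpMessage(headers={"Authorization": "Bearer tok-alice"}, path="/orders"))
    print(ok.status, ok.headers, ok.body)
    denied = gateway_handle(HttpMessage(headers={}, path="/orders"))
    print(denied.status, denied.headers, denied.body)
```

Two points the simulation makes concrete: on a deny, the gateway never contacts the API and answers the client purely from PingAccess's directives, and on the response leg PingAccess can strip headers the backend should not expose, which is why both legs (steps 2 and 6) go through the sideband.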

The following are important usage notes for anyone trying to use the Kong plugin:

Mutual TLS (mTLS)
This plugin supports client certificate authentication using mTLS; however, this feature requires using the mtls-auth plugin (only available in the Enterprise edition of Kong) in conjunction with ping-auth. For more information, see the Kong mTLS-auth documentation. When configured, this plugin uses the mTLS process to retrieve the client certificate, which allows ping-auth to provide the certificate in the client_certificate field of the sideband requests.

Transfer-Encoding header
Because of an outstanding defect in Kong, ping-auth is unable to support the Transfer-Encoding header, regardless of its value.

Logging limit
Because of OpenResty's log level limit, log messages are limited to 2048 bytes by default, which is less than the size of many requests and responses. For more information, see the OpenResty reference documentation.

HTTP/2
Kong Gateway does not support HTTP/2.