Instead of managing access control directly in Kong Gateway, you'll use an API service in PingOne to manage access control rules. PingOne, working with the authorization plugin, uses OAuth best practices to simplify management of API access control across these distributed systems.

You’ll define the Meme Game API in PingOne so that PingOne recognizes requests for this API and instructs Kong Gateway to protect access from unauthorized clients and allow access only from authorized clients.

  1. In PingOne, go to Authorization > API Services.
  2. Click the + icon next to API Services to add an API service.
  3. For the service Name, enter Meme Game.
  4. For Base URLs, enter https://localhost:8443/meme-game.

    If you’re not running on localhost, use your docker-machine name in the URL instead of localhost. If you customized the ports, use the port for your environment instead of the default.

    Screen capture of the New API Service window showing the Name, Base URLs, and Decision Endpoint fields, and the directory and token source.
  5. For the directory and token source, select PingOne SSO, if it is not already selected.

    This default option enables PingOne to manage user directory services and access token validation for the API service.


    After you save the API service, you can't change this setting. If you want to switch to using external directory services, you must add a new API service configured with the External Services setting.

  6. For the PingOne Resource, keep the default option to automatically create a PingOne resource.

    The resource establishes a relationship between the API service and PingOne in order to manage access token configuration. Resources created automatically will have the same name as the API service.

  7. Select the Enable Custom Policies check box.

    This will generate a policy tree for the API service, enabling you to create your own fine-grained authorization policies for the APIs managed by this API service. You’ll add a custom policy in a later tutorial.


    After you save the API service, you can't change this setting.

  8. Click Save.

    A corresponding Meme Game resource is successfully created.

  9. To deploy the API service, click Deploy.

    This creates a system-owned decision endpoint dedicated to the API service. This decision endpoint has the same name as the API service. Future deployments will publish any updates to the policy tree. PingOne is now configured to recognize the Meme Game API. Keep the API service open in PingOne. You’ll need it in the next task.

    Try the Postman request again to see if your banking application can get memes.

  10. In Postman, select the Get all memes by user.0 request and click Send.

    You get a 401 Unauthorized error this time. That’s because the access token is for your banking service, not the Meme Game.

    Not getting the right results? See Viewing API Access Management events in your PingOne environment audit log.

Access to the Meme Game through Kong Gateway is now protected by PingOne, so unauthorized clients can’t access the game.

Create an application in PingOne that can access the Meme Game.