Instead of managing access control directly in Kong Gateway, you'll use an API service in PingOne to manage access control rules. PingOne, working with the authorization plugin, uses the best practices of OAuth and OIDC to make it simple for you to manage API access control across these distributed systems.

You’ll define the Meme Game API in PingOne so PingOne recognizes requests for this API and instructs Kong Gateway to protect access from unauthorized clients and allow access only from authorized clients.

  1. In PingOne, go to Authorize > API Services.
  2. Click the + icon next to API Services to add an API service.
  3. For the service Name, enter Meme Game.
  4. For Base URLs, enter the following URL:

    If you’re not running on localhost, use your docker-machine name in the URL instead of localhost. If you customized the ports, use the port for your environment instead of the default.

    Screen capture of the New API Service window showing the Name, Base URLs, and Decision Endpoint fields, and the directory and token source.
  5. For the Decision Endpoint, select the DEV endpoint.

    The decision endpoint determines where custom policies for this API service, and for any custom operations under this API service, will be published. You’ll use this in a later tutorial.

  6. For the directory and token source, click PingOne SSO, if it is not already selected.

    This default option enables PingOne to manage user directory services and access token validation for the API service.


    After you save the API service, you can't change this setting. To switch to using external directory services, you would have to add a new API service configured with the External Services setting.

  7. Click Save.
  8. When the corresponding resource is successfully created, click Done.

    PingOne is configured to recognize the Meme Game API. Keep the API service open in PingOne. You’ll need it in the next task.

    Try the Postman request again to see if your banking application can get memes.

  9. In Postman, select the Get all memes by user.0 request and click Send.

    You get a 401 Unauthorized error this time. That’s because the access token is for your banking service, not the Meme Game.

    Not getting the right results? See Viewing API Access Management events in your PingOne environment audit log.

Access to the Meme Game through Kong Gateway is now protected by PingOne, so unauthorized clients can’t access the game.

Create an application in PingOne that can access the Meme Game.