Solutions

API client HTTP 5xx errors

Likely cause

Kong Gateway might return HTTP 502 when there is misconfiguration or miscommunication between the Ping Identity plugin for Kong Gateway and the HTTP Access Policy Service in PingOne Authorize.

How to troubleshoot

The plugin for Kong Gateway logs warning messages to the Kong Gateway error log when it encounters problems communicating with PingOne Authorize. For more information, see Enabling error logging in Kong Gateway.

Details

If the shared secret value doesn’t match the API Gateway credential in PingOne Authorize, the Kong error log message might indicate that the plugin received an HTTP 401 error from PingOne Authorize, which is translated to a 5xx error sent to the API client. For example:

2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: is_failed_request(): [ping-auth] Sideband request denied with status code 401: The Gateway Token is invalid

If the service URL value doesn’t match the service URL in PingOne Authorize, the Kong error log message might indicate that the plugin received an invalid response from the server. For example:

2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: handle_response(): [ping-auth] Unable to parse JSON body returned from policy provider. Error: Expected value but found T_END at character 1
How to fix

Check the settings for Shared Secret and Service URL to ensure that they match your PingOne Authorize environment. If necessary, go to Authorization > API Gateways and generate a new credential, then copy the value to the shared secret setting in the Kong Gateway plugin configuration.

API client HTTP 4xx errors

Likely causes

The API gateway might return 4xx errors to API clients in these situations:

  • PingOne cannot match an API client’s request to any of the Base URLs configured for an API service.
  • The API client’s request cannot be authenticated or doesn't satisfy basic access control checks for an API service.
  • The API client’s request doesn’t satisfy access control rules configured for the API service or its API Operations in PingOne Authorize.
How to troubleshoot

For more information, see Viewing API Access Management events in your PingOne environment audit log.

Troubleshooting resources

Enabling error logging in Kong Gateway

  1. To view error log messages, configure Kong error logging.

    For more information, see the Kong Gateway Logging Reference documentation.

    For example, in a Docker environment, you can use the environment variable KONG_PROXY_ERROR_LOG=/dev/stderr to send the error log to the container console. This is the default setting in the API Access Management tutorials environment.

  2. View the Kong Gateway error log.
    For example, in Docker:
    docker-compose logs kong --follow

Enabling debug logging for the Kong Gateway plugin

Ping Identity Support might ask you to enable debug logging for the Kong Gateway integration kit. Changing these settings logs the full authorization request and response between the plugin in Kong Gateway and PingOne Authorize.

Warning:

This could log sensitive and personally identifiable information (PII). Enable debug logging only when troubleshooting and disable it afterward.

  1. Enable error logging in Kong Gateway. See step 1 above.
  2. To view debug messages, configure Kong error log verbosity.

    For more information, see the Kong Gateway Logging Reference documentation.

    For example, in a Docker environment, you can use the environment variable KONG_LOG_LEVEL=debug to set the verbosity.

  3. To enable debug logging, edit settings for the ping-auth plugin and select the Config.Enable Debug Logging check box.
  4. View the Kong Gateway error log.
    For example, in Docker:
    docker-compose logs kong --follow
  5. Look for messages that contain ping-auth.
    For example:
    [ping-auth] Sending sideband request to policy provider