The following resources can help you solve issues with the Kong Gateway integration for PingOne Authorize.
Solutions
API client HTTP 5xx errors
- Likely cause
- Kong Gateway might return HTTP 502 when there is misconfiguration or miscommunication between the Ping Identity plugin for Kong Gateway and the HTTP Access Policy Service in PingOne Authorize.
- How to troubleshoot
- The plugin for Kong Gateway logs warning messages to the Kong Gateway error log when it encounters problems communicating with PingOne Authorize. For more information, see Enabling error logging in Kong Gateway.
- Details
- If the shared secret value doesn’t match the API Gateway credential in PingOne Authorize, the Kong error log message might indicate that the plugin received an HTTP 401 error from PingOne Authorize, which is translated to a 5xx error sent to the API client. For example:
2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: is_failed_request(): [ping-auth] Sideband request denied with status code 401: The Gateway Token is invalid
If the service URL value doesn’t match the service URL in PingOne Authorize, the Kong error log message might indicate that the plugin received an invalid response from the server. For example:
2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: handle_response(): [ping-auth] Unable to parse JSON body returned from policy provider. Error: Expected value but found T_END at character 1
If the request body exceeds Kong's default buffer size limit of 8 KB, the Kong error log message might indicate that the plugin received an invalid response from the upstream server. For example:
"code" : "Bad Request", "message" : "Missing expected request body."
- How to fix
- Check the settings for Shared Secret and Service URL to ensure that they match your PingOne Authorize environment. If necessary, go to and generate a new credential, then copy the value to the shared secret setting in the Kong Gateway plugin configuration.
If the request body is missing, check the nginx_http_client_body_buffer_size setting in kong.conf and increase its value to accommodate your maximum expected request body size. Learn more in nginx_http_client_body_buffer_size.
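The following triage script is an added example, not code from Ping Identity or Kong. It matches Kong error log lines against the three messages quoted above and reports the likely cause for each. The function names, cause labels, and the `kong_1  | ` container prefix in the sample are assumptions of this example.

```python
import re
import sys
from collections import Counter

# Signatures are the three messages quoted on this page; the cause labels and
# fix hints are this example's own wording of the page's guidance.
RULES = [
    ("shared-secret-mismatch", re.compile(r"Sideband request denied with status code 401"),
     "Compare the plugin's Shared Secret with the API Gateway credential."),
    ("service-url-mismatch", re.compile(r"Unable to parse JSON body returned from policy provider"),
     "Compare the plugin's Service URL with the one in PingOne Authorize."),
    ("request-body-over-buffer", re.compile(r"Missing expected request body"),
     "Raise nginx_http_client_body_buffer_size in kong.conf."),
]
# nginx error-log prefix; search() tolerates a container-name prefix before it.
PREFIX = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]")

def triage(lines):
    """Return one finding per log line that matches a known signature."""
    findings = []
    for line in lines:
        for cause, pattern, hint in RULES:
            if pattern.search(line):
                m = PREFIX.search(line)
                ts, level = m.groups() if m else (None, None)
                # The raw line is not stored: debug logs can contain PII.
                findings.append({"time": ts, "level": level, "cause": cause, "hint": hint})
                break
    return findings

def summarize(findings):
    """Count findings per cause, most frequent first."""
    return Counter(f["cause"] for f in findings).most_common()

# Constructed sample: the page's example messages plus one unrelated debug line.
SAMPLE = [
    'kong_1  | 2022/03/28 16:19:49 [warn] 78#0: *85187 [lua] network_handler.lua:145: is_failed_request(): [ping-auth] Sideband request denied with status code 401: The Gateway Token is invalid',
    '2022/03/28 16:19:49 [error] 78#0: *90929 [lua] access.lua:114: handle_response(): [ping-auth] Unable to parse JSON body returned from policy provider. Error: Expected value but found T_END at character 1',
    '"code" : "Bad Request", "message" : "Missing expected request body."',
    '2022/03/28 16:19:50 [debug] 78#0: *90930 [lua] [ping-auth] Sending sideband request to policy provider',
]

if __name__ == "__main__":
    # Pass "-" to read a live log from stdin; otherwise the sample is used.
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE
    for f in triage(lines):
        print(f"{f['time'] or '-'} {f['level'] or '-'} {f['cause']}: {f['hint']}")
```

To run it against a live gateway, pipe the error log into the script and pass `-` as the only argument.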
API client HTTP 4xx errors
- Likely causes
- The API gateway might return 4xx errors to API clients in these situations:
- PingOne cannot match an API client’s request to any of the Base URLs configured for an API service.
- The API client’s request cannot be authenticated or doesn't satisfy basic access control checks for an API service.
- The API client’s request doesn’t satisfy access control rules configured for the API service or its API Operations in PingOne Authorize.
- How to troubleshoot
- For more information, see Viewing API Access Management events in your PingOne environment audit log.
Troubleshooting resources
Enabling error logging in Kong Gateway
- To view error log messages, configure Kong error logging.
For more information, see the Kong Gateway Logging Reference documentation.
For example, in a Docker environment, you can use the environment variable KONG_PROXY_ERROR_LOG=/dev/stderr to send the error log to the container console. This is the default setting in the API Access Management tutorials environment.
- View the Kong Gateway error log.
For example, in Docker:
docker-compose logs kong --follow
Enabling debug logging for the Kong Gateway plugin
This could log sensitive and personally identifiable information (PII). Enable debug logging only when troubleshooting and disable it afterward.
- Enable error logging in Kong Gateway. See step 1 above.
- To view debug messages, configure Kong error log verbosity.
For more information, see the Kong Gateway Logging Reference documentation.
For example, in a Docker environment, you can use the environment variable KONG_LOG_LEVEL=debug to set the verbosity.
- To enable debug logging, edit settings for the ping-auth plugin and select the Config.Enable Debug Logging check box.
- View the Kong Gateway error log.
For example, in Docker:
docker-compose logs kong --follow
- Look for messages that contain ping-auth. For example:
[ping-auth] Sending sideband request to policy provider