Authorization Provider Strategy for Application Registration
Overview
In the 1.5.x beta version of the Application Registration plugin, the feature was tightly coupled with OAuth2. Kong was the only available system of record (SoR) for application credentials and the OAuth configuration was done directly within the Application Registration plugin.
In the Kong Gateway 2.1.x version, authentication has been decoupled from the Application Registration plugin. Support has been added for third-party OAuth2 providers. Developers have the flexibility to choose from either Kong or a third-party identity provider (IdP) as the system of record for application credentials. With third-party (external) OAuth2 support, developers can centralize application credential management with the supported identity provider of their choice.
OAuth2 plugins for use with the Application Registration plugin:
- When Kong is the system of record, the Application Registration plugin works in conjunction with the Kong OAuth2 plugin.
  Important: The Kong OAuth2 plugin does not support hybrid mode. If your organization uses hybrid mode, you must use an external identity provider and configure the Kong OIDC plugin.
- When an external OAuth2 provider is the system of record, the Application Registration plugin works in conjunction with the Kong OIDC plugin.
The third-party authorization strategy (`external-oauth2`) applies to all applications across all Workspaces (Dev Portals) in a Kong cluster.
Configure an auth provider strategy for Application Registration
The `portal_app_auth` configuration option must be set in `kong.conf` to enable the Developer Portal Application Registration plugin with your chosen authorization strategy.
Available options:
- `kong-oauth2`: Default. Kong is the system of record. The Application Registration plugin is used in conjunction with the Kong OAuth2 plugin. The `kong-oauth2` option can only be used with classic (traditional) deployments. Because the OAuth2 plugin requires a database for every Kong instance, the `kong-oauth2` option cannot be used with hybrid mode deployments.
- `external-oauth2`: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the Kong OIDC plugin. The `external-oauth2` option can be used with any deployment type. The `external-oauth2` option must be used with hybrid mode deployments because hybrid mode does not support `kong-oauth2`.
- Open `kong.conf.default` and set the `portal_app_auth` option to your chosen strategy. The example configuration below switches from the default (`kong-oauth2`) to an external IdP (`external-oauth2`).

  ```
  portal_app_auth = external-oauth2      # Developer Portal application registration
                                          # auth provider and strategy. Must be set to configure
                                          # authentication in conjunction with the application_registration
                                          # plugin. Currently accepts kong-oauth2 or external-oauth2.
  ```

- Restart your Kong Enterprise instance.
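The constraint spelled out above (the `kong-oauth2` default is rejected in hybrid mode, and only the two listed strategies are accepted) is easy to get wrong when `portal_app_auth` is simply left unset. The following added example, which is not Kong's own code, is a small pre-flight check that parses the `key = value` lines of a `kong.conf` and reports that mismatch before a restart. It assumes the deployment mode is expressed through Kong's `role` setting (`traditional`, `control_plane` or `data_plane`), which comes from Kong's hybrid-mode configuration rather than from this page; the sample configs at the bottom are constructed for the demonstration.

```python
"""Pre-flight check for portal_app_auth against the deployment mode.

Added example, not Kong's own code. The `role` key is assumed from Kong's
hybrid-mode configuration (traditional / control_plane / data_plane).
"""

# Strategies the page lists as accepted values for portal_app_auth.
VALID_STRATEGIES = {"kong-oauth2", "external-oauth2"}
# Roles that mean hybrid mode (assumed from Kong's hybrid-mode docs).
HYBRID_ROLES = {"control_plane", "data_plane"}


def parse_kong_conf(text: str) -> dict:
    """Parse `key = value` lines of a kong.conf into a dict.

    Blank lines and `#` comments are ignored, and an inline comment after a
    value (as in the page's example) is stripped, so
    `portal_app_auth = external-oauth2 # note` yields 'external-oauth2'.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_portal_app_auth(settings: dict) -> list:
    """Return a list of problems; an empty list means the combination is allowed.

    Rules taken from the page:
      - portal_app_auth defaults to kong-oauth2 when it is not set;
      - only kong-oauth2 and external-oauth2 are accepted;
      - kong-oauth2 cannot be used in hybrid mode, so a hybrid role requires
        external-oauth2 (and therefore the OIDC plugin).
    """
    problems = []
    strategy = settings.get("portal_app_auth", "kong-oauth2")
    role = settings.get("role", "traditional")  # assumed key, see module docstring

    if strategy not in VALID_STRATEGIES:
        problems.append(
            f"portal_app_auth={strategy!r} is not a supported strategy "
            f"(expected one of {sorted(VALID_STRATEGIES)})"
        )
        return problems

    if role in HYBRID_ROLES and strategy == "kong-oauth2":
        problems.append(
            f"role={role} is hybrid mode, which the Kong OAuth2 plugin does not "
            "support; set portal_app_auth = external-oauth2 and use the OIDC plugin"
        )
    return problems


# Constructed sample configs for the demonstration (not real deployments).
HYBRID_DEFAULT_CONF = """
role = control_plane
# portal_app_auth left unset, so the kong-oauth2 default silently applies
"""

HYBRID_EXTERNAL_CONF = """
role = data_plane
portal_app_auth = external-oauth2 # external IdP is the system of record
"""

TRADITIONAL_DEFAULT_CONF = """
# classic deployment: no role set, kong-oauth2 default is fine here
database = postgres
"""


if __name__ == "__main__":
    samples = [
        ("hybrid, strategy unset", HYBRID_DEFAULT_CONF),
        ("hybrid, external-oauth2", HYBRID_EXTERNAL_CONF),
        ("traditional, strategy unset", TRADITIONAL_DEFAULT_CONF),
    ]
    for name, conf in samples:
        issues = check_portal_app_auth(parse_kong_conf(conf))
        print(f"{name}: {'OK' if not issues else 'PROBLEM'}")
        for issue in issues:
            print(f"  - {issue}")
```

Running the module prints one verdict per sample config; the first sample is the case that matters, because nothing in the file mentions `portal_app_auth` at all and the disallowed default is only visible once the hybrid role is taken into account.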
Next steps
- If you plan to use external OAuth2, review the recommended workflows. Configure the identity provider for your application, configure your application in Kong, and associate them with each other. See the Okta or Azure setup examples.
- Enable the Application Registration plugin on a Service.
- Depending on your configured authentication strategy, configure the Kong OAuth2 or Kong OIDC plugin on the same Service as the Application Registration plugin.