Authorization Provider Strategy for Application Registration
In the 1.5.x beta version of the Application
Registration plugin, the feature was tightly coupled with OAuth2. Kong was the
only available system of record (SoR) for application credentials and the OAuth
configuration was done directly within the Application Registration plugin.
In the Kong Gateway (Enterprise) 2.1.x version, authentication was decoupled from the
Application Registration plugin. Support has been added for third-party OAuth2
providers. Developers have the flexibility to choose from either
Kong or a third-party identity provider (IdP) as the system of record for
application credentials. With third-party (external) OAuth2 support, developers
can centralize application credential management with the
supported identity provider
of their choice.
In the Kong Gateway (Enterprise) 2.2.1.x version and later, support has been added
for the Key Authentication plugin to use with Kong as the system of record.
Supported Authentication Plugins
OAuth2 plugins for use with the Application Registration plugin:
When Kong Gateway is the system of record, the Application Registration plugin works
in conjunction with the OAuth2 or the Key Authentication plugin.
Important: The OAuth2 plugin does not support
hybrid mode. Since the Key Authentication plugin is using the `kong-oauth2` strategy
and client ID credential, hybrid mode is also not supported for the Key
Authentication plugin. If your organization uses hybrid mode, you must use an external identity
provider and configure the OpenID Connect plugin.
When an external OAuth2 is the system of record, the Application Registration
plugin works in conjunction with the OpenID Connect plugin.
The third-party authorization strategy (
external-oauth2) applies to all
applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.
Authorization provider strategy configuration for Application Registration
portal_app_auth configuration option must be set in
kong.conf to enable
the Dev Portal Application Registration plugin with your chosen
authorization strategy. The default setting (
kong-oauth2) accommodates the
OAuth2 or Key Authentication plugins.
kong-oauth2: Default. Kong Gateway is the system of record. The Application
Registration plugin is used in conjunction with the OAuth2 or
Key Authentication plugin. The
kong-oauth2 option can only be used with
classic (traditional) deployments. Because the OAuth2 plugin requires a database
for every gateway instance, the
kong-oauth2 option cannot be used with hybrid mode
external-oauth2: An external IdP is the system of record. The
Portal Application Registration plugin is used in conjunction with the
OIDC plugin. The
external-oauth2 option can be used with any deployment type.
external-oauth2 option must be used with
deployments because hybrid mode does not support
Set external portal authentication
If you are using an external IdP, follow these steps.
kong.conf.default and set the
portal_app_auth option to your chosen
strategy. The example configuration below switches from the default
kong-oauth2) to an external IdP (
portal_app_auth = external-oauth2
# Dev Portal application registration
# auth provider and strategy. Must be set to configure
# authentication in conjunction with the application_registration plugin.
# Currently accepts kong-oauth2 or external-oauth2.
Restart your Kong Enterprise
Enable the Application Registration plugin on a Service.
Enable a supported authentication plugin on the same Service as the Application Registration plugin,
as appropriate for your authorization strategy.
- If using the
kong-oauth2 authorization strategy with the OAuth2 plugin, configure the
OAuth2 plugin on the same Service as the Application Registration plugin.
You can use either the Kong Manager GUI or cURL commands as documented on the Plugin Hub.
The OAuth2 plugin cannot be used in hybrid mode.
- If using the
kong-oauth2 authorization strategy with key authentication, configure the
Key Auth plugin on the same Service as the Application
Registration plugin. You can use either the
Kong Manager GUI
or cURL commands as documented on the Plugin Hub. The Key Auth plugin
cannot be used in hybrid mode.
If you plan to use external OAuth2, review the
If using the third-party authorization strategy
external-oauth2), configure the OIDC plugin on the same Service as the
Application Registration plugin. You can use the Kong Manager GUI
or cURL commands as documented on the Plugin Hub.
When your deployment is hybrid mode, the OIDC plugin must be configured to handle
authentication for the Portal Application Registration plugin.
Configure the identity provider for your application, configure your
application in Kong Gateway, and associate them with each other. See the
or the Azure setup examples.