Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
|
Kong Gateway
2.8.x LTS
github-edit-pageEdit this page
report-issueReport an issue
You are browsing documentation for an older version. See the latest documentation here.

Authorization Provider Strategy for Application Registration

You can use Kong Gateway or an external system of record with the Application Registration plugin.

The portal_app_auth configuration option must be set in kong.conf to enable the Dev Portal Application Registration plugin with your chosen authorization strategy:

  • kong-oauth2: Default. Kong Gateway is the system of record. The Application Registration plugin is used in conjunction with the OAuth2 or Key Authentication plugin.

    Note: The OAuth2 plugin can only be used with traditional deployments. Because the OAuth2 plugin requires a database for every gateway instance, it can’t be used with hybrid mode or DB-less deployments.

  • external-oauth2: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the OpenID Connect (OIDC) plugin. The external-oauth2 option can be used with any deployment type.

    The third-party authorization strategy (external-oauth2) applies to all applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.

Using the Kong Gateway auth strategy

If you’re using the default kong-oauth2 authorization strategy with Kong Gateway as the system of record, set up app registration using the following steps:

  1. Enable the Application Registration plugin on a service.

  2. Configure either the OAuth2 plugin or the Key Auth plugin on the same service as the Application Registration plugin.

    The OAuth2 plugin can’t be used in hybrid mode.

Setting external portal authentication

If you are using an external IdP (external-oauth2), follow these steps.

  1. Review and choose one of the recommended workflows.

  2. Open kong.conf.default and set the portal_app_auth option to your chosen strategy. The example configuration below switches from the default (kong-oauth2) to an external IdP (external-oauth2).

    portal_app_auth = external-oauth2
         # Dev Portal application registration
         # auth provider and strategy. Must be set to configure
         # authentication in conjunction with the application_registration plugin.
         # Currently accepts kong-oauth2 or external-oauth2.

  3. Restart your Kong Gateway instance.

    kong reload

  4. Enable the Application Registration plugin on a service.

  5. Configure the OIDC plugin on the same service as the Application Registration plugin.

  6. Configure the identity provider for your application, configure your application in Kong Gateway, and associate them with each other. See the Okta or the Azure setup examples.