Skip to content
Kong Summit 2022: Where API Innovation Runs Wild  —Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Konnect Cloud
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Kong Konnect Platform

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Request Demo
  • Kong Gateway
  • Konnect Cloud
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Kong Konnect Platform

  • Docs contribution guidelines
  • 2.8.x (latest)
  • 2.7.x
  • 2.6.x
  • Older Enterprise versions (0.31-2.5)
  • Older OSS versions (0.13-2.5)
  • Archive (pre-0.13)
    • Overview of Kong Gateway
    • Version Support Policy
    • Changelog
    • Overview
    • Kubernetes
    • Helm
    • OpenShift with Helm
    • Docker
    • Amazon Linux
    • CentOS
    • macOS
    • Debian
    • RHEL
    • Ubuntu
    • Migrating from OSS to EE
    • Upgrade Kong Gateway
    • Upgrade Kong Gateway OSS
      • Configuring a Service
      • Configuring a gRPC Service
      • Enabling Plugins
      • Adding Consumers
      • Prepare to Administer
      • Expose your Services
      • Protect your Services
      • Improve Performance
      • Secure Services
      • Set Up Intelligent Load Balancing
      • Manage Administrative Teams
      • Publish, Locate, and Consume Services
    • Running Kong as a Non-Root User
    • Resource Sizing Guidelines
      • Deploy Kong Gateway in Hybrid Mode
    • Kubernetes Deployment Options
    • Control Kong Gateway through systemd
    • Performance Testing Framework
    • DNS Considerations
    • Default Ports
      • Access Your License
      • Deploy Your License
      • Monitor License Usage
      • Start Kong Gateway Securely
      • Keyring and Data Encryption
      • Kong Security Update Process
        • Getting Started
        • Advanced Usage
          • Environment Variables
          • AWS Secrets Manager
          • Hashicorp Vault
        • Reference Format
      • Authentication Reference
        • OpenID Connect with Curity
        • OpenID Connect with Azure AD
        • OpenID Connect with Google
        • OpenID Connect with Okta
        • OpenID Connect with Auth0
        • OpenID Connect with Cognito
        • OpenID Connect Plugin Reference
      • Allowing Multiple Authentication Methods
        • Create a Super Admin
        • Configure Networking
        • Configure Kong Manager to Send Email
        • Reset Passwords and RBAC Tokens
        • Configure Workspaces
        • Basic Auth
        • LDAP
        • OIDC
        • Sessions
        • Add a Role
        • Add a User
        • Add an Admin
      • Mapping LDAP Service Directory Groups to Kong Roles
    • Configure gRPC Plugins
    • GraphQL Quickstart
    • Logging Reference
    • Network and Firewall
    • Overview
    • Enable the Dev Portal
    • Structure and File Types
    • Portal API
    • Working with Templates
    • Using the Editor
        • Basic Auth
        • Key Auth
        • OIDC
        • Sessions
        • Adding Custom Registration Fields
      • SMTP
      • Workspaces
      • Manage Developers
      • Developer Roles and Content Permissions
        • Authorization Provider Strategy
        • Enable Application Registration
        • Enable Key Authentication for Application Registration
        • External OAuth2 Support
        • Set up Okta and Kong for external OAuth
        • Set Up Azure AD and Kong for External Authentication
        • Manage Applications
      • Easy Theme Editing
      • Migrating Templates Between Workspaces
      • Markdown Rendering Module
      • Customizing Portal Emails
      • Adding and Using JavaScript Assets
      • Single Page App in Dev Portal
      • Alternate OpenAPI Renderer
    • Helpers CLI
      • Metrics
      • Reports
      • Vitals with InfluxDB
      • Vitals with Prometheus
      • Estimate Vitals Storage in PostgreSQL
    • Prometheus plugin
    • Zipkin plugin
      • DB-less Mode
      • Declarative Configuration
      • Supported Content Types
      • Information Routes
      • Health Routes
      • Tags
      • Service Object
      • Route Object
      • Consumer Object
      • Plugin Object
      • Certificate Object
      • CA Certificate Object
      • SNI Object
      • Upstream Object
      • Target Object
      • Vaults Beta
        • Licenses Reference
        • Licenses Examples
        • Workspaces Reference
        • Workspace Examples
        • RBAC Reference
        • RBAC Examples
        • API Reference
        • Examples
      • Developers
        • API Reference
        • Examples
        • Event Hooks Reference
        • Examples
      • Audit Logging
      • Keyring and Data Encryption
      • Securing the Admin API
    • DB-less and Declarative Configuration
    • Configuration Reference
    • CLI Reference
    • Load Balancing Reference
    • Proxy Reference
    • Rate Limiting Library
    • Health Checks and Circuit Breakers Reference
    • Clustering Reference
      • kong.client
      • kong.client.tls
      • kong.cluster
      • kong.ctx
      • kong.ip
      • kong.log
      • kong.nginx
      • kong.node
      • kong.request
      • kong.response
      • kong.router
      • kong.service
      • kong.service.request
      • kong.service.response
      • kong.table
      • kong.vault
      • Introduction
      • File structure
      • Implementing custom logic
      • Plugin configuration
      • Accessing the datastore
      • Storing custom entities
      • Caching custom entities
      • Extending the Admin API
      • Writing tests
      • (un)Installing your plugin
    • Plugins in Other Languages

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • Supported Authentication Plugins
  • Authorization provider strategy configuration for Application Registration
    • Set external portal authentication
  • Next Steps
Kong Gateway
2.8.x (latest)
  • Home
  • Kong Gateway
  • Developer portal
  • Administration
  • Application registration

Authorization Provider Strategy for Application Registration

Supported Authentication Plugins

OAuth2 plugins for use with the Application Registration plugin:

  • When Kong Gateway is the system of record, the Application Registration plugin works in conjunction with the OAuth2 or the Key Authentication plugin.

    Important: The OAuth2 plugin does not support hybrid mode. Since the Key Authentication plugin is using the `kong-oauth2` strategy and client ID credential, hybrid mode is also not supported for the Key Authentication plugin. If your organization uses hybrid mode, you must use an external identity provider and configure the OpenID Connect plugin.
  • When an external OAuth2 is the system of record, the Application Registration plugin works in conjunction with the OpenID Connect plugin.

The third-party authorization strategy (external-oauth2) applies to all applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.

Authorization provider strategy configuration for Application Registration

The portal_app_auth configuration option must be set in kong.conf to enable the Dev Portal Application Registration plugin with your chosen authorization strategy. The default setting (kong-oauth2) accommodates the OAuth2 or Key Authentication plugins.

Available options:

  • kong-oauth2: Default. Kong Gateway is the system of record. The Application Registration plugin is used in conjunction with the OAuth2 or Key Authentication plugin. The kong-oauth2 option can only be used with classic (traditional) deployments. Because the OAuth2 plugin requires a database for every gateway instance, the kong-oauth2 option cannot be used with hybrid mode deployments.
  • external-oauth2: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the OIDC plugin. The external-oauth2 option can be used with any deployment type. The external-oauth2 option must be used with hybrid mode deployments because hybrid mode does not support kong-oauth2.

Set external portal authentication

If you are using an external IdP, follow these steps.

  1. Open kong.conf.default and set the portal_app_auth option to your chosen strategy. The example configuration below switches from the default (kong-oauth2) to an external IdP (external-oauth2).

    portal_app_auth = external-oauth2
             # Dev Portal application registration
             # auth provider and strategy. Must be set to configure
             # authentication in conjunction with the application_registration plugin.
             # Currently accepts kong-oauth2 or external-oauth2.
    
  2. Restart your Kong Gateway instance.

Next Steps

  1. Enable the Application Registration plugin on a Service.

  2. Enable a supported authentication plugin on the same Service as the Application Registration plugin, as appropriate for your authorization strategy.

    Strategy kong-oauth2:

    • If using the kong-oauth2 authorization strategy with the OAuth2 plugin, configure the OAuth2 plugin on the same Service as the Application Registration plugin. You can use either the Kong Manager GUI or cURL commands as documented on the Plugin Hub. The OAuth2 plugin cannot be used in hybrid mode.
    • If using the kong-oauth2 authorization strategy with key authentication, configure the Key Auth plugin on the same Service as the Application Registration plugin. You can use either the Kong Manager GUI or cURL commands as documented on the Plugin Hub. The Key Auth plugin cannot be used in hybrid mode.

    Strategy external-oauth2:

    1. If you plan to use external OAuth2, review the recommended workflows.

    2. If using the third-party authorization strategy (external-oauth2), configure the OIDC plugin on the same Service as the Application Registration plugin. You can use the Kong Manager GUI or cURL commands as documented on the Plugin Hub. When your deployment is hybrid mode, the OIDC plugin must be configured to handle authentication for the Portal Application Registration plugin.

    3. Configure the identity provider for your application, configure your application in Kong Gateway, and associate them with each other. See the Okta or the Azure setup examples.

Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2022