Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
      Docs Contribution Guidelines
      Want to help out, or found an issue in the docs and want to let us know?
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Gateway
3.0.x
  • Home icon
  • Kong Gateway
  • Kong Enterprise
  • Dev Portal
  • Applications
  • Authorization Provider Strategy for Application Registration
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.4.x (latest)
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • Archive (pre-2.6)
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Supported Authentication Plugins
  • Authorization provider strategy configuration for Application Registration
    • Set external portal authentication
  • Next Steps
You are browsing documentation for an outdated version. See the latest documentation here.

Authorization Provider Strategy for Application Registration

Supported Authentication Plugins

OAuth2 plugins for use with the Application Registration plugin:

  • When Kong Gateway is the system of record, the Application Registration plugin works in conjunction with the OAuth2 or the Key Authentication plugin.

    Important: The OAuth2 plugin does not support hybrid mode. If your organization uses hybrid mode, you must use an external identity provider and configure the OpenID Connect plugin.
  • When an external OAuth2 is the system of record, the Application Registration plugin works in conjunction with the OpenID Connect plugin.

The third-party authorization strategy (external-oauth2) applies to all applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.

Authorization provider strategy configuration for Application Registration

The portal_app_auth configuration option must be set in kong.conf to enable the Dev Portal Application Registration plugin with your chosen authorization strategy. The default setting (kong-oauth2) accommodates the OAuth2 or Key Authentication plugins.

Available options:

  • kong-oauth2: Default. Kong Gateway is the system of record. The Application Registration plugin is used in conjunction with the OAuth2 or Key Authentication plugin. The kong-oauth2 option can only be used with classic (traditional) deployments. Because the OAuth2 plugin requires a database for every gateway instance, the kong-oauth2 option cannot be used with hybrid mode deployments.
  • external-oauth2: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the OIDC plugin. The external-oauth2 option can be used with any deployment type. The external-oauth2 option must be used with hybrid mode deployments because hybrid mode does not support kong-oauth2.

Set external portal authentication

If you are using an external IdP, follow these steps.

  1. Open kong.conf.default and set the portal_app_auth option to your chosen strategy. The example configuration below switches from the default (kong-oauth2) to an external IdP (external-oauth2).

    portal_app_auth = external-oauth2
             # Dev Portal application registration
             # auth provider and strategy. Must be set to configure
             # authentication in conjunction with the application_registration plugin.
             # Currently accepts kong-oauth2 or external-oauth2.
    
  2. Restart your Kong Gateway instance.

Next Steps

  1. Enable the Application Registration plugin on a Service.

  2. Enable a supported authentication plugin on the same Service as the Application Registration plugin, as appropriate for your authorization strategy.

    Strategy kong-oauth2:

    • If using the kong-oauth2 authorization strategy with the OAuth2 plugin, configure the OAuth2 plugin on the same Service as the Application Registration plugin. You can use either the Kong Manager GUI or cURL commands as documented on the Plugin Hub. The OAuth2 plugin cannot be used in hybrid mode.
    • If using the kong-oauth2 authorization strategy with key authentication, configure the Key Auth plugin on the same Service as the Application Registration plugin. You can use the Kong Manager GUI or cURL commands as documented on the Plugin Hub.

    Strategy external-oauth2:

    1. If you plan to use external OAuth2, review the recommended workflows.

    2. If using the third-party authorization strategy (external-oauth2), configure the OIDC plugin on the same Service as the Application Registration plugin. You can use the Kong Manager GUI or cURL commands as documented on the Plugin Hub. When your deployment is hybrid mode, the OIDC plugin must be configured to handle authentication for the Portal Application Registration plugin.

    3. Configure the identity provider for your application, configure your application in Kong Gateway, and associate them with each other. See the Okta or the Azure setup examples.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023