PingAccess

Kong API Gateway Integration

Ping Identity provides a Kong Gateway integration that enables the use of PingAccess and other Ping Identity products for policy decisions.

Integration with Kong Gateway allows PingAccess to handle the complexities of the OAuth and OpenID Connect (OIDC) protocols, making it easier to manage access control in your API. Instead of repeating access control configuration for every API, install and configure the Kong plugin once and manage your access control rules in PingAccess.

The following diagram explains how traffic flows through Kong Gateway and PingAccess.

Workflow diagram illustrating the API flow process from the HTTP client inbound request to the API gateway through the API gateway outbound response to the HTTP client.
  1. The HTTP client sends an inbound request to the API gateway.

  2. The API gateway sends a sideband request to PingAccess.

  3. PingAccess evaluates the request and sends a response to the API gateway.

  4. The API gateway analyzes the response from PingAccess to determine whether the request should be forwarded to the API and, if so, whether any modifications should be made to the request.

    If the request is denied, PingAccess includes directives that influence how the API gateway responds to the HTTP client.

  5. The API sends an outbound response to the API gateway.

  6. The API gateway passes the response to PingAccess for processing.

  7. PingAccess sends a response to the API gateway.

  8. The API gateway processes the response from PingAccess.

    If modifications should be made, the response to the HTTP client includes directives for modifying the response.
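The eight steps above, modelled in Python as an added example (this is not Ping Identity's or Kong's code). A gateway function sends the inbound request to a policy decision point (PDP), applies the decision, forwards to the API, then lets the PDP post-process the response before it reaches the client. The `Decision` format (allow or deny, status, header directives) and the `policy_decision_point` rules are constructed for illustration; they are not the real PingAccess sideband API or PingAccess policy.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class HttpMessage:
    """Minimal HTTP request or response used by the model."""
    headers: Dict[str, str]
    body: str = ""
    status: int = 200
    method: str = "GET"
    path: str = "/"


@dataclass
class Decision:
    """Constructed decision format: what the PDP tells the gateway to do."""
    allow: bool
    status: int = 200                      # status sent to the client when denied
    set_headers: Dict[str, str] = field(default_factory=dict)
    remove_headers: List[str] = field(default_factory=list)
    body: str = ""                         # body sent to the client when denied


def policy_decision_point(msg: HttpMessage, phase: str) -> Decision:
    """Stand-in for PingAccess (hypothetical policy, not PingAccess's real rules)."""
    if phase == "request":
        auth = msg.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            # Deny, with directives shaping the gateway's reply to the client (step 4)
            return Decision(allow=False, status=401,
                            set_headers={"WWW-Authenticate": 'Bearer realm="api"'},
                            body="unauthorized")
        # Allow, but strip the token and hand the API an identity header instead
        return Decision(allow=True,
                        set_headers={"X-Subject": "demo-user"},
                        remove_headers=["Authorization"])
    # Response phase (step 7): strip an internal header before the client sees it
    return Decision(allow=True, remove_headers=["X-Internal-Trace"])


def apply_directives(msg: HttpMessage, decision: Decision) -> HttpMessage:
    """Apply the header modifications a decision asks for (steps 4 and 8)."""
    for name in decision.remove_headers:
        msg.headers.pop(name, None)
    msg.headers.update(decision.set_headers)
    return msg


def gateway(request: HttpMessage,
            pdp: Callable[[HttpMessage, str], Decision],
            upstream: Callable[[HttpMessage], HttpMessage]) -> HttpMessage:
    """Model of the API gateway: sideband calls to the PDP around the upstream call."""
    decision = pdp(request, "request")                     # steps 2-3
    if not decision.allow:                                 # step 4, denied
        return HttpMessage(headers=dict(decision.set_headers),
                           body=decision.body, status=decision.status)
    apply_directives(request, decision)                    # step 4, modified request
    response = upstream(request)                           # step 5
    decision = pdp(response, "response")                   # steps 6-7
    return apply_directives(response, decision)            # step 8


def demo_api(request: HttpMessage) -> HttpMessage:
    """Constructed upstream API: reports what the gateway let through to it."""
    return HttpMessage(
        headers={"Content-Type": "text/plain",
                 "X-Internal-Trace": "node-7",
                 "X-Saw-Authorization": str("Authorization" in request.headers)},
        body=f"hello {request.headers.get('X-Subject', 'anonymous')}")


def run(headers: Dict[str, str]) -> HttpMessage:
    """Run one client request through the modelled gateway."""
    req = HttpMessage(headers=dict(headers), path="/orders")
    return gateway(req, policy_decision_point, demo_api)


if __name__ == "__main__":
    print(run({}))                                   # denied: 401 with WWW-Authenticate
    print(run({"Authorization": "Bearer abc"}))      # allowed: 200, "hello demo-user"
```

The point to take from the model is that the API never sees the raw bearer token and the client never sees the API's internal trace header: both modifications are directives from the decision point, and the gateway only applies them.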

Review the following usage considerations before setting up the Kong plugin:

Mutual TLS (mTLS)

This plugin supports client certificate authentication using mTLS. However, this feature requires using the mtls-auth plugin (only available in the Enterprise edition of Kong) in conjunction with ping-auth. Learn more in the Kong mTLS-auth documentation.

When configured, the mtls-auth plugin uses the mTLS process to retrieve the client certificate, which allows ping-auth to provide the certificate in the client_certificate field of the sideband requests.

Transfer-encoding

Because of an outstanding defect in Kong, ping-auth is unable to support the Transfer-Encoding header, regardless of the value.

Logging limit

Because of OpenResty’s log level limit, log messages are limited to 2048 bytes by default, which is less than the size of many requests and responses. Learn more in the OpenResty reference documentation.

HTTP/2

The Kong Gateway integration does not support HTTP/2.

To set up the Kong Gateway integration: