You are browsing documentation for an outdated version. See the latest documentation here.
Authorization Provider Strategy for Application Registration
Supported Authentication Plugins
OAuth2 plugins for use with the Application Registration plugin:
When Kong Gateway is the system of record, the Application Registration plugin works in conjunction with the OAuth2 or the Key Authentication plugin.
Important: The OAuth2 plugin does not support hybrid mode. If your organization uses hybrid mode, you must use an external identity provider and configure the OpenID Connect plugin.
When an external OAuth2 is the system of record, the Application Registration plugin works in conjunction with the OpenID Connect plugin.
The third-party authorization strategy (external-oauth2
) applies to all applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.
Authorization provider strategy configuration for Application Registration
The portal_app_auth
configuration option must be set in kong.conf
to enable the Dev Portal Application Registration plugin with your chosen authorization strategy. The default setting (kong-oauth2
) accommodates the OAuth2 or Key Authentication plugins.
Available options:
kong-oauth2
: Default. Kong Gateway is the system of record. The Application Registration plugin is used in conjunction with the OAuth2 or Key Authentication plugin. Thekong-oauth2
option can only be used with classic (traditional) deployments. Because the OAuth2 plugin requires a database for every gateway instance, thekong-oauth2
option cannot be used with hybrid mode deployments.external-oauth2
: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the OIDC plugin. Theexternal-oauth2
option can be used with any deployment type. Theexternal-oauth2
option must be used with hybrid mode deployments because hybrid mode does not supportkong-oauth2
.
Set external portal authentication
If you are using an external IdP, follow these steps.
Open
kong.conf.default
and set theportal_app_auth
option to your chosen strategy. The example configuration below switches from the default (kong-oauth2
) to an external IdP (external-oauth2
).portal_app_auth = external-oauth2
# Dev Portal application registration
# auth provider and strategy. Must be set to configure
# authentication in conjunction with the application_registration plugin.
# Currently accepts kong-oauth2 or external-oauth2.
Restart your Kong Gateway instance.
Next Steps
Enable the Application Registration plugin on a Service.
Enable a supported authentication plugin on the same Service as the Application Registration plugin, as appropriate for your authorization strategy.
Strategy
kong-oauth2
:- If using the
kong-oauth2
authorization strategy with the OAuth2 plugin, configure the OAuth2 plugin on the same Service as the Application Registration plugin. You can use either the Kong Manager GUI or cURL commands as documented on the Plugin Hub. The OAuth2 plugin cannot be used in hybrid mode. - If using the
kong-oauth2
authorization strategy with key authentication, configure the Key Auth plugin on the same Service as the Application Registration plugin. You can use the Kong Manager GUI or cURL commands as documented on the Plugin Hub.
Strategy
external-oauth2
:If you plan to use external OAuth2, review the recommended workflows.
If using the third-party authorization strategy (
external-oauth2
), configure the OIDC plugin on the same Service as the Application Registration plugin. You can use the Kong Manager GUI or cURL commands as documented on the Plugin Hub. When your deployment is hybrid mode, the OIDC plugin must be configured to handle authentication for the Portal Application Registration plugin.Configure the identity provider for your application, configure your application in Kong Gateway, and associate them with each other. See the Okta or the Azure setup examples.
- If using the