Authorization Provider Strategy for Application Registration
You can use Kong Gateway or an external system of record with the Application Registration plugin.
The portal_app_auth configuration option must be set in kong.conf to enable the Dev Portal Application Registration plugin with your chosen authorization strategy:
- kong-oauth2: Default. Kong Gateway is the system of record. The Application Registration plugin is used in conjunction with the OAuth2 or Key Authentication plugin.
  Note: The OAuth2 plugin can only be used with traditional deployments. Because the OAuth2 plugin requires a database for every gateway instance, it can’t be used with hybrid mode or DB-less deployments.
- external-oauth2: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the OpenID Connect (OIDC) plugin. The external-oauth2 option can be used with any deployment type.

The third-party authorization strategy (external-oauth2) applies to all applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.
Using the Kong Gateway auth strategy
If you’re using the default kong-oauth2 authorization strategy with Kong Gateway as the system of record, set up app registration using the following steps:
- Enable the Application Registration plugin on a service.
- Configure either the OAuth2 plugin or the Key Auth plugin on the same service as the Application Registration plugin.
  The OAuth2 plugin can’t be used in hybrid mode.
Setting external portal authentication
If you are using an external IdP (external-oauth2), follow these steps.
- Review and choose one of the recommended workflows.
- Open kong.conf.default and set the portal_app_auth option to your chosen strategy. The example configuration below switches from the default (kong-oauth2) to an external IdP (external-oauth2).

      portal_app_auth = external-oauth2  # Dev Portal application registration
                                         # auth provider and strategy. Must be set to configure
                                         # authentication in conjunction with the application_registration plugin.
                                         # Currently accepts kong-oauth2 or external-oauth2.

- Restart your Kong Gateway instance.

      kong reload

- Enable the Application Registration plugin on a service.
- Configure the OIDC plugin on the same service as the Application Registration plugin.
- Configure the identity provider for your application, configure your application in Kong Gateway, and associate them with each other. See the Okta or the Azure setup examples.
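A pre-flight check for the portal_app_auth setting described above, as an added example that is not part of the Kong documentation. It reads kong.conf text, applies the documented default, and flags the deployment constraint noted for the OAuth2 plugin. The function names and sample files are constructed here, and the defaults assumed for Kong's `role` and `database` settings are traditional and postgres.

```python
VALID_STRATEGIES = {"kong-oauth2", "external-oauth2"}  # values the page lists


def parse_kong_conf(text):
    """Parse 'key = value  # comment' lines; later assignments win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_portal_app_auth(text):
    """Return (strategy, findings) for the given kong.conf contents."""
    conf = parse_kong_conf(text)
    # The page states kong-oauth2 is the default strategy. The defaults for
    # 'role' and 'database' are assumptions of this example.
    strategy = conf.get("portal_app_auth", "kong-oauth2")
    role = conf.get("role", "traditional")
    database = conf.get("database", "postgres")
    findings = []
    if strategy not in VALID_STRATEGIES:
        findings.append(f"portal_app_auth = {strategy!r} is not an accepted value")
    elif strategy == "kong-oauth2" and (role != "traditional" or database == "off"):
        findings.append(
            "kong-oauth2 on a hybrid or DB-less node: the OAuth2 plugin cannot be "
            "used here; pair with Key Auth or switch to external-oauth2"
        )
    return strategy, findings


# Constructed sample configurations, not taken from a real deployment.
SAMPLE_HYBRID = """
role = control_plane
database = postgres
#portal_app_auth = kong-oauth2   # still commented out, so the default applies
"""
SAMPLE_EXTERNAL = """
role = data_plane
database = off
portal_app_auth = external-oauth2  # Dev Portal application registration
"""

if __name__ == "__main__":
    for name, sample in (("hybrid", SAMPLE_HYBRID), ("external", SAMPLE_EXTERNAL)):
        print(name, check_portal_app_auth(sample))
```
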