We are currently analyzing the API gateway for our microservices and Kong is one of the possible candidates. We discovered that Kong supports several plugins for authentication, but they are all based on users stored in Kong's own database. We need to delegate this responsibility to our custom auth HTTP service and don't want to add these users to the API gateway database.
2 Answers
It's possible to do this with some code around, instead of using the OpenID Connect plugin; in effect you need to implement an Authorization Server which talks to Kong via the Admin (8001) port and authorizes the use of an API with externally given User IDs.
In short, it goes as follows (here for the Authorization Code grant):
- Instead of asking Kong directly for tokens, hit the Authorization Server with a request to get a token for a specific API (either hard coded or parameterized, depending on what you need), and include the client ID of the application which needs access in the call (you implement the `/authorize` end point in fact)
- The Authorization Server now needs to authenticate with whatever IdP you need, so that you have the authenticated user inside your Authorization Server
- Now get the provision code for your API via the Kong Admin API, and hit the `/oauth2/authorize` end point of your Kong Gateway (port 8443), including the provision key; note that you may need to look up the client secret for the application client ID also via the Admin API to make this work
- Include client ID, client secret, authenticated user ID (from your custom IdP) and optionally scope in the `POST` to `/oauth2/authorize`; these values will be added to backend calls to your API using the access token the application can now claim using the authorization code
- Kong will give you an Authorization Code back, which you pass back to the application via a 302 redirect (you will need to read the OAuth2 spec for this)
- The application uses its client and secret, with the authorization code, to get the access token (and refresh token) from Kong's port 8443, URL `/oauth2/token`.
It sounds more involved than it is in the end. I did this for wicked.haufe.io, which is based on Kong and node.js, and adds an open source developer portal to Kong. There's a lot of code in the following two projects which show what can be done to integrate with any IdP:
- https://github.com/apim-haufe-io/wicked.portal-kong-adapter
- https://github.com/Haufe-Lexware/wicked.auth-passport
- https://github.com/Haufe-Lexware/wicked.auth-saml
We're currently investigating to see whether we can also add a default authorization server to wicked, but right now you'd have to roll/fork your own.
Maybe this helps, Martin
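The flow outlined in the answer, as an added example (not code from Kong, wicked or the answer's author): a minimal Authorization Server side that looks up the client via the Admin API, calls Kong's `/oauth2/authorize` with the provision key and the externally authenticated user ID, pulls the code out of the `redirect_uri` Kong returns, and then the application's exchange at `/oauth2/token`. Ports 8001 and 8443 come from the answer; the `/myapi` route, the `/oauth2?client_id=` Admin lookup, the placeholder provision key and the `fake_kong` transport double are assumptions so the flow runs offline.

```python
"""Authorization Server glue for Kong's OAuth2 plugin (Authorization Code grant). Added example, not
Kong's or wicked's code. Assumed: Admin API on :8001 with /oauth2?client_id= lookup, proxy on :8443,
protected API at /myapi, provision_key held here; transport(url, form_or_None) -> dict does the HTTP."""
from urllib.parse import parse_qs, urlparse

ADMIN_URL = "http://localhost:8001"   # Admin API: keep this port off the public network
PROXY_URL = "https://localhost:8443"  # Kong proxy (TLS)
API_PATH = "/myapi"                   # assumed route of the protected API
PROVISION_KEY = "PROVISION-KEY-PLACEHOLDER"  # placeholder for the plugin's provision_key

def authorize(client_id, authenticated_userid, scope, transport):
    """Look up the client's secret via the Admin API, POST to Kong's /oauth2/authorize with the
    provision key and the IdP-authenticated user; return (location for the 302 back to the app, code)."""
    creds = transport(f"{ADMIN_URL}/oauth2?client_id={client_id}").get("data", [])
    if not creds:
        raise LookupError(f"unknown client_id {client_id!r}")
    form = {"client_id": client_id, "client_secret": creds[0]["client_secret"],
            "response_type": "code", "scope": scope, "provision_key": PROVISION_KEY,
            "authenticated_userid": authenticated_userid}
    location = transport(f"{PROXY_URL}{API_PATH}/oauth2/authorize", form)["redirect_uri"]
    code = parse_qs(urlparse(location).query).get("code", [None])[0]
    if not code:  # Kong signals failure as ?error=... on the redirect_uri
        raise ValueError(f"no authorization code in {location}")
    return location, code

def exchange_code(client_id, client_secret, code, transport):
    """Application side: trade the code plus client credentials for tokens at /oauth2/token."""
    return transport(f"{PROXY_URL}{API_PATH}/oauth2/token", {"grant_type": "authorization_code",
                     "client_id": client_id, "client_secret": client_secret, "code": code})

def fake_kong():
    """Constructed offline stand-in for the three Kong endpoints used above."""
    clients = {"app-1": {"client_secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
    codes = {}  # issued code -> authenticated_userid; consumed on first use
    def transport(url, form=None):
        path = urlparse(url).path
        if path == "/oauth2":  # Admin API credential lookup
            cid = parse_qs(urlparse(url).query)["client_id"][0]
            return {"data": [clients[cid]] if cid in clients else []}
        client = clients[form["client_id"]]
        if path.endswith("/oauth2/authorize"):
            if form["provision_key"] != PROVISION_KEY:  # only the trusted AS may mint codes
                return {"redirect_uri": f"{client['redirect_uri']}?error=invalid_provision_key"}
            code = f"code-{len(codes) + 1}"
            codes[code] = form["authenticated_userid"]
            return {"redirect_uri": f"{client['redirect_uri']}?code={code}"}
        userid = codes.pop(form["code"], None) if form["client_secret"] == client["client_secret"] else None
        return {"error": "invalid_request"} if userid is None else {
            "access_token": f"tok-{userid}", "token_type": "bearer", "expires_in": 7200}
    return transport
```

For a live Kong, pass a transport that performs the GET or form-encoded POST and returns the decoded JSON; the rest of the code is unchanged.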
- Thanks for the answer. I will certainly take a deeper look at the suggestions. – Rahul Garg Sep 17 '17 at 11:14
- What if I already have a microservice that deals with authentication (user + password), authorization (does the user have access to a specific resource), and registration (adding users to the users db tied to this microservice)? Is there a way to integrate the user service with Kong? It just seems like this level of user interaction would be more application-specific. – user1790300 Oct 16 '17 at 17:35
- This sounds like it's something you can and perhaps should solve with OAuth2, which is a step back, abstracting the authorization into scopes usually. How that is done in detail for *your* services is difficult to tell from just what you stated here. Your API ideally would just get the Authorization and Authentication delivered from Kong, from information which was gathered beforehand. That's often possible, but not always. – donmartin Oct 17 '17 at 06:26
- Just so I am clear, I would have to make my user microservice into more of an OAuth2 server and have Kong work with it from there? Also, I assume that I could not just create a custom plugin that would just interact directly with my user microservice, or would that be too messy? I can definitely see where the OAuth2 scenario would be cleaner. – user1790300 Oct 18 '17 at 16:50
- Instead of doing this in the comments, I added an answer to your linked question: https://stackoverflow.com/questions/46760736/user-registration-authentication-for-microservices-integrated-with-kong?noredirect=1&lq=1 – donmartin Oct 18 '17 at 20:27
Check out Kong's OpenID Connect plugin getkong.org/plugins/openid-connect-rp - it connects to external identity and auth systems.