Kong – HIGH-LEVEL AUTH FLOW

techhadoop , , , ,

Here’s a clear breakdown of how authentication works in a Kong + Ping Identity + IAM setup, which is common in enterprise environments where Kong acts as an API gateway and Ping Identity (like PingFederate/PingOne) handles user authentication and token issuance.

HIGH-LEVEL AUTH FLOW

Scenario:

Client → Kong Gateway → Protected Service
Kong integrates with Ping Identity for OIDC authentication or JWT validation, often backed by a central IAM system.

COMPONENT ROLES

ComponentRole
Kong GatewayAPI gateway that enforces authentication & authorization plugins
Ping IdentityIdentity Provider (IdP) – handles login, token issuance, and federation
IAM (e.g., Ping IAM, LDAP, AD)Stores users, groups, permissions, policies

AUTHENTICATION FLOW (OIDC Plugin)

OpenID Connect (Authorization Code Flow):

  1. Client → Kong
    Tries to access a protected API.
  2. Kong (OIDC Plugin)
    Redirects client to Ping Identity (Authorization Endpoint).
  3. Ping Identity (PingFederate or PingOne)
    • Authenticates user (UI, MFA, etc.).
    • Issues authorization_code.
  4. Kong → Ping Identity (Token Endpoint)
    Exchanges code for access_token (and optionally id_token, refresh_token).
  5. Kong (OIDC Plugin)
    • Validates token.
    • Optionally maps user to Kong consumer.
    • Passes request to backend with enriched headers (e.g., X-Consumer-Username).
  6. Backend Service
    Receives authenticated request with headers.

JWT Token Validation (Alt. Flow)

If Ping Identity issues JWT tokens, you can use Kong’s JWT plugin to validate them without redirect:

  1. Client gets access_token from Ping (out of band or SPA).
  2. Client sends request with Authorization: Bearer <token>.
  3. Kong JWT plugin verifies:
    • Signature using Ping’s public key / JWKS.
    • Claims like iss, aud, exp, etc.
  4. If valid, forward to upstream.

Where IAM Comes In

IAM sits behind Ping Identity and handles:

  • User/group storage (via LDAP, AD, DB, etc.)
  • Role mapping (e.g., admin/user)
  • Authorization policies (PingAccess, policy processor)
  • MFA/SSO rules

Ping Identity federates those identities into SSO tokens and passes them to Kong.

Plugin Example: OIDC Config

curl -X POST http://<admin>:8001/services/my-service/plugins \
  --data "name=openid-connect" \
  --data "config.issuer=https://ping-idp.com" \
  --data "config.client_id=my-client" \
  --data "config.client_secret=abc123" \
  --data "config.redirect_uri=https://my-kong.com/callback" \
  --data "config.scopes=openid profile email"

Kong Headers Passed to Backend

After successful auth, Kong can pass:

  • X-Consumer-Username
  • X-Authenticated-Userid
  • Authorization: Bearer <token> (if configured)

Optional Enhancements

  • Use ACL plugin to enforce group-level access.
  • Use OIDC group claim mapping to Kong consumer groups.
  • Enable rate limiting per consumer.
  • Log authenticated user ID to Splunk or ELK.

Leave a comment