Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Custom Authentication Service in Kong API Gateway

Tags:

authentication

kong

api-gateway

We are currently analyzing the API gateway for our microservices and Kong is one of the possible candidate. We discovered that Kong support several plugins for authentication but the all based on users stored in Kong database itself. We need to delegate this responsibility to our custom auth HTTP service and don't want to add these users in API gateway database.

like image 802
Rahul Garg Avatar asked Aug 10 '17 17:08

Rahul Garg

People also ask

Does API gateway handle authentication?

API Gateway supports multiple authentication methods that are suited to different applications and use cases. API Gateway uses the authentication method that you specify in your service configuration to validate incoming requests before passing them to your API backend.

How would you implement JWT in API gateway?

To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.

Which kind of authorization happens through Apigw?

API gateway authentication is an important way to control the data that is allowed to be transmitted using your APIs. What is an API Gateway? In essence, it authenticates that a particular consumer has permission to access the API, using a predefined set of credentials.

1 Answers

It's possible to do this with some code around, instead of using the OpenID connect plugin; in effect you need to implement an Authorization Server which talks to Kong via the Admin (8001) port and authorizes the use of an API with externally given User Ids.

In short, it goes as follows (here for the Authorization Code grant):

  • Instead of asking Kong directly for tokens, hit the Authorization Server with a request to get a token for a specific API (either hard coded or parameterized, depending on what you need), and include the client ID of the application which needs access in the call (you implement the /authorize end point in fact)
  • The Authorization Server now needs to authenticate with whatever IdP you need, so that you have the authenticated user inside your Authorization Server
  • Now get the provision code for your API via the Kong Admin API, and hit the /oauth2/authorize end point of your Kong Gateway (port 8443), including the provision key; note that you may need to look up the client secret for the application client id also via the Admin API to make this work
  • Include client id, client secret, authenticated user id (from your custom IdP) and optinally scope in the POST to /oauth2/authorize; these values will be added to backend calls to your API using the access token the application can now claim using the authorization code
  • Kong will give you an Authorization Code back, which you pass back to the application via an 302 redirect (you will need to read the OAuth2 spec for this)
  • The application uses its client and secret, with the authorization code, to get the access token (and refresh token) from Kong's port 8443, URL /oauth2/token.

It sounds more involved than it is in the end. I did this for wicked.haufe.io, which is based on Kong and node.js, and adds an open source developer portal to Kong. There's a lot of code in the following two projects which show what can be done to integrate with any IdP:

  • https://github.com/apim-haufe-io/wicked.portal-kong-adapter
  • https://github.com/Haufe-Lexware/wicked.auth-passport
  • https://github.com/Haufe-Lexware/wicked.auth-saml

We're currently investigating to see whether we can also add a default authorization server to wicked, but right now you'd have to roll/fork your own.

Maybe this helps, Martin

like image 160
donmartin Avatar answered Sep 28 '22 18:09

donmartin
Sign in to Comment

Related questions

Test logged in user has correct id in Laravel 4
Different name fields user table?
why is authentication: 'plain' the default setting for actionmailer in rails (with gmail smtp)?
Getting ssl_error_bad_cert_alert on firefox after installing self signed p12 certificate
Understanding how to use NodeJS to create a simple backend
How do I force git to prompt for credentials?
How to move MVC 5 IdentityModels.cs into a separate assembly
JIRA REST API and kerberos authentication
Why the filter does not work when the back button of the browser is pressed in laravel?
Meteor RESTful Authentication. Is it possible?
Symfony: Multiple firewall contexts - User being forwarded to the wrong context
Single Sign On in Moodle with external login form
HttpClient gives Negotiate error with NTLM auth provider
Google API token endpoint POST returns Bad Request 400
Claim based access control in a distributed system
Kafka Authentication Producer Unable to Connect Producer
How do I get claims included in my AuthTicket in a Web API Auth Service?
User authentication with ASP MVC and React
Web API – authenticate with bearer token
Non-interactive authorization with Google OAuth2

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!