Authorization Provider Strategy for Application Registration
In Kong Gateway 2.1.x, authentication was decoupled from the Application Registration plugin, and support was added for third-party OAuth2 providers. Developers can choose either Kong or a third-party identity provider (IdP) as the system of record for application credentials. With third-party (external) OAuth2 support, developers can centralize application credential management with the IdP of their choice.
In Kong Gateway 2.2.1.x and later, support has been added for the Key Authentication plugin, for use with Kong as the system of record.
OAuth2 plugins for use with the Application Registration plugin:
When Kong Gateway is the system of record, the Application Registration plugin works in conjunction with the OAuth2 or the Key Authentication plugin.
Important: The OAuth2 plugin does not support hybrid mode. Because the Key Authentication plugin uses the `kong-oauth2` strategy and client ID credentials, hybrid mode is not supported for the Key Authentication plugin either. If your organization uses hybrid mode, you must use an external identity provider and configure the OpenID Connect plugin.
The third-party authorization strategy (`portal_app_auth`) applies to all applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.
The `portal_app_auth` configuration option must be set in `kong.conf` to enable the Dev Portal Application Registration plugin with your chosen authorization strategy. The default setting (`kong-oauth2`) accommodates the OAuth2 or Key Authentication plugins.
Available options:
- `kong-oauth2`: Default. Kong Gateway is the system of record. The Application Registration plugin is used in conjunction with the OAuth2 or Key Authentication plugin. The `kong-oauth2` option can only be used with classic (traditional) deployments. Because the OAuth2 plugin requires a database for every gateway instance, the option cannot be used with hybrid mode deployments.
- `external-oauth2`: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the OIDC plugin. The `external-oauth2` option can be used with any deployment type. The `external-oauth2` option must be used with hybrid mode deployments because hybrid mode does not support `kong-oauth2`.
If you are using an external IdP, follow these steps.
1. Open `kong.conf.default` and set the option to your chosen strategy. The example configuration below switches from the default (`kong-oauth2`) to an external IdP (`external-oauth2`).
2. Enable the Application Registration plugin on a Service.
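As an added example (not from the Kong documentation), the following pre-deploy lint encodes the constraint described above: a hybrid-mode node must not be left on the default `kong-oauth2` strategy. It assumes `kong.conf` is a flat `key = value` file with `#` comments, that the `role` key (`traditional`, `control_plane` or `data_plane`) selects hybrid mode, and that an absent `portal_app_auth` means the default.

```python
"""Lint a kong.conf for the portal_app_auth / deployment-mode constraint.

Assumptions (not confirmed by the page): `role` is the key that puts a node
into hybrid mode, and kong.conf lines are plain `key = value` with `#` comments.
"""

HYBRID_ROLES = {"control_plane", "data_plane"}
VALID_STRATEGIES = {"kong-oauth2", "external-oauth2"}


def parse_kong_conf(text):
    """Return a dict of the active (uncommented) key = value settings."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line: not an active setting
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_portal_app_auth(settings):
    """Return a list of problems; an empty list means the combination is allowed."""
    problems = []
    strategy = settings.get("portal_app_auth", "kong-oauth2")  # default per docs
    role = settings.get("role", "traditional")
    if strategy not in VALID_STRATEGIES:
        problems.append(f"unknown portal_app_auth value: {strategy!r}")
    if role in HYBRID_ROLES and strategy == "kong-oauth2":
        problems.append(
            f"hybrid mode (role={role}) does not support kong-oauth2; "
            "set portal_app_auth = external-oauth2 and use the OpenID Connect plugin"
        )
    return problems


# Constructed sample: a control plane that was never switched off the default.
SAMPLE_HYBRID_DEFAULT = """
# a commented-out setting must not count as active
#portal_app_auth = external-oauth2
role = control_plane
portal = on
"""
SAMPLE_HYBRID_FIXED = SAMPLE_HYBRID_DEFAULT + "portal_app_auth = external-oauth2\n"

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_HYBRID_DEFAULT), ("fixed", SAMPLE_HYBRID_FIXED)):
        print(name, check_portal_app_auth(parse_kong_conf(text)) or "ok")
```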