Authorization Provider Strategy for Application Registration

    • When Kong Gateway is the system of record, the Application Registration plugin works in conjunction with the OAuth2 or the Key Authentication plugin.

      Important: The OAuth2 plugin does not support hybrid mode. If your organization uses hybrid mode, you must use an external identity provider and configure the OpenID Connect plugin.

    The third-party authorization strategy () applies to all applications across all Workspaces (Dev Portals) in a Kong Gateway cluster.

    Available options:

    • kong-oauth2: Default. Kong Gateway is the system of record. The Application Registration plugin is used in conjunction with the OAuth2 or Key Authentication plugin. The kong-oauth2 option can only be used with classic (traditional) deployments. Because the OAuth2 plugin requires a database for every gateway instance, the option cannot be used with hybrid mode deployments.
    • external-oauth2: An external IdP is the system of record. The Portal Application Registration plugin is used in conjunction with the OIDC plugin. The external-oauth2 option can be used with any deployment type. The external-oauth2 option must be used with hybrid mode deployments because hybrid mode does not support kong-oauth2.

    If you are using an external IdP, follow these steps.

    1. Open kong.conf.default and set the option to your chosen strategy. The example configuration below switches from the default (kong-oauth2) to an external IdP (external-oauth2).

    2. Restart your Kong Gateway instance.
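
A configuration check for the hybrid-mode constraint described above, added here as an example and not taken from the Kong documentation. The key names `portal_app_auth` and `role` and the role values `control_plane` / `data_plane` do not appear on this page and are assumed from Kong Gateway's kong.conf; the sample configurations are constructed.

```python
# Lint a kong.conf for a strategy that the deployment mode cannot support.
STRATEGY_KEY = "portal_app_auth"  # assumed key name (not shown on this page)
ROLE_KEY = "role"                 # assumed key name (not shown on this page)
HYBRID_ROLES = {"control_plane", "data_plane"}  # assumed hybrid-mode role values
VALID_STRATEGIES = {"kong-oauth2", "external-oauth2"}  # options listed on the page


def parse_conf(text):
    """Parse `key = value` lines, ignoring blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_strategy(text):
    """Return (strategy, role, findings) for one kong.conf body."""
    conf = parse_conf(text)
    # A commented-out or missing key falls back to the default, kong-oauth2.
    strategy = conf.get(STRATEGY_KEY, "kong-oauth2")
    role = conf.get(ROLE_KEY, "traditional")
    findings = []
    if strategy not in VALID_STRATEGIES:
        findings.append(f"unknown strategy {strategy!r}")
    elif strategy == "kong-oauth2" and role in HYBRID_ROLES:
        findings.append(
            "kong-oauth2 is not supported in hybrid mode; "
            "use external-oauth2 with the OpenID Connect plugin"
        )
    return strategy, role, findings


# Constructed sample configurations.
HYBRID_DEFAULT = "role = control_plane\n#portal_app_auth = kong-oauth2\n"
HYBRID_EXTERNAL = "role = data_plane\nportal_app_auth = external-oauth2  # external IdP\n"
CLASSIC = "portal_app_auth = kong-oauth2\n"

if __name__ == "__main__":
    for name, sample in [("hybrid, default strategy", HYBRID_DEFAULT),
                         ("hybrid, external IdP", HYBRID_EXTERNAL),
                         ("classic", CLASSIC)]:
        print(name, "->", check_strategy(sample))
```

The hybrid sample that leaves the strategy commented out is flagged, because the default still resolves to kong-oauth2.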