Dynamic Authorization and API Discovery for Kong

Discover the use of dynamic authorization and API discovery for Kong

In a nutshell

Kong or Kong API Gateway is a cloud-native, platform-agnostic, scalable API Gateway distinguished for its high performance and extensibility via plugins.

By providing functionality for proxying, routing, load balancing, health checking, authentication (and more), Kong serves as the central layer for orchestrating microservices or conventional API traffic with ease. By centralizing common API functionality across all your organization’s services, the Kong API Gateway creates more freedom for engineering teams to focus on the challenges that matter most.

The top Kong features include:

  • Advanced routing, load balancing, health checking
  • Configurable via an admin API or declarative configuration.
  • Authentication and Authorization for APIs using methods like JWT, basic auth, ACLs and more.
  • Proxy, SSL/TLS termination, and connectivity support for L4 or L7 traffic.
  • Plugins for enforcing traffic controls, request/response transformations, logging, monitoring, etc.
  • Sophisticated deployment models like Declarative Databaseless Deployment and Hybrid Deployment
  • Native ingress controller support for serving Kubernetes.

Key benefits

Below, you can find a list of key benefits that come with integrating ACP and Kong:

  • Dynamic externalized authorization for the service mesh,
  • Microservice level API discovery,
  • Unified authorization for microservices in the mesh and beyond,
  • Authorization server integration.

Kong and externalized authorization

Kong’s plugin architecture, and support for open authentication standards like OAuth 2.0 and OpenID Connect, provides the basis for dynamic, contextual authorization of the APIs that are accessed via the Kong Gateway.

Cloudentity is focused on authorization for APIs. It provides a specialized Kong plugin that allows (ACP) to act as an externalized authorization engine for distributed applications.

Authorization and microservices API

An effective authorization policy that controls resource access is usually distributed between an authorization server and a resource server. In a distributed application system, resource servers are composed of microservices that expose certain APIs for external consumption. ACP provides comprehensive and easy to govern authorization for APIs. Policies at the authorization server level are managed centrally.

ACP needs to know about all APIs to assign authorization policies to each one of them, and to provide visibility and governance. ACP’s Kong integration enables it to discover APIs by querying the Kong Gateway’s Admin API. ACP regularly refreshes its API schema, in order to stay in sync with Kong’s dynamic configuration. By doing that, ACP provides a tool for DevSecOps engineers that lets them effectively manage and govern authorization that spans across hybrid and multi-cloud systems.

ACP provides authorization for APIs, maintaining a unified developer experience in heterogeneous systems. Kong is just one of the API gateways that ACP integrates with out of the box.

Bringing dynamic authorization to Kong

ACP-Kong integration brings advanced authorization capabilities offered by ACP to the distributed applications that are protected by the Kong API Gateway.

The most notable capabilities are the following:

  • Distributed authorization with centralized management,
  • ABAC, RBAC, Fine-grained authorization,
  • Authorization policy governance,
  • API authorization unification across diversified environments,
  • WYSIWYG policy editor with ready to use building blocks, policy versioning, REGO based policies,
  • Policy decisioning context (for example, user, security feed, request, threat analytics),
  • Policy callouts to external APIs.

ACP policies

Unified authorization for microservices in the mesh and beyond

ACP is comprehensively focused on APIs authorization irrespective of what type of service exposes them and how it is deployed. Integration with Kong does not impact availability of other integration patterns with microservices and services that are not protected by Kong.

APIs of services that are not accessed via the Kong API Gateway, can be protected by other enforcement points. Services may also make calls to the ACP’s policy decision point APIs directly themselves. It can be managed using a single ACP workspace or distributed among multiple workspaces and tenants if needed.

Authorization server and Kong

ACP provides comprehensive authorization for APIs. Each workspace contains an authorization server instance. Each workspace has a collection of authorization polices and APIs exposed through the gateways that the workspace is connected to. Authorization policies can be assigned and enforced at the authorization server level and/or endpoint level. The solution implementer decides whether Cloudentity is used for the first, the latter, or both.

When ACP is integrated with Kong, it primarily does externalized policy decisioning at the endpoint level, but it also covers authorization and authentication use cases related to the consumption of externally exposed APIs.

To do that, ACP is integrated as an authorization server/OpenID Connect Provider that mints tokens utilized by Kong’s OpenID Connect Plugin. An authorization server instance is associated with each ACP workspace, and comes with rich authorization capabilities and attribute mapping capabilities. It gives freedom in shaping subject attributes delivered to externally facing APIs.

Application of both integration patterns in conjunction is recommended to get the most value out of ACP in terms of access control and authorization governance. It is because, in such a setup, ACP allows to manage effective API authorization centrally and enforce it in a distributed fashion. Such API authorization includes also “pre-authorization” happening at the authorization server level that may encompass user consent, transaction authorization, ABAC, RBAC, and others.

GitOps

ACP, when integrated with Kong, brings GitOps approach microservice mesh authorization making it an ideal tool for DevSecOpses. Authorization policies are stored in Git repositories, and when a policy is changed, ACP pulls the changes from the Git repository. This practice makes policies easy to version and use in DevSecOps pipelines. At the same time, policies are easy to audit and design using a visual editor.