Kong Enterprise provides many out-of-the-box plugins to support various access control solutions like basic authentication, key authentication, JWT, LDAP, OAuth 2.0, OpenID Connect, among others. Most of the time, you should be able to find a plugin to suit your needs to protect your private or public APIs using Kong Enterprise without the need of writing your own plugins. However, there could be situations where you have non-standard or custom security requirements to your environment and business.
Let's assume a customer has built an in-house authentication and authorization service which has been used extensively by other applications. It's able to issue and validate a JWT token, perform fine-grained access control based on user rights and determine if the authenticated user has proper permissions to access API and data. The service has exposed APIs for integration purposes. Rather than build custom code in each microservice to integrate with the custom security service, let's leverage Kong to centralize the integration and allow each microservice to focus on the business logic.
To integrate Kong with the custom identity provider to secure and govern API access, we can develop a custom Kong plugin. This is a sound approach, which will not only simplify your microservices but also help to transition to an OpenID-compliant provider down the line by abstracting the application clients from the security service using Kong.
The diagram below shows a high-level overview of the solution. The custom authentication service exposes API endpoints to validate the JWT token, check user permissions, etc. The Kong custom plugin will first invoke the authentication service API to validate the JWT token from the request header. If the token is valid, the plugin will do a second check to see if the authenticated user has necessary permissions to access the upstream API and related data.
In this example, the custom authentication service has exposed the following API endpoints for integration:
One of Kong's biggest benefits is the ability to extend the platform. Any custom logic can be added during the lifecycle of a request or response as it is proxied through Kong. For this scenario, let's implement a custom plugin named "custom-auth." If you're new to Kong custom plugins, they are fairly straightforward to implement. A plugin requires minimally two files: schema.lua and handler.lua. You may optionally implement business logic in other Lua files, which can be loaded by handler.lua to make your code more modular and manageable. For the "custom-auth" plugin, let's create the following structure.
Below are further code details and explanations for each.
Schema.lua:
In this case, we have defined three parameters to configure, including token introspection endpoint, permission checking endpoint and header name from where to get the JWT token. All three parameters are mandatory in this case (required = true). We have also added the logic to validate if the endpoints are entered in proper URL format.
handler.lua:
This file contains the actual logic to perform token introspection and permission check by interacting with the custom authentication service. The main function that will be executed first is access(conf). It will check if there is an Authorization token in the HTTP request header. If not, it will return an error; otherwise, it will continue to invoke the next function, introspect_access_token(conf, access_token, customer_id), where the authentication and authorization endpoints of the custom auth service will be executed in sequence to determine if the user has valid access token and correct access permission to view the customer's details.
Let's now try to deploy the custom plugin to Kong Enterprise and test it. First, we will create a folder named "custom-auth" under the directory /usr/local/share/lua/5.1/kong/plugins. You can find other out-of-the-box plugins here, which serve as good reference implementations. Sometimes you may find it convenient to replicate one of the plugins and modify its behavior when necessary. The directory structure looks like the following:
Next, we will configure Kong Enterprise to load this plugin by setting the following property in /etc/kong/kong.conf file and then restart the Kong instance.
If you are running Kong Enterprise in a container environment, you can package the plugin and rebuild the docker image, and then configure the plugins setting via KONG_PLUGINS environment variable.
Now, you should be able to find the custom plugin at the bottom of the plugins page. You can enable this plugin on the service or route that you are trying to protect from unauthorized access.
Below are sample test results to verify this plugin is working properly.
2. Query returns 401 unauthorized error if the token is not valid, which means the authentication check failed.
3. The query returns 401 unauthorized error if the user doesn't have access.
Kong's platform can be easily extended and integrated with custom, external systems by implementing custom plugins. This allows Kong to easily integrate with any existing systems to address current requirements as well as address future custom requirements that may arise. This benefit is one of the main reasons customers choose Kong. In this write up, we covered how Kong Enterprise can be integrated with a third-party access control system, but it's quite straightforward to integrate with any external system or have Kong perform any logic as part of the request/response lifecycle. I hope you have enjoyed reading this blog post. If you have any interesting ideas and use cases, we welcome your feedback.
On December 23, 2024, the security research team at CloudSEK completed a year-long investigation of the cloud-based API testing tool Postman. CloudSEK’s findings revealed that more than 30,000 publicly accessible Postman workspaces had been leakin
In this blog post, we'll talk about the significant challenge of managing and governing a growing number of APIs across multiple teams in an organization — and how Control Plane Groups are a clear solution to avoid the chaos of inconsistent policies
While many organizations mistakenly believe a single tool can solve all their API security woes, the truth is far more complex. This blog post will dismantle the myth of the "silver bullet" and demonstrate how a comprehensive, defense-in-depth strat
Meet Emily. She’s an API product manager at ACME, Inc., an ecommerce company that runs on dozens of APIs. One morning, her team lead asks a simple question: “Who’s our top API consumer, and which of your APIs are causing the most issues right now?”
The healthcare industry is buzzing about FHIR (Fast Healthcare Interoperability Resources). Pronounced “fire,” this widely adopted data standard has been revolutionizing how healthcare information is exchanged. But building a truly modern, secure, a
Behind every smooth user experience is a maze of APIs quietly handling requests, responses, and data flows. This makes APIs critical connectors that enable applications to communicate and share data seamlessly. When these vital conduits fail, the
As enterprises increasingly embed AI and Large Language Models (LLMs) into their digital experiences, enforcing robust AI guardrails becomes paramount to safeguard users, protect data, manage operational costs, and comply with regulatory and ethical