Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

Oauth 2.0 #1084

Closed Forest1602 closed 8 years ago

Forest1602 commented 8 years ago

I have an external Authorization Server which registers clients and generates tokens. How can I merge the Authorization Server with Kong? Because I need to save clients and generate tokens on the external Authorization Server but manage access to my APIs at Kong.

A common use case is where I have an existing OAuth system in place, and I would like to use the tokens generated by that system with Kong. Something like this

subnetmarco commented 8 years ago

@Forest1602 this is currently not possible. Either you use OAuth 2.0 fully on Kong (and migrate your existing users/applications/tokens to Kong as well), or you just don't add any authentication on Kong, and let your system block the unauthorized requests (but in this scenario Kong will never know who the consumer is).

3dbrows commented 8 years ago

+1 on feature request for this (ability to delegate OAuth2 token storage to an external data store). Would massively help integrate Kong with existing systems.

subnetmarco commented 8 years ago

@dag24 may I ask why migrating the existing users/application/tokens to Kong using Kong's API is not an option? Is it just the extra work, or are there other specific reasons?

3dbrows commented 8 years ago

I am in a situation where I am integrating Kong in a large existing codebase, in a company with several hundred engineers. Our existing OAuth2 store has thousands of user credentials, which could technically be imported into Kong, but three issues come to mind. One, the mere practicality of gaining access to the authentication store to extract secret tokens (not always trivial in enterprise scenarios; my team does not own this store). Two, syncing Kong and the existing "master" data store: perhaps a cron job could overcome this. Third, legalities: our existing setup has been given the seal of approval by our legal and security teams, and I am concerned about data protection issues (British, EU law) with regard to making copies of what could be regarded as personally identifying information of users. For these reasons, the ability to tell Kong "go here for your OAuth2 negotiation" sounds useful to me.

On 26 Mar 2016, at 02:33, Marco Palladino notifications@github.com wrote:

@dag24 may I ask why migrating the existing users/application/tokens to Kong using Kong's API is not an option? Is it just the extra work, or are there other specific reasons?


konobi commented 8 years ago

This could be done on PostgreSQL as an FDW.

thibaultcha commented 8 years ago

Considering this question answered so far.

sonicaghi commented 8 years ago

Related to: https://github.com/Mashape/kong/issues/1441