Enabling OAuth 2.0 On Kong With SSL Termination on Load Balancer
Kong is a widely used open source, scalable, customizable API Gateway/Middleware and is one of the most popular tools in the market because of its rich functionality and a wide range of open source supported plugins. Those who are new to Kong can go through the Kong’s documentation.
Use Case: This blog is all about enabling OAuth 2.0 in Kong when you are terminating the SSL on the load balancer. I am using AWS Elastic Load Balancer for the demonstration.
Note: I am using this dashboard for accessing kong admin.
As we all DevOps developers know, enabling OAuth 2.0 is a security measure for the applications and requires TLS for the communication. According to Kong’s documentation, OAuth 2.0 plugin requires the APIs (which needs to be secured with OAuth 2.0) to have a trusted and valid SSL certificate.
There might be cases where you don’t want to configure SSL on Kong node. For eg. in my case, I am using free trusted SSL certificate provided by Amazon Certificate Manager which you can only use on ELB and Cloudfront.
X-Forwarded-Proto Support in Kong: When you terminate the SSL on ELB, it adds an additional header named X-Forwarded-Proto to the request which is set to HTTPS and Kong uses this header to detect whether the original request was a valid https request or not. So with this support in Kong, you can enable OAuth 2.0 in Kong without adding your SSL certificate files to the Kong.
Required Listeners for the ELB Configuration:
For this setup, the elastic load balancer should listen to incoming traffic on the port 443 SSL/HTTPS which must be passed to 8443 SSL/HTTPS (reserved SSL port) of Kong.
Steps for adding OAuth 2.0 Plugin in Kong while terminating SSL on the ELB.
1) Adding an API
In this demonstration, I am enabling OAuth on petstore API which is freely available on the internet. I am using the above mentioned Kong plugin to perform all the admin operations. You can add a test API as shown in the picture below.
2) Accessing the added API without OAuth 2.0.
3) Adding a consumer to enable OAuth credentials.
4) Adding OAuth 2.0 plugin to the API.
5) Accessing API without generating token.
6) Generating access token with the help of valid consumer credentials.
7) Accessing the API using valid access token after passing it in request headers.
By following the above steps, you can use OAuth 2.0 on Kong with SSL termination on ELB. In my next blog, I’ll be writing more about Kong plugins.