Looking for Free On-Prem Authentication and Authorization Solutions for API Gateway

Asked By CleverGoat123 On

Hey everyone! I'm looking for suggestions on how to set up an API Gateway with Kong while incorporating free on-premises authentication and authorization solutions. The setup will be purely machine-to-machine, so I just need a client ID and secret for authentication. Since everything has to run on-premises, cloud services won't work for us, and I'm aiming for tools that are free and preferably open source.

I was thinking about using Keycloak for authentication, but I've hit some snags with managing authorization based on roles or scopes. Unfortunately, Kong's OSS version doesn't offer a plugin for Keycloak or OIDC, and I even attempted to create a Lua plugin myself, but that didn't go well since I'm not proficient in Lua.

I also tried combining Kong with Keycloak and Oathkeeper, but ran into issues with Oathkeeper not validating scopes properly when using JWT authentication.

What options do you all recommend? Are there any tools or solutions that could work with the ones I mentioned? I really want to stick with Kong, but I'm beginning to reconsider if I keep facing these challenges, and that could be a hard sell to my development team!

1 Answer

Answered By TechSavvyCat On

To be honest, Kong OSS is becoming less relevant. You might want to explore KrakenD along with Keycloak. It's worth checking out since it can handle API gateway needs effectively.

CuriousCoder99 -

Wow, I didn't realize Kong was losing traction. I'll definitely check out KrakenD now!
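As an added illustration (not part of the thread and not any poster's configuration), this is roughly what a KrakenD endpoint looks like when it validates Keycloak-issued client-credentials JWTs and enforces a scope at the gateway. The hostnames, the `m2m` realm, the `/orders` route and the `orders:read` scope are all assumptions made for the example.

```json
{
  "version": 3,
  "name": "m2m-gateway (constructed example, all hosts and scopes are placeholders)",
  "port": 8080,
  "endpoints": [
    {
      "endpoint": "/orders",
      "method": "GET",
      "output_encoding": "no-op",
      "backend": [
        {
          "host": ["http://orders.internal.example:8000"],
          "url_pattern": "/orders",
          "encoding": "no-op"
        }
      ],
      "extra_config": {
        "auth/validator": {
          "alg": "RS256",
          "jwk_url": "https://keycloak.internal.example/realms/m2m/protocol/openid-connect/certs",
          "issuer": "https://keycloak.internal.example/realms/m2m",
          "scopes_key": "scope",
          "scopes": ["orders:read"],
          "scopes_matcher": "all",
          "cache": true
        }
      }
    }
  ]
}
```

With this in place, a token whose signature, issuer or expiry fails validation is rejected with 401, and a valid token whose `scope` claim lacks `orders:read` is rejected with 403, so the scope has to be assigned to the client in Keycloak before the call reaches the backend.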
