Corsha Releases Kong Gateway Plugin bringing MFA to Non-Human Identities

Kong Gateway is the world’s most adopted open source API gateway. In the realm of security, Kong Gateway offers a comprehensive suite of features such as authorization, authentication, and request validation. Kong’s flexibility extends to custom security plugins, enabling organizations to inject logic at several entry points in the lifecycle of a request/response proxied through Kong. Kong is based on Nginx and the lua-nginx-module (specifically OpenResty), allowing Kong to easily load and execute custom modules.

In addition to Lua modules, Kong offers Plugin Development Kits (PDKs) for a variety of languages including Go. Corsha has engineered a Kong custom plugin to seamlessly integrate with Corsha’s Identity Provider (IdP) for Machines using the Go PDK. With this plugin, Kong Administrators can specify any or all API services to require Corsha MFA credentials. Corsha chose to use the Go PDK for ease of integration with Go library code that already existed in our Corsha repositories. 

This integration offers some key benefits:

  1. Automated and Continuous Protection: By seamlessly incorporating Corsha's MFA credentials into Kong Gateway, organizations fortify their APIs against a variety of threats, including adversary-in-the-middle attacks, API credential stuffing, and machine spoofing. This automated defense mechanism ensures round-the-clock security vigilance.

  2. Simplified Integration: The plugin streamlines integration within existing Kong environments, alleviating the burden on DevSecOps teams. Its intuitive setup and configuration process allow for swift deployment, enabling organizations to enhance their API security without introducing unnecessary complexity or interrupting daily operations.

  3. Added Observability: The Kong API Manager enhances observability and insight regarding API traffic. Through its advanced monitoring capabilities, Kong provides real-time visibility into API interactions, enabling organizations to track traffic patterns, detect anomalies, and troubleshoot issues proactively. 

Using the Corsha plugin is as simple as mounting the binary into your Kong container and adding a few environment variables in Docker/Helm, assuming the Corsha platform is already deployed.

[Figure: Kong integration diagram]

In the diagram provided, a client sends an HTTPS request to the Kong Gateway. The client runs alongside a Corsha Authenticator, which is responsible for including the Corsha credential in the request header. Within the Kong container, the Corsha custom plugin is set up to communicate with the Corsha Distributed Ledger Network (DLN), verifying the credential before allowing Kong to forward the request to the upstream services.

The addition of the Corsha custom plugin enforces one-time-use machine authentication that can be configured and managed in our Corsha console. Kong centralizes your API traffic, and Corsha ensures that the traffic is secure.
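The request flow described above, sketched as an added example (not Corsha's plugin code and not part of the original post): a gate in front of an upstream verifies a one-time-use credential from a request header and fails closed, so a replayed credential never reaches the backend. It uses Go's standard net/http rather than the Kong Go PDK, and the header name, the in-memory set standing in for the remote verification, and the sample credentials are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Hypothetical header name; the page does not say which header carries the credential.
const credentialHeader = "X-Example-Machine-Credential"

// upstream is a constructed backend; it answers 200 whenever a request reaches it.
var upstream = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })

// NewGate returns a handler that fails closed: upstream only sees requests whose
// credential verified. The in-memory set is a constructed stand-in for the
// remote verifier; each issued credential is accepted exactly once.
func NewGate(issued ...string) http.Handler {
	unused := &sync.Map{}
	for _, c := range issued {
		unused.Store(c, struct{}{})
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cred := r.Header.Get(credentialHeader)
		// LoadAndDelete is atomic, so two concurrent requests with one credential cannot both pass.
		if _, ok := unused.LoadAndDelete(cred); cred == "" || !ok {
			http.Error(w, "credential missing, unknown or already used", http.StatusUnauthorized)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

// Send pushes one request through the gate and returns the HTTP status code.
func Send(gate http.Handler, cred string) int {
	req := httptest.NewRequest(http.MethodGet, "/orders", nil)
	req.Header.Set(credentialHeader, cred)
	rec := httptest.NewRecorder()
	gate.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	gate := NewGate("cred-A")
	// First use, replay of the same value, then no credential at all.
	fmt.Println(Send(gate, "cred-A"), Send(gate, "cred-A"), Send(gate, ""))
}
```

Consuming the credential in the same atomic step that checks it is what makes the replay case fail even under concurrent requests.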

Tips and Tricks:

  • Kong can be deployed with a Manager. When enabled, services, routes, and plugins can all be configured via the Manager UI. The Manager can be a huge help in debugging and observability.
  • Kong offers a marketplace full of Kong and third-party plugins. Before creating your own plugin, be sure to check the hub for an existing plugin. https://docs.konghq.com/hub/ 
  • Kong is highly configurable and can be deployed in many modes. For example, DB-less mode stores the Kong configuration in a YAML file, while traditional mode makes use of a Postgres or Cassandra database. Be sure to configure your Kong deployment to best fit your use case.

To find out more, visit Corsha docs: https://docs.corsha.com/integrations/kong-gateway/


About Kalynn Rhew

Kalynn Rhew is a software engineer at Corsha, where she plays a pivotal role in customer projects and research and development for integration environments. She also significantly contributes to the enhancement of automated testing processes.

About Corsha 

Corsha is an Identity Provider for Machines that allows an enterprise to securely connect, move data, and automate with confidence from anywhere to anywhere. Corsha builds dynamic identities for trusted machines and brings innovation like automated, one-time-use MFA credentials to APIs. 

Corsha’s mission is to secure data in motion and bring zero trust to machines, systems, and services. Today DevSecOps and security teams often are forced to compromise by using static, long-lived API keys, tokens, and certificates as weak proxies for machine identity and access.  Corsha helps teams move past static secrets and generates dynamic identities for trusted machines, bringing innovation like automated, one-time-use MFA credentials, scheduled access, and deep discovery to APIs. The Identity Provider also offers visibility and control over automated API traffic and enables real-time revocation and rotation of identity without disrupting other workloads. 

Whether it is across hybrid cloud infrastructure, data centers, or even manufacturing shop floors, Corsha reimagines machine identity to keep pace with the scale of data and automation needed today. We ensure automated communication from anywhere to anywhere is pinned to only trusted microservices, workloads, servers, controllers, and more. The use of API keys, tokens, and certificates for authentication is a weak proxy for machine identity today, proving to be costly, risky, and incomplete. Corsha’s Identity Platform helps an organization move past these outdated secrets management approaches and unlock secure connectivity and data movement at scale.
