Custom authorization in Kong

[reetik-raj]

We wanted to move our company's custom authorisation to Kong. Currently we have an internal table which maps URLs to scopes and using the request URL and consumer details we are able to authorise the request. We want to move all this to Kong.

We need to maintain a table on Kong level which has the different scopes associated with the different URLs. Calling another service to get the scope is also one solution for this. Any suggestions or recommended methods for this?

[kikito]

Good morning, you should be able to accomplish what you need by creating a Custom Plugin.

The Custom Plugin Development Guide is here:

https://docs.konghq.com/gateway-oss/2.4.x/plugin-development/

Plugins can have migrations (on db mode) and custom entities (both on db and db-less modes) which could be used to map your scopes and how they map to each consumer.

Since you are doing an auth plugin, it will probably be a good idea to give a look at the Basic Auth Plugin source code, or even use it as a base for your own plugin.

[reetik-raj]

Hey, @kikito, thanks for your reply. I went through the plugin development guide and read all about custom plugins and how they work. I have a few more doubts -
I need to map scopes required with URLs. So I will need to regex match the request URLs in my custom plugin and then compare that regex with the mapping values stored in the plugin custom entity. Then I will call my authorization service with scope, consumer details to authorize.
Is it a good practice to do this in Kong, or should we develop a service ourselves which we call from Kong passing the URL and the service, in turn, does the whole regex matching, scope determination as well as authorization returning with just one detail - whether the request is authorized or not. What do you recommend?
Also, if we do this in Kong, I am not very clear on how to populate the custom entity table with all the mapping data of URLs and scopes.
I look forward to your answer.

[kikito]

It is difficult for me to understand what you are trying to accomplish, exactly, because "Scope" can mean a lot of different things; since this is an authorization-related discussion, I assume they mean some sort of "permission group", like "Payroll" or "Sales".

I need to map scopes required with URLs

It sounds like you are trying to do something like this:

services:
- name: my-service
  routes:
  - paths: ["/foo"]
  - paths: ["/bar"]
  - paths: ["/baz"]
  plugins:
  - name: my-custom-auth-plugin 

So you have one instance of your plugin associated to one Service, and then inside your custom plugin you are trying to do something like this, only with more regexes involved:

local path = kong.request.get_path()
if path == "/foo" then
  scope = "sales"
elseif path == "/bar" then
  scope = "payroll"
...

Kong already has a way to "map" request urls to regexes on its router (the paths attribute admits regexes). So instead of a single plugin associated with the Service, have several plugins, one per Route, and put the as a config variable. Then let the Router pass the appropriate scope to the plugin when it matches a route:

services:
- name: my-service
  routes:
  - paths: ["/foo"]
    plugins:
    - name: my-custom-auth-plugin
      config:
        scope: "sales"
  - paths: ["/bar"]
    plugins:
    - name: my-custom-auth-plugin
      config:
        scope: "payroll"
  - paths: ["/baz"]
    plugins:
    - name: my-custom-auth-plugin
     config:
        scope: "admins"

And then inside your plugin you will only need to do:

config.scope

To get the scope.

It's possible that I have misunderstood your needs, please provide more context if that's the case.

[reetik-raj]

Hey @kikito, you understood our problem quite well and thanks for your idea. I implemented this, and this worked out well. But I have a concern with this method -
We have almost 2000 different API endpoints with different scopes required in each of them. Also, this number might increase a lot in the future. With your method, I will have to define specific regex routes (paths) for all of them and enable instances of my custom plugin on each of those routes. Can this cause any problem (DB overload or any other such problem which I can't think of). Also, if yes, then is there any way of achieving all this in a single instance of the custom plugin?

[reetik-raj]

Hey @kikito, any updates on this? Looking forward to hearing back from you.
Thanks for your replies.

[kikito]

Apologies, I didn't notice this earlier since it was marked as "replied".

It is not that unusual for kong to have thousands of API endpoints - it is being used by some very large companies. The Router (thee part of Kong which maps Routes to Services) is written with performance in mind. The amount of memory these routes take won't be zero, but should be completely acceptable on a regular webserver.

Speed-wise, plain strings will always perform better than regexes, so I would try to use them when possible on routes. Remember that you can specify multiple paths on a single Route in order to save some memory. You can activate and watch the X-Kong-Proxy-Latency header to give you some rough idea about how kong is performing. Also remember that Kong can grow horizontally: if you add more CPUs to your host, you can add more workers to your kong node, or start more kong nodes.

Achieving all this with a single custom plugin is completely doable. You would just have to follow the first code I mentioned. The scope selection would be done via "ifs" on the access phase of the custom plugin. You might save some memory this way, but this would have its own issues. For example, it would mean that every time you need to add a new route you might need to also update the custom plugin (to tweak the ifs of the "sales" scope for example, or to add a new scope). That will require (at minimum) a kong restart so Kong can read this new plugin source code. And quite possibly a full redeploy, depending on your setup.