This document outlines a technical approach to implementing a developer portal on top of the Kong Admin API to support a multi-tenanted system. It is suited to a customer who needs efficient API management for multiple partners within a single Kong deployment and workspace.
Architectural Overview:
Our solution leverages Kong’s powerful features to design a reliable and secure system. The architecture comprises three main components:
1. Kong Gateway: Acts as the API gateway, controlling traffic flow, authentication, and rate limiting.
2. Kong Admin API: Provides an interface for interacting with Kong's configuration, allowing the creation, modification, and deletion of services, routes, consumers, and plugins.
3. Custom Developer Portal: A customized web application for partner developers to manage themselves and for customer administrators to manage the partners.
Hierarchical Role Management:
We will implement a three-tiered role-based access control system:
1. Kong Admin: Has full access to the system, including the creation and administration of Customer Admins.
2. Customer Admin: Controls Partner Developers and their API usage within their organization, including creating, editing and deleting Partner Developer accounts and managing API subscriptions.
3. Partner Developer: Uses the APIs provided by the customer. They can browse the available APIs, subscribe to them, and manage their API keys.
Authentication and Authorization:
Kong Admin API: Protected by Basic Authentication, with credentials used by the custom developer portal for all interactions.
Custom Developer Portal:
Login: Once a user logs in successfully, the portal stores session information (for example, a JWT) and uses it for its further communication with the Kong Admin API.
Customer Admin & Partner Developer Differentiation: After authentication, the portal determines the user’s role and displays the interface and features based on the role.
API Loopback Configuration:
To enable the developer portal to manage Kong's configuration, we use an API loopback mechanism:
1. Proxy the Kong Admin API: Expose the Kong Admin API through a separate proxy URL, so that the real Admin API endpoint stays concealed.
2. Define Services and Routes: Configure services and routes in Kong to handle the requests arriving at the proxy URL.
3. Apply Plugins:
CORS: Enable CORS on these routes to allow the developer portal (which runs on a different origin) to access the Kong Admin API.
Request Transformer: Modify requests to meet the data integrity and confidentiality requirements. This could include adding headers, changing paths or even modifying the body of the request.
Implementation Details:
1. User Onboarding and Role Assignment:
- Kong Admin: Sets up Customer Admin accounts in Kong Manager and provides the initial login credentials.
- Customer Admin: Self-enrolls on the developer portal using the credentials shared by the Kong Admin and manages Partner Developer accounts through the portal.
- Partner Developer: Self-enrolls on the developer portal, as authorized by the Customer Admin.
2. Custom Developer Portal Development:
Use an appropriate frontend framework (for example, React, Angular, Vue.js) to customize the built-in developer portal.
Key functionalities include:
- User Authentication: Secure login, logout, and session management.
- Role-Based Views: Different views and actions depending on the role of the user (Kong Admin, Customer Admin, Partner Developer).
3. API Management:
- Customer Admin: To view, modify, and control the API access for their Partner Developers.
- Partner Developer: View and search through lists of available APIs, subscribe to APIs, access documentation, and manage API keys.
- Kong Admin API Integration: The integration lets partner developers be managed from the custom portal itself, instead of exposing the admin application externally.
API Loopback Configuration:
1. Configure Proxy: Configure a reverse proxy (for example, Nginx) to forward requests to the Kong Admin API through a specific endpoint.
2. Create Kong Service: Create a Kong service that corresponds to the Admin API to be proxied.
3. Create Kong Route: Create a route that directs any request made to the proxy URL to the Kong Admin API service.
4. Apply Plugins:
- Add the CORS plugin to the route and set the allowed origins, headers, and methods.
- Configure the Request Transformer plugin to adjust requests for security and standardization purposes.
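As an added example (not from the original post), the following decK declarative configuration wires up the loopback described in steps 2 to 4 above and in the earlier API Loopback Configuration section: a service that points at the Admin API, a route that exposes only the consumers subtree the portal needs, Basic Authentication on the loopback route, CORS limited to the portal origin, and a Request Transformer that injects the Admin API credential server-side so it never reaches the browser. The admin listen address, portal origin, consumer name and credential values are placeholders, and the Kong-Admin-Token header assumes Kong Enterprise RBAC.

```yaml
_format_version: "3.0"

# Loopback service: Kong proxies a narrow slice of its own Admin API.
# Scoping the upstream path to /consumers limits what the portal can reach
# (consumers and their credentials) instead of exposing the whole Admin API.
services:
  - name: admin-api-loopback
    url: http://127.0.0.1:8001/consumers      # placeholder admin listen address
    routes:
      - name: portal-consumers
        paths:
          - /admin-api/consumers               # public proxy path; real endpoint stays hidden
        strip_path: true                       # /admin-api/consumers/x -> /consumers/x upstream
        methods: [GET, POST, PATCH, DELETE]
        plugins:
          # The portal authenticates to the loopback with Basic Authentication.
          - name: basic-auth
            config:
              hide_credentials: true           # portal credentials are not forwarded upstream
          # Only the portal origin may call the loopback from a browser.
          - name: cors
            config:
              origins:
                - https://portal.example.com   # placeholder portal origin
              methods: [GET, POST, PATCH, DELETE, OPTIONS]
              headers: [Authorization, Content-Type]
              credentials: true
              max_age: 3600
          # Inject the Admin API credential on the server side so it never
          # reaches the browser. Kong-Admin-Token assumes Kong Enterprise RBAC.
          - name: request-transformer
            config:
              add:
                headers:
                  - "Kong-Admin-Token:<admin-rbac-token-placeholder>"

# Consumer representing the portal backend that calls the loopback route.
consumers:
  - username: developer-portal               # placeholder consumer name
    basic_auth_credentials:
      - username: developer-portal
        password: "<portal-password-placeholder>"   # Kong stores only a hash
```

Because basic-auth runs before request-transformer in the access phase and hides the portal's Authorization header, the only credential that reaches the Admin API is the one injected by the transformer.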
Advantages of this Solution:
1. Centralized Management: A single Kong deployment and workspace ease management and offer a holistic view of all partners and APIs.
2. Enhanced Security: Hierarchical roles, Basic Authentication for the Admin API, and proxying the Admin API together improve security.
3. Improved Developer Experience: The custom developer portal provides a simple way for developers to discover, consume, and manage APIs.
4. Scalability and Flexibility: The solution is easy to extend to support more partners and APIs as the system grows.
This approach offers a clear and secure plan for integrating a developer portal with the Kong Admin API.
By following security best practices and utilizing Kong’s capabilities, this solution provides a scalable and user-friendly platform for API and partner management.
For more information: https://zelarsoft.com/