A dockerized demo environment with an API that is proxied by Kong Gateway. Kong acts as the enforcement point: it enforces coarse-grained authorization through the Kong Phantom Token Plugin and fine-grained authorization through the Kong OPA Plugin.
The environment is documented and described in the API Authorization using Open Policy Agent article on the Curity website.
- Pull down the git repo

  ```
  git clone https://github.com/curityio/curity-kong-opa-demo
  ```

- Build the environment

  ```
  docker compose build
  ```

- Start the environment

  ```
  docker compose up
  ```

- When the environment has started, go to https://localhost:6749/admin and log in with user `admin` and the password defined in `docker-compose.yml`. Go through the basic wizard and make sure to enable SSL (Use Existing SSL Key and select `default-admin-ssl-key` works, or choose your own). Upload a valid license and then upload the example policy, `curity/curity-opa-kong-config.xml`. This policy can be merged, but it requires the wizard to be completed and committed first.
- With the system configured, a client can be used to obtain a token using the `www` client. Make sure to request the `openid` and `records` scopes. There are no users pre-populated in the environment, so create a user as part of the authentication process. The default OPA policy checks that `user == owner`, so authorization will fail if there is a mismatch. The owners (patients) of the records are detailed in `api/server/records.json`. Either create a user that matches or make changes to `records.json`.
- Use the Access Token and perform a GET request to the API exposed by Kong.
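To make the `user == owner` decision concrete, here is an added Python illustration (not code from this repo, and not the Rego policy it ships) of the check the OPA plugin performs once the Phantom Token Plugin has swapped the opaque token for a JWT. The record shape and the `/records/{id}` path are assumptions; the real `records.json` and policy may differ.

```python
import base64
import json
import re

# Constructed sample data standing in for api/server/records.json (assumed shape: id -> owner).
RECORDS = {
    "1": {"owner": "alice", "notes": "annual check-up"},
    "2": {"owner": "bob", "notes": "x-ray results"},
}


def decode_claims(jwt: str) -> dict:
    """Read the payload of a JWT without verifying it.

    In the demo the gateway's phantom-token step has already introspected the
    opaque token and handed OPA a JWT it trusts, so the policy only needs to
    read claims. This helper must never be used as a signature check."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(method: str, path: str, jwt: str, records=RECORDS) -> dict:
    """Mimic the policy decision for GET /records/{id}: require the
    'records' scope, then allow only when the token subject owns the record."""
    claims = decode_claims(jwt)
    if "records" not in claims.get("scope", "").split():
        return {"allow": False, "reason": "missing records scope"}
    match = re.fullmatch(r"/records/([^/]+)", path)
    if method != "GET" or match is None:
        return {"allow": False, "reason": "unsupported request"}
    record = records.get(match.group(1))
    if record is None:
        return {"allow": False, "reason": "unknown record"}
    if claims.get("sub") != record["owner"]:
        return {"allow": False, "reason": "user is not the owner"}
    return {"allow": True, "reason": "user == owner"}


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (empty signature) purely so the
    decision logic above can be exercised offline; not a real token."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}."
```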
Please visit curity.io for more information about the Curity Identity Server.