From YouTube: Secure & Govern APIs & Services | Kong Summit 2020 Demo
Description
As the number of services and API teams grows, control by a central IT team is declining. Rather than enforcing governance, it is better to empower the application teams to do the right thing and build security, governance and compliance into their applications. See how you can do this with Kong by encoding governance into on-boarding, and by providing the dev teams with the ability to inject compliance through fine-grained security policies. Here, we'll demo mTLS & OIDC plugins, RBAC, and Workspaces as ways to efficiently solve security and governance challenges using Kong Enterprise.
Transcript

Now, when I send this request, you're going to see that I get a message saying "No required TLS certificate was sent." This is because, in my REST client configuration, I actually have not sent my certificate and key. Let me go ahead and check this box so the certificate is sent, and now, when I send this request, Kong is going to validate the certificate, and you'll see that I get a 200 and Kong actually puts my attributes in as claims here.

If I go to the Kong administration console, I'm going to go to the mTLS auth route, and I'm going to go ahead and view that route, view the mTLS authentication plugin and edit the plugin. Now, in the plugin, you'll see that we have a CA certificate that's been loaded into Kong. This is how Kong knows to trust the CA that has signed the client certificate.

We've loaded it into this plugin. Kong can also map the client certificate's attributes to a Kong consumer, and if we want to identify and apply specific policy to that consumer, we can do that, for example rate limiting. The mTLS plugin also has a number of features to cache certificate validations, control how often revocation checking is done, and allow you to move this functionality to Kong instead of maintaining it in your service.

So what did we just show you? We just showed you how mTLS allows both the REST client and the RESTful service to mutually authenticate each other's identity. This means you don't have to build mTLS auth into your service code, and you can reuse this functionality following a common standard in your enterprise to speed up deployment. mTLS can also be configured using the Admin API, the declarative configuration and a Kubernetes manifest, allowing you to quickly configure Kong in your CI/CD pipeline.

For the next use case, I want to take a look at another very common method to secure APIs. This method uses OAuth 2.0 tokens and the OpenID Connect framework. OpenID Connect also allows you to secure access to your APIs using a modern framework, and you can offload identity validation to a central identity provider. So I'm going to show you how this works with a human user that tries to log in to an application that he doesn't have authorization to log into. Let's go ahead and get started.

Authenticate. Now, if I authenticate correctly, you'll see that Kong actually sends me to the upstream service with a bearer token, and you can see the claims from my actual user's token. Now, this user is allowed to log in because of a specific claim that exists in their token. Let's say I try to log in again, but with a different user that doesn't have authorization to access this application. Let me go ahead and close this incognito window and launch another incognito window, and I'm going to go to the same endpoint this time.

So what did we just show you with OpenID? Well, we showed you that the Kong OpenID plugin will allow you to govern your API access with a modern authentication and authorization control. The logic for this access control can be deployed wherever you have a lightweight Kong node deployed. Similar to mTLS, you don't have to build this functionality into your services, so you can secure the services much faster, and you can add fine-grained attribute-based authorization, which can be accomplished by a Kong node wherever it's deployed.

Now that you've seen how you can secure and govern APIs with mTLS and OpenID policies, you may want to empower your developers to deploy these policies themselves using role-based access and delegated administrative capabilities to configure Kong using code. Please check out the video on governing API management with role-based access control. Thank.
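The demo configures the mTLS and OpenID Connect plugins by clicking through the administration console, and then points out that the same policy can be expressed as declarative configuration for a CI/CD pipeline. The following decK-style `kong.yaml` is an added example of that declarative form, written for this page; it is not configuration from the video or from Kong's own documentation. The service name and URL, the route paths, the consumer username, the identity provider URL, the client id and secret, the group name, and the CA certificate id and PEM body are all placeholders or assumptions; the plugin names and the config keys shown are the ones the Kong Enterprise `mtls-auth` and `openid-connect` plugins expose, with the caching and revocation values chosen for illustration only.

```yaml
_format_version: "1.1"

# Constructed example: the CA that signed the client certificates.
# Both the id and the PEM body are placeholders, not values from the demo.
ca_certificates:
- id: 00000000-0000-0000-0000-000000000001
  cert: |
    -----BEGIN CERTIFICATE-----
    ...placeholder: paste the trusted CA certificate here...
    -----END CERTIFICATE-----

services:
- name: orders-api                      # assumed upstream service name
  url: https://orders.internal:8443     # assumed upstream address
  routes:
  # Route protected by mutual TLS, as in the first part of the demo.
  - name: mtls-auth
    paths:
    - /orders
    plugins:
    - name: mtls-auth
      config:
        # Kong trusts client certificates chaining to this CA entry.
        ca_certificates:
        - 00000000-0000-0000-0000-000000000001
        # Map the certificate's CN to a Kong consumer so per-consumer
        # policy (rate limiting below) can be applied.
        consumer_by:
        - username
        skip_consumer_lookup: false
        # Fail closed when revocation status cannot be determined.
        revocation_check_mode: STRICT
        # Illustrative cache settings for validation and revocation results;
        # tune these to how quickly a revoked certificate must be rejected.
        cache_ttl: 60
        cert_cache_ttl: 60000
  # Route protected by OpenID Connect, as in the second part of the demo.
  - name: oidc-portal
    paths:
    - /portal
    plugins:
    - name: openid-connect
      config:
        issuer: https://idp.example.com/.well-known/openid-configuration  # placeholder IdP
        client_id:
        - portal-client                 # placeholder
        client_secret:
        - "<client-secret-placeholder>"
        auth_methods:
        - authorization_code            # browser login for human users
        - bearer                        # API calls carrying a token
        - session
        scopes:
        - openid
        # Authorize only tokens carrying the required group claim; a user
        # without it is refused even though authentication succeeded.
        groups_claim:
        - groups
        groups_required:
        - orders-users                  # assumed group name

consumers:
# Username must equal the CN of the client certificate for the mapping above.
- username: client-app-01
  plugins:
  - name: rate-limiting
    config:
      minute: 100
      policy: local
```

Applying this file with `deck sync` (or the equivalent Admin API calls) reproduces both demo routes without touching the console, and the only secrets that reach the file are the client secret placeholder and the CA's public certificate, so it can be reviewed and versioned like any other code.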