
Kong does handle security in that layer: https://docs.konghq.com/0.14.x/auth/


I'm not sure Kong supports mTLS or cert pinning. https://github.com/Kong/kong/issues/2048

I don't think it's able to hash your secret tokens either - rather, it stores them in plaintext. https://github.com/Kong/kong/issues/1237

This kind of rules Kong out for any serious applications AFAIK - especially considering that an API gateway is supposed to be a security product.

Istio, Tyk, and Traefik support that out of the box.
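To make the plaintext-vs-hashed credential point above concrete, here is an added example (not Kong's code, and not from either commenter) that models two gateway key stores: one that keeps raw API keys and one that keeps only a SHA-256 digest, plus a salted scrypt hash for basic-auth passwords. The `dump_is_replayable` helper simulates a datastore leak and checks whether what leaked still works as a credential. Class and function names are mine, and the stores are in-memory stand-ins for a real datastore.

```python
import hashlib
import hmac
import os
import secrets

# Both stores are constructed for this example; neither is Kong's datastore.
# PlaintextKeyStore mirrors the concern raised above: a dump of the store
# yields credentials that authenticate as-is. HashedKeyStore keeps only a
# SHA-256 digest, which is enough for high-entropy API keys because there is
# nothing to brute-force; passwords need a slow, salted KDF (see below).


class PlaintextKeyStore:
    def __init__(self):
        self._records = {}  # raw api key -> consumer id

    def issue(self, consumer: str) -> str:
        key = secrets.token_urlsafe(32)
        self._records[key] = consumer
        return key

    def authenticate(self, presented: str):
        return self._records.get(presented)

    def dump(self) -> list:
        """What someone reading the datastore (or a backup) would see."""
        return list(self._records)


class HashedKeyStore:
    def __init__(self):
        self._records = {}  # sha256(api key) hex -> consumer id

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, consumer: str) -> str:
        key = secrets.token_urlsafe(32)
        self._records[self._digest(key)] = consumer
        return key  # shown to the consumer once; never stored

    def authenticate(self, presented: str):
        # Hash the presented key and look the digest up; the raw key never
        # needs to be at rest anywhere on the gateway side.
        return self._records.get(self._digest(presented))

    def dump(self) -> list:
        return list(self._records)


def dump_is_replayable(store) -> bool:
    """Simulate a datastore leak: does any dumped record authenticate as a credential?"""
    return any(store.authenticate(record) is not None for record in store.dump())


# Basic-auth passwords are low entropy, so a plain SHA-256 is not enough:
# salt them and use a memory-hard KDF (scrypt here, from the stdlib).
_SALT_LEN = 16


def hash_password(password: str, salt=None) -> bytes:
    salt = os.urandom(_SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt + digest  # salt is stored alongside the digest, not secret


def verify_password(password: str, record: bytes) -> bool:
    salt, stored = record[:_SALT_LEN], record[_SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    plain, hashed = PlaintextKeyStore(), HashedKeyStore()
    plain.issue("alice")
    hashed.issue("bob")
    print("plaintext store leak replayable:", dump_is_replayable(plain))
    print("hashed store leak replayable:", dump_is_replayable(hashed))
```

The difference shows up only at the moment the datastore is exposed: both stores authenticate legitimate keys identically, but a dump of the hashed store contains nothing that can be presented to the gateway.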


Marco, CTO of Kong here. Static mTLS has been supported for almost 3 years, while dynamic mTLS is being supported with Kong 1.0 (required for Service Mesh). Kong itself has been used in highly regulated industries, including financial, healthcare and governmental (including military branches) institutions.

When it comes to enforcing strong security, OpenID Connect or JWT authentication are almost always better options. Since Kong is built on top of NGINX, anything NGINX supports, Kong by extension also supports, plus Kong plugins.


Thanks for the response. Please correct me if I am wrong - I'm making a few deductions / assumptions based on previous research evaluating open source gateways.

mTLS & cert pinning: it looks like the GitHub issue is out of date? Could you send me a link to the docs for configuring Kong + mTLS please?

I am sure that Kong is deployed in highly regulated industries. Are they using the open source version of the product? Regardless of whether they are using paid or open source - are they using Kong for user/identity management, or a 3rd party service and hooking that in with OIDC?

OIDC/JWT: yes, I agree that these options are typically better, but that means I need a 3rd party IdP to issue tokens, rather than Kong handling user/token management? My understanding is that Kong does not issue JWTs, it simply validates the signature?

OIDC support, to my understanding, is only available in the Enterprise version rather than the CE version? So that means I need a community plugin if I want OIDC - and this community plugin will not be supported by Kong?

With JWT - I believe Kong simply validates the signature using the public key / shared secret. Are these secrets stored encrypted / securely within Kong?

If I simply wanted Kong to handle my user management, whether basic auth / API key, or I had a legacy system which still required support, then I would need to accept the fact that Kong will store credentials such as usernames / passwords in plaintext?
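The "Kong does not issue JWTs, it simply validates the signature" model in the comment above is worth seeing in code. The following is an added example, not Kong's JWT plugin and not from anyone in this thread: a stdlib-only HS256 verifier that does what a gateway does (look up the consumer's shared secret, recompute the HMAC, compare in constant time, check expiry), alongside a `mint_hs256` that stands in for the third-party IdP. The assumption that the `iss` claim selects the consumer's secret, the `SECRETS` table, and all function names are mine; the shared secrets in that table are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample credential table: consumer id -> shared HS256 secret.
# A real gateway keeps this in its datastore; the secret is itself a
# credential, which is exactly why "is it stored encrypted?" matters.
SECRETS = {
    "alice": b"constructed-shared-secret-for-alice",
    "bob": b"constructed-shared-secret-for-bob",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT. This is the IdP's job; the gateway only validates."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, secrets_by_consumer: dict, now=None):
    """Gateway-side check. Returns the claims on success, None on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        presented = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64url or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm to what this credential type means; the header is
    # attacker-controlled input and must never choose the verification method.
    if header.get("alg") != "HS256":
        return None
    # Assumption for this example: the 'iss' claim names the consumer whose
    # shared secret applies (a gateway would read this from its credential table).
    secret = secrets_by_consumer.get(claims.get("iss"))
    if secret is None:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    token = mint_hs256({"iss": "alice", "exp": int(time.time()) + 300}, SECRETS["alice"])
    print("valid token ->", verify_hs256(token, SECRETS))
    print("wrong secret ->", verify_hs256(mint_hs256({"iss": "alice", "exp": 2_000_000_000}, b"other"), SECRETS))
```

Note that the verifier never needs to issue anything; all it holds is the per-consumer shared secret (or, for RS256, the public key), and for the HMAC variant whoever can read that secret from the datastore can mint tokens the gateway will accept, which is the storage question the comment is asking.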


> Kong itself has been used in highly regulated industries,

Was it used in any application that actually was covered by any regulation enforcing authentication and authorization to the point that kong could directly determine if an implementation does or does not comply with the regulation?

Or was it simply used in highly regulated industries like car stickers are used in the highly regulated auto industry?


> Was it used in any application that actually was covered by any regulation enforcing authentication and authorization to the point that kong could directly determine if an implementation does or does not comply with the regulation?

Yes. Kong Enterprise running on the execution path of in-flight information across distributed and open systems must be audited in the context of enforced regulations, especially banking and healthcare. We do work regularly with our customers to make sure Kong is compliant within their specific use-case and make those audits successful.




