so we trying to build a new application and we are welling to adopt a microservices based architecture.
The problem is that the application will be exposed to our final end users via a web based GUI (web app) that consumes those services (microservices) , so we are trying to find 'is it worth it to implement a an API gateway such as Kong in front of our micro APIs or it will be better to consume those APIs directly by the web app" ?
Our second question is, “let’s say we decided to go with the first approach (with gateway) and we choosed to use kong as solution, would it be possible to implement a session based authentication with the available plugins?”, so basically the question is "how to implement sessions in kong authentications ?
For a webapp backed by micro services I would recommend looking into the OpenID connect flow. Users authenticate from the portal UI to an identity provider, then gateway recieves that token and validates and forwards relevant userInfo along to backend api providers for further validations on IF that user should have access.
Then check out this plugin for integrating it in open source Kong:
Kong also offers an Enterprise OpenID Connect plugin as well:
This is my answer for how to best implement “sessions” through Kong.