Add OAuth 2.0 Authentication plugin under a Consumer


I am running the following curl command to add the OAuth2 Authentication plugin under a service, and it works as expected:
curl -X POST http://localhost:8001/routes/my-oauth-route/plugins --data "name=oauth2" --data "config.scopes[]=read,write" --data "config.mandatory_scope=true" --data "config.enable_password_grant=true" --data "config.accept_http_if_already_terminated=true" --data "config.token_expiration=0" --data "config.global_credentials=true"

This gave me the provision_key in the JSON response.

However, when I try to add the plugin under service (without adding it anywhere else), it gives me an error:
curl -X POST http://localhost:8001/consumers/<consumer-id>/plugins --data "name=oauth2" --data "config.scopes[]=read,write" --data "config.mandatory_scope=true" --data "config.enable_password_grant=true" --data "config.accept_http_if_already_terminated=true" --data "config.token_expiration=0" --data "config.global_credentials=true"

This gave me:
{"message":"schema violation (consumer: value must be null)","name":"schema violation","fields":{"consumer":"value must be null"},"code":2}

Can you suggest how I can add the OAuth 2.0 plugin under a consumer?

Creating an “application” to a consumer with OAuth2:

I already have an “application/credential” for OAuth2.
I believe the problem is that the OAuth2 plugin cannot be added under a consumer - when I try to add the OAuth2 plugin using the Konga GUI, it is not in the list for consumer.

In OAuth2, consumers have credentials/secrets. The OAuth2 plugin itself only goes on services/routes as a means for saying “I want OAuth2 protection on my proxy”. Then the Kong ACL plugin is used to ensure consumers that generate a token with their creds are authorized to a service/route when passing the Authorization: Bearer token header.
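
The split described in the answer above, as an added example that is not part of the original thread: the oauth2 and acl plugins go on the route, while the credential and the ACL group membership go on the consumer. The route name comes from the question; the consumer `oauth-app`, the group `oauth-clients`, the application name and the redirect URI are hypothetical, and the script only prints the Admin API calls unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example. Hypothetical names: oauth-app, oauth-clients, demo-app,
# https://client.example/callback. my-oauth-route is taken from the thread.
ADMIN="${KONG_ADMIN:-http://localhost:8001}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the Admin API calls, 0 = send them

# admin PATH key=value...: POST form fields to the Kong Admin API.
admin() {
  path=$1; shift
  n=$#
  while [ "$n" -gt 0 ]; do          # turn each key=value into "--data key=value"
    set -- "$@" --data "$1"; shift; n=$((n - 1))
  done
  if [ "$DRY_RUN" = 1 ]; then
    echo "curl -sS -X POST $ADMIN$path $*"
  else
    curl -sS -X POST "$ADMIN$path" "$@"
  fi
}

# 1. The oauth2 plugin is attached to the route, never to a consumer.
#    token_expiration is left at the plugin default instead of the thread's 0,
#    which disables token expiry.
protect_route() {
  admin "/routes/$1/plugins" name=oauth2 "config.scopes[]=read,write" \
        config.mandatory_scope=true config.enable_password_grant=true
}

# 2. The consumer owns the OAuth2 application; Kong generates the
#    client_id/client_secret when they are not supplied.
add_credential() {
  admin "/consumers/$1/oauth2" "name=$2" "redirect_uris=$3"
}

# 3. The acl plugin on the same route admits only one group
#    (config.allow is named config.whitelist on older Kong releases).
restrict_route() {
  admin "/routes/$1/plugins" name=acl "config.allow=$2"
}

# 4. Group membership is what authorizes this consumer's tokens on the route.
join_group() {
  admin "/consumers/$1/acls" "group=$2"
}

protect_route  my-oauth-route
add_credential oauth-app demo-app https://client.example/callback
restrict_route my-oauth-route oauth-clients
join_group     oauth-app oauth-clients
```

A consumer that holds a valid credential but is not in the allowed group can still obtain a token, and the acl plugin then rejects it on this route.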

Thanks for the quick response, Jeremy.

I wanted to add OAuth2 for specific routes attached with ‘OAuth2’ consumers as we have two separate groups of APIs to support (Basic Auth and OAuth 2.0).

I have found a workaround where I am now creating two separate services pointing to the same upstream; however, one service has the Basic Auth plugin and the other has OAuth 2.0. And I am adding the Routes/API under the appropriate service.