Client_Credentials for all APIs


#1

Hi,

What is the recommendation for having Client_Credentials for all of my APIs? There are a lot of plugins, but in my case, for now, I only need OAuth 2.0 with the client_credentials flow.

I understand that the best choice (IMHO) is to federate Kong through an IdP, but in that case we need to use the Enterprise version. For open source, what would be the better approach?

Another thing: I don't want to use the Consumers entity to do that.


#2

You can always write a custom plugin to hook into your IdP for that OAuth2 introspection logic, much like the enterprise edition plugin does. That's the beauty of open source :slight_smile:. I recommend studying existing Kong plugins and learning how to make HTTP calls in Lua, and take a crack at it. I would check here for some IdP-like inspiration: https://github.com/nokia/kong-oidc/


#3

Yes, I'm looking at this plugin now. Do you know if it is possible to use Kong Community and buy the Kong OIDC plugin only?


#4

Would be an interesting business model for them to start selling by the “plugin”, but would be hard to manage too because if they don’t use an encryption engine to prevent redistribution of the plugins then people would share the source after the fact. Could do it with a neat environment variable secret thing that unlocks encrypted plugin code if they ever did want to do that model. But that is not possible to my understanding today, enterprise customers get access to enterprise plugins. Community users have to build it themselves if they want such functionality.


#5

Hi,

Thanks for the help.

I already have an environment with Kong and the OIDC plugin, but how can I get the client_credentials flow?
The plugin should request identity with grant_type client_credentials.
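As an added example (not code from this thread, from Kong, or from the nokia/kong-oidc project), here is the shape of the custom plugin suggested in #2, aimed at the client_credentials setup asked about in #1 and #5. The plugin name (`introspect-cc`), the config fields, and the upstream header names are assumptions. Callers obtain their access token from the IdP's token endpoint with grant_type=client_credentials as usual; Kong then validates each bearer token by calling the IdP's introspection endpoint (RFC 7662), authenticating that call with the plugin's own client_id and client_secret. Verdicts are cached per token hash for no longer than the token's remaining lifetime, an unreachable IdP fails closed, and no Consumer entity is involved.

```lua
-- kong/plugins/introspect-cc/schema.lua  (plugin name "introspect-cc" is assumed)
local typedefs = require "kong.db.schema.typedefs"

local schema = {
  name = "introspect-cc",
  fields = {
    { protocols = typedefs.protocols_http },
    { config = {
        type = "record",
        fields = {
          { introspection_endpoint = typedefs.url({ required = true }) },
          { client_id     = { type = "string", required = true } },
          -- store the secret in a vault reference rather than plain config where possible
          { client_secret = { type = "string", required = true, referenceable = true } },
          { required_scope = { type = "string" } },          -- optional scope the token must carry
          { cache_ttl = { type = "integer", default = 60, gt = 0 } },   -- seconds, upper bound
          { timeout   = { type = "integer", default = 5000, gt = 0 } }, -- milliseconds
        },
    } },
  },
}

-- kong/plugins/introspect-cc/handler.lua
local http  = require "resty.http"   -- lua-resty-http, shipped with Kong
local cjson = require "cjson.safe"

local IntrospectHandler = {
  PRIORITY = 1000,   -- authentication phase: before ACL, rate-limiting, etc.
  VERSION  = "0.1.0",
}

-- Extract the bearer token from the Authorization header; nil if absent or malformed.
local function get_bearer_token()
  local auth = kong.request.get_header("Authorization")
  if not auth then return nil end
  return auth:match("^[Bb]earer%s+(%S+)%s*$")
end

-- Space-delimited scope string (RFC 7662 "scope") contains the required scope?
local function has_scope(granted, required)
  for s in (granted or ""):gmatch("%S+") do
    if s == required then return true end
  end
  return false
end

-- Cache-miss callback for kong.cache:get. Returns value, err, ttl.
local function introspect(conf, token)
  local httpc = http.new()
  httpc:set_timeout(conf.timeout)
  local res, err = httpc:request_uri(conf.introspection_endpoint, {
    method  = "POST",
    body    = "token=" .. ngx.escape_uri(token) .. "&token_type_hint=access_token",
    headers = {
      ["Content-Type"]  = "application/x-www-form-urlencoded",
      -- the plugin's own client credentials authorize the introspection call
      ["Authorization"] = "Basic " .. ngx.encode_base64(conf.client_id .. ":" .. conf.client_secret),
    },
    ssl_verify = true,
  })
  if not res then
    return nil, "introspection request failed: " .. tostring(err)
  end
  if res.status ~= 200 then
    return nil, "introspection endpoint returned HTTP " .. tostring(res.status)
  end
  local info = cjson.decode(res.body)
  if type(info) ~= "table" then
    return nil, "introspection response is not valid JSON"
  end
  -- never cache a verdict past the token's own expiry
  local ttl = conf.cache_ttl
  if info.active and type(info.exp) == "number" then
    ttl = math.max(1, math.min(ttl, info.exp - ngx.time()))
  end
  return info, nil, ttl
end

function IntrospectHandler:access(conf)
  local token = get_bearer_token()
  if not token then
    return kong.response.exit(401, { message = "Unauthorized" },
                              { ["WWW-Authenticate"] = 'Bearer realm="kong"' })
  end

  -- key the cache on a digest so raw tokens never appear in shared-dict keys or logs
  local cache_key = "introspect-cc:" .. ngx.encode_base64(ngx.sha1_bin(token))
  local info, err = kong.cache:get(cache_key, { ttl = conf.cache_ttl }, introspect, conf, token)
  if err then
    kong.log.err(err)
    return kong.response.exit(502, { message = "Token validation unavailable" })  -- fail closed
  end
  if not info or not info.active then
    return kong.response.exit(401, { message = "Invalid or expired token" })
  end
  if conf.required_scope and not has_scope(info.scope, conf.required_scope) then
    return kong.response.exit(403, { message = "Insufficient scope" })
  end

  -- hand the verified identity to the upstream (header names are assumed)
  kong.service.request.set_header("X-Client-Id", info.client_id or "")
  kong.service.request.set_header("X-Token-Scope", info.scope or "")
end

return IntrospectHandler
```

Both files live under one plugin directory and the plugin is enabled via `plugins = bundled,introspect-cc` in `kong.conf`. The introspection response carries `client_id`, so the caller's identity reaches the upstream without creating a Consumer per client; if rate limiting or ACLs per client are wanted later, `kong.client.authenticate` with a Consumer is the usual hook to add at that point.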