Enable OAuth2 for Multiple Services

Here is what I do for my gateway, and I consider it to be a pretty good practice (I think documentation on Kong for best practices here would be helpful sometime, as the default behavior I consider to be a bit ehhhh).

Step 1. Create a route of /auth with a service pointing to some dummy backend URL (it will never get called). Enable the OAuth2 plugin on this proxy with global_credentials set to true. You now have a clean endpoint like this to give to ALL clients for generating a Bearer token for their proxy services:

https://gateway.company.com/auth/oauth2/token

Step 2. Create other proxy services, and enable acl + oauth2 on them (I always set global_credentials to true here too, but not sure it's a necessary step; the oauth2 token endpoint against each individual proxy goes UNUSED).

What you have achieved is a standardized central endpoint that will handle ALL token generations for you (as opposed to every proxy having to have its own endpoint called, which can confuse consumers). Hopefully it makes life easy for yah!

-Jeremy

4 Likes
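
The two steps above written out as a decK declarative file for a database-backed Kong 3.x gateway (the OAuth2 plugin is not supported in DB-less mode). This is an added example, not configuration from the original post; the service names, upstream URLs, ACL group, consumer and credential placeholders are constructed, and the client-credentials grant is an assumption, since the post does not say which grant it uses.

```yaml
_format_version: "3.0"

services:
  # Step 1: central token endpoint. The upstream is a dummy and is never called;
  # the oauth2 plugin answers requests to /auth/oauth2/token itself.
  - name: auth                          # constructed name
    url: http://dummy.invalid           # constructed placeholder upstream
    routes:
      - name: auth
        paths: [/auth]
        protocols: [https]              # token requests should only arrive over TLS
    plugins:
      - name: oauth2
        config:
          global_credentials: true
          enable_client_credentials: true   # assumed grant type
          token_expiration: 7200            # seconds

  # Step 2: a protected service (constructed), repeated for each real backend.
  - name: orders
    url: http://orders.internal:8080    # constructed upstream
    routes:
      - name: orders
        paths: [/orders]
        protocols: [https]
    plugins:
      - name: oauth2
        config:
          # Kong's plugin documentation describes global_credentials as sharing
          # credentials between oauth2 plugin instances that both set it to true,
          # so it is set here as well as on /auth.
          global_credentials: true
          enable_client_credentials: true
      - name: acl
        config:
          allow: [orders-clients]       # only consumers in this group get through

consumers:
  - username: orders-client-app         # constructed consumer
    acls:
      - group: orders-clients
    oauth2_credentials:
      - name: orders-client-app
        client_id: REPLACE_WITH_CLIENT_ID           # placeholder
        client_secret: REPLACE_WITH_CLIENT_SECRET   # placeholder, keep out of version control
        redirect_uris: [https://client.example.com/callback]
```

With this applied, a client POSTs `grant_type=client_credentials` with its `client_id` and `client_secret` to the central `/auth/oauth2/token` endpoint and sends the returned token as `Authorization: Bearer ...` to `/orders`; the `acl` plugin then decides per service whether that consumer is allowed.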