Enable OAuth2 for Multiple Services

Let's say I have two services, SERVICE_A and SERVICE_B. For each of these services, I add (enable) the OAuth2 plugin, so now I have 2 OAuth2 plugins. For the sake of simplicity, let’s assume that the first OAuth2 plugin is OAUTH2_A and the last one is OAUTH2_B.

To test the services I created two consumers and applications. But something strange happens: if I request a token using the provision_key of OAUTH2_A, it works. But if I request a token using the provision_key of OAUTH2_B, it said “Invalid provision_key”. Any ideas why this happens?

Thank You.

To use the same token for both, I suppose that you need to enable config.global_credentials=true in the relevant plugin (or both of them).

1 Like

Here is what I do for my gateway and I consider it to be a pretty good practice (I think documentation on Kong for best practices here would be helpful some time, as the default behavior I consider to be a bit ehhhh).

Step 1. Create a route of /auth with a service pointing to some dummy backend URL (it will never get called). Enable the OAuth2 plugin on this proxy with global_credentials set to true. You now have a clean endpoint like this to give to ALL clients for generating a Bearer token for their proxy services:

https://gateway.company.com/auth/oauth2/token

Step 2. Create other proxy services, and enable acl + oauth2 on them (I always set global_credentials to true here too but not sure it's a necessary step; the oauth2 token endpoint against each individual proxy goes UNUSED).

What you have achieved is a standardized central endpoint that will handle ALL token generations for you (as opposed to every proxy having to have its own endpoint called, which can confuse consumers). Hopefully it makes life easy for yah!

-Jeremy

5 Likes
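
The two-step layout described in the post above, as an added example that is not part of the original posts: a decK-style declarative config, assuming Kong 3.x field names and the client-credentials grant. Service names, hosts, the ACL group and the credential values are constructed placeholders.

```yaml
# Added example, not from the thread. Apply to a database-backed Kong
# (for example with decK): the oauth2 plugin stores tokens in the database.
_format_version: "3.0"

services:
  # Step 1: token-only service. The upstream is a dummy and is never called;
  # clients POST to https://<gateway>/auth/oauth2/token.
  - name: auth
    url: http://dummy.invalid            # placeholder upstream
    routes:
      - name: auth
        paths: ["/auth"]
    plugins:
      - name: oauth2
        config:
          global_credentials: true
          enable_client_credentials: true   # assumed grant type

  # Step 2: a real service. oauth2 validates the bearer token,
  # acl decides which consumers may use this particular service.
  - name: service-a                      # placeholder name
    url: http://service-a.internal.example
    routes:
      - name: service-a
        paths: ["/service-a"]
    plugins:
      - name: oauth2
        config:
          global_credentials: true       # accept tokens issued at /auth
          enable_client_credentials: true
      - name: acl
        config:
          allow: ["service-a-clients"]   # placeholder group

consumers:
  - username: client-one                 # placeholder consumer
    acls:
      - group: service-a-clients
    oauth2_credentials:
      - name: client-one-app
        client_id: CLIENT_ID_PLACEHOLDER
        client_secret: CLIENT_SECRET_PLACEHOLDER
        redirect_uris: ["https://client-one.example/callback"]
```

Because `global_credentials` makes a token issued at `/auth` usable on every service whose OAuth2 plugin also sets it, the `acl` plugin is what keeps each service limited to its intended consumers.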

Thanks man. It works! :+1:

Agree with this approach, I did the same :+1:

Ah I see. One dummy URL, so every token request will go through it. Thank you for your suggestion. Really appreciate it.