Guidance on Kong plugin development - extension of oauth2 plugin (FAPI support)

We are looking into implementing an extension to the oauth2 plugin, supporting (partly) the OIDC FAPI spec (see It is a key requirement for the various API banking initiatives in Europe (see UK Open Banking & PSD2).

E.g. we want support for adding a signed JWT id_token on the /auth & /token endpoints, containing s_hash and/or rt_hash and/or at_hash claims. Other changes would be in the way the code and tokens are generated.

Would you advise modifying the existing oauth2 plugin (and counting on an accepted PR), or is there a way to extend the existing oauth2 plugin? Would you be interested in a contribution to the oauth2 plugin?
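As an added illustration of the at_hash / rt_hash / s_hash claims mentioned above (this is not code from Kong's oauth2 plugin, which is written in Lua, nor from the poster), the Python below derives and verifies these binding claims the way OpenID Connect Core defines at_hash and c_hash, which FAPI reuses for s_hash and rt_hash: hash the ASCII octets of the value with the hash function that matches the id_token's `alg` header, keep the leftmost half, and base64url-encode it without padding. Function names and the sample token values are my own.

```python
import base64
import hashlib
import hmac

# JWS "alg" header value -> hash function used for the *_hash claims.
# (SHA-256 for *256 algorithms, SHA-384 for *384, SHA-512 for *512.)
_ALG_HASH = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_hash(value: str, alg: str) -> str:
    """Leftmost half of hash(ASCII octets of value), base64url-encoded.

    Same construction for at_hash (access token), c_hash (code),
    s_hash (state) and rt_hash (refresh token).
    """
    try:
        hash_fn = _ALG_HASH[alg]
    except KeyError:
        raise ValueError(f"unsupported id_token alg for *_hash claims: {alg}")
    digest = hash_fn(value.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def id_token_hash_claims(alg, access_token=None, code=None, state=None, refresh_token=None):
    """Build the binding claims the authorization server puts in the id_token."""
    inputs = {"at_hash": access_token, "c_hash": code, "s_hash": state, "rt_hash": refresh_token}
    return {name: token_hash(val, alg) for name, val in inputs.items() if val is not None}


def verify_hash_claim(claims: dict, name: str, value: str, alg: str) -> bool:
    """Client-side check that a received token/code/state matches the id_token claim.

    A missing claim fails closed; comparison is constant-time.
    """
    actual = claims.get(name)
    if not isinstance(actual, str):
        return False
    return hmac.compare_digest(actual, token_hash(value, alg))
```

The `alg` used must be the one taken from the id_token's own (verified) JOSE header; computing the claims from a client-chosen algorithm would let a mismatched token pass.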

Hi, I've made a custom plugin that lets you authenticate a Kong consumer with an external OAuth2 / OpenID Connect provider.

If you think extending the oauth2 plugin will take too much effort, you might go with deploying a dedicated OpenID Connect provider (which will likely have a higher maturity level) and use my custom plugin with it.