How to add Authorization header to upstream service (oauth)?

I have an upstream API which requires oauth authentication. Ideally, this is managed by Kong (or a plugin), so that when an authorised request is made to the API Gateway, this is automatically forwarded onto the service and the upstream service auth is handled by Kong. What is the correct pattern to perform this?

Do I invoke a serverless function to intercept the incoming request, perform some logic to request a token or pass a refresh token (and store it somewhere) and then pass the Authorization header on to the upstream service?