Kong for single point authentication and proxying

I am trying to create an API gateway using nginx. The architecture that I need is as follows:

Client (contacts the API gateway for auth and REST access) -----> API gateway -----> contacts multiple Microservices with each MS having its own OAuth2 authentication

So, the problem I am trying to address is that the client needs to talk to the gateway only once to get the access token (opaque token), while the gateway should do all the authentication with the Microservices on behalf of the client (the actual access token).

Is this possible to do through Kong? If so, please point me to any documentation on this so that I can integrate Kong with my existing Nginx config.

Community user here,

Have not seen this pattern before, honestly. Can you describe the exact flow you intend to follow?

  1. Consumer (OAuth2) -> Gateway -> (diff OAuth2) to Microservice?

  2. Consumer -> Gateway (OAuth2) to microservice?

If 2, how will you solve identifying each consumer? Because that will have to play into the client_id/secret you intend the gateway to use when calling the microservice, correct? Or is the “gateway” your broad client in this case, and if so, what benefit are you gaining with such a pattern with a gateway in the middle? This seems like a non-performant flow at this stage, and I am wondering how such requirements came about currently.

My second read-over makes me think you are thinking about flow 1, which at least means you have a way to identify the consumer. You could use the new PDK (plugin dev kit) to write logic around storing backend microservice creds the gateway can use; early in the access_phase you can call the OAuth token endpoint a given backend service has and then cache the token for ___ amount of time, so subsequent calls from your consumer validated at the gateway use that token for ___ amount of time with a backend. The first plugin I would start with as base code would be something like the kong middle man plugin here probably:
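
Added example, not part of the thread and not the plugin referred to above: a sketch of flow 1 as a Kong plugin handler that swaps the caller's opaque token for a cached backend token. The plugin name, the schema fields (`token_url`, `client_id`, `client_secret`, `token_ttl`) and the use of the client-credentials grant are assumptions.

```lua
-- handler.lua of a hypothetical plugin "backend-token-swap" (added example).
-- Assumed schema fields: token_url, client_id, client_secret, token_ttl.
local http  = require "resty.http"
local cjson = require "cjson.safe"

local Handler = {
  PRIORITY = 900,  -- assumed lower than the auth plugin's, so it runs after it
  VERSION  = "0.1.0",
}

-- Cache-miss callback: assumed client-credentials grant at the backend.
local function fetch_backend_token(conf)
  local httpc = http.new()
  httpc:set_timeout(2000)
  local res, err = httpc:request_uri(conf.token_url, {
    method  = "POST",
    body    = ngx.encode_args({
      grant_type    = "client_credentials",
      client_id     = conf.client_id,
      client_secret = conf.client_secret,
    }),
    headers    = { ["Content-Type"] = "application/x-www-form-urlencoded" },
    ssl_verify = true,  -- the secret only goes to a verified endpoint
  })
  if not res then return nil, "token endpoint unreachable: " .. tostring(err) end
  if res.status ~= 200 then return nil, "token endpoint returned " .. res.status end
  local body = cjson.decode(res.body)
  if not body or type(body.access_token) ~= "string" then
    return nil, "token endpoint response has no access_token"
  end
  return body.access_token
end

function Handler:access(conf)
  -- Flow 1: an auth plugin must already have identified the consumer.
  if not kong.client.get_consumer() then
    return kong.response.exit(401, { message = "Unauthorized" })
  end
  local key = "backend_token:" .. conf.token_url .. ":" .. conf.client_id
  local token, err = kong.cache:get(key, { ttl = conf.token_ttl },
                                    fetch_backend_token, conf)
  if not token then  -- fail closed; never forward the request unauthenticated
    kong.log.err("backend token fetch failed: ", err)
    return kong.response.exit(502, { message = "Upstream authentication failed" })
  end
  -- Overwrite the caller's opaque token so it never reaches the backend.
  kong.service.request.set_header("Authorization", "Bearer " .. token)
end
return Handler
```

Keep `token_ttl` shorter than the lifetime of the token the backend issues, so a cached token is never sent after it has expired. Because the cache key is per backend rather than per consumer, the backend sees the gateway as its client and cannot tell consumers apart unless the gateway passes that identity separately.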