Kong gateway + OAuth2 plugin in multi region setup

Hello,

What is the recommended deployment setup for a multi-region (worldwide) Kong gateway cluster with the OAuth2 plugin?

As the OAuth2 plugin is not compatible with the Hybrid clustering approach (control plane + data plane), I only see 3 options:

  1. Single central database on which all Kong instances are connected
  2. Replicated PG database on each region with one master and some read replicas
  3. Clustered PG database (Citus, …) in order to have write capability in each region

Are there other possibilities?

Regards,

I am in the same situation as you are.
According to a Kong article, the OAuth2 plugin is not compatible with this hybrid cluster deployment.
The only solution I have found so far is to implement your own multi-region OAuth2 auth service.

After a few tests, it seems that one gateway node per region with a centralized database is the best compromise for latency/cost/complexity, provided the use of the database stays low (only to create new tokens).

I had a discussion with a Kong solution architect who prefers using the OIDC plugin as it allows the hybrid clustering approach.
But in this case, you need to have an OAuth2 IdP in your system (and manage its distribution through your regions…).
And you also need an enterprise subscription.

We have to first understand why OAuth2 is not supported in hybrid mode: only the CP connects to the DB, whereas for OAuth2 the DP should connect to the DB to create/validate tokens.

It doesn't matter whether you want to use a multi-region environment; as long as you want to use OAuth2, you have to use the distributed deployment approach, where each Kong node acts as a DP and connects to the DB (you have to consider the disadvantages of distributed mode).

As far as the DB replication required by a multi-region Kong deployment is concerned, you can use master-master DB replication, because any Kong node from any region can create the token and store it in its regional Postgres DB.

You can have master-slave DB replication, but in this case there will be extra latency when the token is created by a Kong node that is not in the same region as the master Postgres DB.
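To make the CP/DP point concrete, here is an added example (not from this thread or from Kong's documentation) of two kong.conf fragments side by side: a hybrid-mode data plane, which has no database connection at all, and a traditional DB-backed node wired to a single writable primary plus a regional read replica (option 2 from the question). Hostnames, paths and credentials are placeholders; the keys are standard kong.conf settings.

```ini
# === File A: hybrid-mode data plane (one node per region) ===
# A DP keeps no database connection, so a DB-backed plugin such as oauth2
# has nowhere to write a newly created token or to look one up on this node.
role = data_plane
database = off
cluster_control_plane = cp.example.internal:8005      # placeholder CP address
cluster_cert = /etc/kong/cluster.crt                   # placeholder path
cluster_cert_key = /etc/kong/cluster.key               # placeholder path

# === File B: traditional (DB-backed) node in one region ===
# Every node talks to Postgres itself. Writes (token creation) go to the
# primary; reads (token validation) are served from the regional replica.
database = postgres
pg_host = pg-primary.eu.example.internal               # single writable primary
pg_port = 5432
pg_user = kong
pg_password = <placeholder-secret>
pg_database = kong
pg_ssl = on                                            # encrypt node <-> DB traffic
pg_ssl_verify = on                                     # and verify the DB certificate
pg_ro_host = pg-replica.us.example.internal            # read-only replica in this region
pg_ro_port = 5432
```

Two operational caveats follow from File B. First, the replica lags the primary, so a token that was just written through pg_host may not yet be visible through pg_ro_host; a validation request arriving in the same region a moment later can fail until replication catches up, which is the consistency side of the latency trade-off described above. Second, because every regional node now holds DB credentials and reaches the primary across regions, the node-to-DB link should be TLS-protected (pg_ssl / pg_ssl_verify) and the primary's network exposure limited to those nodes.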