Kong gateway + OAuth2 plugin in multi region setup

Hello,

What is the recommanded deployment setup for a multi region (worldwide) Kong gateway cluster with OAuth2 plugin ?

As the OAuth2 plugin is not compatible with the Hydrid clustering approach (control plane+data plane), I only see 3 options :

  1. Single central database on which all Kong instances are connected
  2. Replicated PG database on each region with one master and some read replicas
  3. Clustered PG database (citus,…) in order to have write capability in each region

Is there other possibilities ?

Regards,

I am in the same situation as you are.
According to a kong article, the oauth2 plugin is not compatible with this hybrid cluster deployment.
The only solution I have found so far is to implement you own multi-region oauth2 auth service.

After few tests, it seems that one gateway node per region with a centralized database is the best compromise for latency/cost/complexity. If the use of the database stays low (only to create new token).

I had a discussion with a Kong solution architect who prefers using the OIDC plugin as it allows the hybrid clustering approach.
But in this case, you need to have a OAuth2 idp in your system (and manage its distribution through your regions…).
And you also need an enterprise subscription.