Masquerading oauth2 password authentication


#1

Hi all,

I’m trying to create a kong service that will hide an existing API for a product that we did not develop ourselves. That API uses oauth2 with a client ID, client secret and a user’s username and password. The basic idea of what I’m trying to accomplish is to force end users to use Kong rather than talking directly to the API, by not publishing any client IDs and secrets for the original API.

I would like to have Kong hide that API’s client ID and secret, and insert it automatically when passing the access token request to the API. Is that something that any existing Kong plugins can do? I’d also be open to using the oauth2 plugin and giving the end users a different client ID and secret to use with Kong. In fact, that would be better because I would not want the end user to receive the original bearer token either. But, can Kong cache a bearer token and insert it in the requests towards the API, handle token refreshes, etc.?


#2

If you want to inject a static body parameter/header/querystring parameter have you tried with the Request Transformer plugins?


#3

@thefosk I have not. I had assumed that, since the transformations are added at plugin configuration time, it was meant more for static values, not dynamic ones like a bearer token would be.

Is there a way to dynamically reconfigure plugins in Kong? (e.g. trigger a change of the plugin configuration each time the upstream token is refreshed?)


#4

I see. You are correct, Request Transformations are static transformations and not dynamic. For a dynamic transformation, you will need to create a plugin that does that.
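One shape such a custom plugin could take, as an added example that is not code from this thread or from Kong itself. It is the `handler.lua` of a hypothetical plugin named `upstream-oauth2`; the schema file that would declare its config fields (`token_url`, `client_id`, `client_secret`, `username`, `password`, optional `scope`, `refresh_margin`, `timeout`) is assumed and not shown. It does the password grant against the upstream token endpoint from inside Kong, caches the resulting bearer token in `kong.cache` for slightly less than its advertised lifetime, and overwrites the `Authorization` header of every proxied request, so neither the upstream client secret nor the upstream bearer token ever reaches the end user. When the upstream answers 401 (token revoked early), the cached entry is dropped so the next request obtains a fresh one.

```lua
-- handler.lua for a hypothetical "upstream-oauth2" Kong plugin (illustrative example,
-- not an official Kong plugin). Assumed config fields come from an unshown schema.lua:
--   token_url, client_id, client_secret, username, password, scope (optional),
--   refresh_margin (seconds, default 30), timeout (ms, default 5000).
local http  = require "resty.http"   -- lua-resty-http, bundled with Kong
local cjson = require "cjson.safe"   -- returns nil instead of throwing on bad JSON

local UpstreamOAuth2 = {
  -- Plugins run in descending PRIORITY. Kong's consumer-facing auth plugins
  -- (oauth2, key-auth, jwt, basic-auth) all sit above 1000, so 900 runs after
  -- the end user has already been authenticated with the Kong-issued credentials.
  PRIORITY = 900,
  VERSION  = "0.1.0",
}

-- Key for the shared cache. The secret is deliberately not part of the key.
local function cache_key(conf)
  return "upstream_oauth2:" .. conf.token_url .. ":" .. conf.client_id .. ":" .. conf.username
end

-- Callback for kong.cache:get. Performs the password grant with the hidden upstream
-- client credentials and returns (token, nil, ttl); mlcache uses the third value as
-- the entry's TTL. On failure it returns (nil, err) so nothing is cached.
local function fetch_token(conf)
  local httpc = http.new()
  httpc:set_timeout(conf.timeout or 5000)

  local res, err = httpc:request_uri(conf.token_url, {
    method = "POST",
    body = ngx.encode_args({
      grant_type    = "password",
      client_id     = conf.client_id,
      client_secret = conf.client_secret,
      username      = conf.username,
      password      = conf.password,
      scope         = conf.scope,           -- nil is simply omitted
    }),
    headers = {
      ["Content-Type"] = "application/x-www-form-urlencoded",
      ["Accept"]       = "application/json",
    },
    ssl_verify = true,  -- never disable TLS verification on a credential-bearing request
  })
  if not res then
    return nil, "token request failed: " .. tostring(err)
  end
  if res.status ~= 200 then
    -- Do not log res.body: error responses can echo request parameters.
    return nil, "token endpoint returned HTTP " .. tostring(res.status)
  end

  local body = cjson.decode(res.body)
  if type(body) ~= "table" or type(body.access_token) ~= "string" then
    return nil, "token endpoint returned no access_token"
  end

  -- Cache for less than the server-stated lifetime so a token never reaches the
  -- upstream already expired; fall back to a short TTL if expires_in is absent.
  local expires_in = tonumber(body.expires_in) or 300
  local ttl = math.max(expires_in - (conf.refresh_margin or 30), 1)
  return body.access_token, nil, ttl
end

function UpstreamOAuth2:access(conf)
  -- kong.cache is shared across workers on the node; only one worker performs the
  -- grant when the entry is missing, the rest wait for the cached value.
  local token, err = kong.cache:get(cache_key(conf), nil, fetch_token, conf)
  if not token then
    kong.log.err("upstream OAuth2 token unavailable: ", err)
    return kong.response.exit(502, { message = "upstream authentication failed" })
  end

  -- set_header replaces any Authorization header the client sent, so a
  -- client-supplied bearer token can never be forwarded to the upstream.
  kong.service.request.set_header("Authorization", "Bearer " .. token)
end

function UpstreamOAuth2:header_filter(conf)
  -- If the upstream rejected the token, evict it cluster-wide so the next request
  -- performs a fresh grant instead of replaying a revoked token until TTL expiry.
  if kong.service.response.get_status() == 401 then
    kong.cache:invalidate(cache_key(conf))
  end
end

return UpstreamOAuth2
```

Two design choices worth noting. First, re-running the password grant when the cache entry expires is simpler and safer than persisting and replaying a `refresh_token`, which would be a second long-lived secret to protect; the cost is one extra token request per lifetime. Second, the end user still sees a single 401 when the upstream revokes a token early, because the plugin evicts the cache rather than retrying the proxied request in place; if that is unacceptable, the access phase would have to probe the upstream itself. The `client_secret` and `password` fields should be declared in the schema so that they can be supplied by reference from a secrets store rather than stored in plaintext in the Kong config, and they should never appear in the cache key or in log lines.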