I’m trying to create a Kong service that will hide an existing API for a product that we did not develop ourselves. That API uses OAuth2 with a client ID, client secret and a user’s username and password. The basic idea of what I’m trying to accomplish is to force end users to use Kong rather than talking directly to the API, by not publishing any client IDs and secrets for the original API.
I would like to have Kong hide that API’s client ID and secret, and insert them automatically when passing the access token request to the API. Is that something that any existing Kong plugins can do? I’d also be open to using the oauth2 plugin and giving the end users a different client ID and secret to use with Kong. In fact, that would be better because I would not want the end user to receive the original bearer token either. But can Kong cache a bearer token and insert it in the requests towards the API, handle token refreshes, etc.?