Currently when using oauth2 plugin with authorization code or implicit grant, a consumer application needs to redirect their user to an authorization url that is directly provided by api’s owner without going through kong first. After that, the service that handle the authorization url and provide login page, needs to do the request validation by itself. I personally think that this might lead to incomplete/invalid implementation of oauth2 since the service might do the validation wrong.
My suggestion is kong should handle the authorization url by first validating the request and only redirect to the login page if the request is valid (lesser work at the service). This suggestion was based on how oryd/hydra provide oauth2 security mechanism.
This also means that no more external service to store the information of oauth2 authorization url (just like oauth2 token endpoint which is standardized to /oauth2/token in a route). It might not be a generic use case, but in my project, we use plugins information of a route to inject swagger security definition to a swagger document (managed outside of kong) of an exposed api to minimize human error on maintaining correct swagger definition.