I have an upstream API behind OAuth so have to deal with refresh/access token dance. as far as I can tell the OAuth plugin is not available in Konnect: OAuth 2.0 Authentication plugin | Kong Docs
any plans around that? is there any other solution I could use to run that 3rd party API protected by OAuth 2 past Kong Konnect?
(in my experience OAuth is not the best way to secure cloud to cloud APIs but that’s a hard limit by the 3rd party and for another discussion)
Hi @dmudro - just to clarify.
You have an existing upstream API (3rd party) that is secured by an existing OAuth2.0 server (also 3rd party?). You want to have a Kong Gateway setup to accept incoming API requests (without any auth?) and proxy them to the upstream API (which requires the gateway to have a token locally?).
Or will your API clients have the token and you just need kong gateway to verify them? If that’s the case, OAuth 2.0 Introspection plugin | Kong Docs (which is supported by Konnect) would be the right plugin.
the background here is that I have a server to server connection i. e. my backend app to 3rd party communicating via REST. the external API is behind their own OAuth protocol and I have to manage short lived access tokens myself meaning invoking refresh token flow whenever the access token TTL expires.
so this isn’t a traditional OAuth flow involving authorisation of the end client and the whole case would have been avoided if I could use a long lived token with the 3rd party, i. e. an API key.
while exploring Kong, it crossed my mind to proxy the API calls through an API gateway and use it to manage tokens within the OAuth flow on top of other use cases in my app and APIs. though I appreciate this might not be exactly what Kong / Konnect is for(?).
I’m told this is something that’s done fairly often, but it’s not straight forward to do out of the box.
Some quick googling, GitHub - enioka-Haute-Couture/kong-plugin-upstream-oauth2: A Kong plugin to negotiate oauth2 authentication with upstream services might be a plugin you can leverage. Alternatively, you could use Request Transformer plugin | Kong Docs to inject the appropriate access tokens.
Hope that helps!