OAuth password flow implementation using Kong

I would like to start using Kong on an existing API which already uses OAuth2 as its authentication layer.
I want to remove the OAuth2 logic from my app and use the built-in OAuth2 plugin from Kong instead.

My app uses the “password” and “client credentials” grant types.
The “client credentials” grant is pretty straightforward and works pretty well with Kong in front of my app.

User => Kong => My App

But when I read the documentation about the “password” flow, it’s not the same story.
The doc says my app should authenticate the user first and then call Kong to get an access token, which is basically the opposite of the previous flow:

User => My App => Kong

I found this old GitHub issue which suggests creating a new endpoint such as “/login”; this endpoint would call Kong on “/oauth2/token” to get an access token.

I would like to know if this is still the right way to implement the “password” grant type with Kong.

My current app is using “/oauth/token” for both grant types (password, client_credentials) to get an access token.

Thank you.
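As an added illustration of the “/login” approach described in the post (example code written here, not code from the post, the linked GitHub issue or the Kong project): the app verifies the user's credentials against its own store, and only then calls Kong's `/oauth2/token` with `grant_type=password`, the plugin's `provision_key` and the `authenticated_userid`. The Kong URL, the client id/secret and the user store are constructed placeholders; the `post` parameter exists so the exchange can be exercised without a running Kong.

```python
"""Password-grant /login handler in front of Kong's OAuth2 plugin.
Added example; Kong URL, provision key and user store are constructed."""
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

# Assumption: the route Kong exposes for the app is /my-app; the plugin's
# token endpoint then lives under it.
KONG_TOKEN_URL = "https://kong.example.test/my-app/oauth2/token"
# The provision_key is configured on the Kong OAuth2 plugin and is a
# server-side secret: the end user / client never receives it.
PROVISION_KEY = os.environ.get("KONG_PROVISION_KEY", "constructed-provision-key")


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash). In a real app this
# is the app's own database; Kong never sees the user's password.
_SALT = b"constructed-static-salt"
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}


def verify_user(username: str, password: str):
    """Return the user id on a match, else None. Uses a constant-time compare
    and hashes even for unknown users so timing does not reveal valid names."""
    rec = USERS.get(username)
    if rec is None:
        _pbkdf2(password, _SALT)
        return None
    salt, stored = rec
    return username if hmac.compare_digest(_pbkdf2(password, salt), stored) else None


def build_kong_token_request(user_id, client_id, client_secret, scope=None):
    """Form fields Kong's OAuth2 plugin expects for the password grant.
    Note the user's password is NOT forwarded; Kong trusts the app's
    authentication via provision_key + authenticated_userid."""
    fields = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "provision_key": PROVISION_KEY,
        "authenticated_userid": user_id,
    }
    if scope:
        fields["scope"] = scope
    return fields


def _post_form(url, fields):
    """Real HTTPS POST to Kong; only used when no test double is injected."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def login(username, password, client_id, client_secret, post=None):
    """Body of the app's /login endpoint: authenticate locally, then exchange
    with Kong. Returns (response_body, http_status)."""
    user_id = verify_user(username, password)
    if user_id is None:
        # Do not reveal whether the username or the password was wrong.
        return {"error": "invalid_grant"}, 401
    form = build_kong_token_request(user_id, client_id, client_secret)
    send = post or _post_form
    return send(KONG_TOKEN_URL, form), 200
```

In a real handler the status code of Kong's reply should be relayed to the caller (Kong returns its own `invalid_client` / `invalid_scope` errors), and the `provision_key` must be loaded from the app's secret store rather than an environment default; the placeholder default above only keeps the example runnable.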
