OAuth2 for Multiple Services without global credentials

I have two separate APIs that are managed by Kong.


I have followed the steps as described in the documentation to create my own login page, and configured the OAuth2 plugin for service /api-A

Tested with cURL, Postman, etc.; everything is great.

Now I want to also enable OAuth2 for /api-B, but I don’t want to use the ‘global credentials’. Each API should have its own tokens.

Essentially I perform the same steps as for /api-A for configuring the OAuth2 plugin. But when it comes to the login/grant permission app I’ve created, there’s a hardcoded reference to https://example.com/api-A/oauth2/authorize

In this post user jeremyjpj0916 gives the suggestion of using a separate endpoint for authentication, and using global_credentials = true. This seems like a good idea and I can see how this will work. But I don’t want to use global credentials (or should I?).

Honestly, it’s not a very hard problem. I can add a dynamic parameter to my login webpage that indicates /api-A or /api-B, but is this the best practice?

Are there other/better ways to achieve the same result?


If I understood you correctly, all your problems seem to come from this:

Ideally if you are using two different services with two different sets of credentials, you should be able to use two different endpoints instead of just one. The “proper” solution would be modifying the app so that it uses two endpoints instead of just one. If for some reason that is not possible, then there are a number of workarounds that you have already mentioned (like adding a parameter). But those would be that: workarounds.

Yes, that’s correct. The fact that the reference to api-A is hardcoded in the login page is the cause of my problems.

I’ll try to explain in more detail:

Essentially we have one internal database with user credentials, and we have two APIs with their associated separate services/routes.

What I want is that an external application using api-A must request a separate token than when it is using api-B, and that it won’t be able to reuse the same one. Hence the reason for setting global_credentials to false.

So currently the idea is that the external application forwards the user to my https://example.com/auth/login page. This page is now set up to make requests to https://kong/api-A/oauth2/… and the app must use the same URL to obtain its access_token.

Essentially the logic in the https://example.com/auth/login page is generic and should also work for api-B. So there should be a way for https://example.com/auth/login to know whether it needs to target api-A or api-B.

My easy ‘solution’ for this is to add an extra URL parameter and to get:
https://example.com/auth/api-A/login and https://example.com/auth/api-B/login
These essentially just run the same code, but use the api-A and api-B parameter to target the correct service in Kong.

This works, but is this best practice?
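One way to make the per-service login path safe in practice, as an added example that is not code from the original thread or from Kong: the service name taken from /auth/&lt;service&gt;/login is only ever used as a key into a fixed allowlist of Kong OAuth2 endpoints, never interpolated into a URL directly. That keeps the "dynamic parameter" approach from becoming an open redirect or a way to make the login page talk to an endpoint you did not intend. The hostnames, paths, client id and scope below are constructed placeholders; the client_id, response_type and scope query parameters are the standard OAuth2 authorization-request parameters.

```python
from urllib.parse import urlencode

# Constructed example: the per-service OAuth2 endpoints that Kong exposes
# once the OAuth2 plugin is enabled on each service with
# global_credentials = false. Hostnames and paths are assumptions.
SERVICE_OAUTH2_BASE = {
    "api-A": "https://kong/api-A/oauth2",
    "api-B": "https://kong/api-B/oauth2",
}


class UnknownServiceError(ValueError):
    """Raised when a login path names a service that is not on the allowlist."""


def oauth2_base_for(service: str) -> str:
    """Look the service up in the allowlist; anything else is rejected outright."""
    try:
        return SERVICE_OAUTH2_BASE[service]
    except KeyError:
        raise UnknownServiceError(f"unknown service {service!r}") from None


def parse_login_path(path: str) -> str:
    """Extract the service name from /auth/<service>/login.

    The segment count is checked exactly, so '..' or extra segments are
    rejected, and the name must exist in the allowlist.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "auth" or parts[2] != "login":
        raise ValueError(f"malformed login path {path!r}")
    service = parts[1]
    oauth2_base_for(service)  # raises UnknownServiceError if not allowlisted
    return service


def build_authorize_url(service: str, client_id: str, scope: str,
                        response_type: str = "code") -> str:
    """Build the authorize URL for one service from allowlisted parts only.

    The query string is urlencoded, so caller-supplied values cannot break
    out of their parameter.
    """
    base = oauth2_base_for(service)
    query = urlencode({
        "client_id": client_id,
        "response_type": response_type,
        "scope": scope,
    })
    return f"{base}/authorize?{query}"


def token_url_for(service: str) -> str:
    """The token endpoint the external app must use for the same service."""
    return f"{oauth2_base_for(service)}/token"


if __name__ == "__main__":
    # Constructed request: the app sent the user to /auth/api-B/login.
    service = parse_login_path("/auth/api-B/login")
    print(build_authorize_url(service, client_id="demo-client", scope="read"))
    print(token_url_for(service))
    for bad in ("/auth/api-C/login", "/auth/../api-A/login"):
        try:
            parse_login_path(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Because the authorize URL and the token URL are both derived from the same allowlist entry, a token issued under /api-A is only ever requested against /api-A's endpoints, which is exactly the separation global_credentials = false is meant to give you.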