OAuth2 introspection of Kong token

Hi All,

I did not find the feature for OAuth2 introspection. I am expecting an introspect URL from Kong to verify the token issued by Kong from third-party services and consume those services if it has proper permission to do that.

For example, if I want to allow my services to work with a Google OAuth2 token, I will use their introspect URL to verify it and fetch additional data associated with it. Is there anything similar available as an external plugin, or will it come in the future?

Thank you,

Shiva, an OAuth 2 Introspection plugin is already available as a Kong plugin (https://getkong.org/plugins/ee-oauth2-introspection/), but only for enterprise users.
I don't think they are going to release it to the public.
You can write your own custom plugin to do the job.

Thanks for your reply. That plugin will only enable us to authorize tokens from another authorization server; I want to authorize a token of Kong itself from a different server, like another remote gateway node. Will it support that?

Thanks

You could do something like this:

  1. Add API e.g. /introspect in Kong
  2. Add OAuth 2.0 plugin to that API
  3. Add request termination plugin with 200 status code and { active = true } response body to that same API
  4. Call /introspect from that remote gateway with Kong OAuth 2.0 issued token, and check that it is verified (e.g. you get back 200 and not 401/403)
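As an added, constructed example (not code from this thread or from Kong), the following Python shows both halves of that setup: the three Admin API calls for steps 1-3 as data, and the remote gateway's step-4 check, exercised offline against a small local HTTP server that emulates what Kong answers on /introspect. The Admin API paths and plugin settings (`/apis`, `uris`, `config.global_credentials`, `config.body`) follow the Kong 0.x Admin API of the time the thread was written; the admin URL, the upstream placeholder, the token strings and the scope name are assumptions.

```python
"""Remote-gateway side of the /introspect trick from the thread above.

Constructed example: Kong's /introspect API (OAuth 2.0 plugin followed by the
request-termination plugin answering 200 {"active": true}) is emulated by a
local HTTP server so the check can be run offline. Only the status code carries
the verdict, because the body is a static string configured in
request-termination, so the client treats anything other than 200 as inactive.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def kong_setup_requests(admin_url="http://localhost:8001", scope="introspect"):
    """Steps 1-3 as (method, url, form fields) against the Kong 0.x Admin API.

    Assumed admin URL and scope name. The upstream is never reached because
    request-termination short-circuits the request, but Kong requires one.
    global_credentials must also be true on the plugin instance that issued
    the tokens, otherwise tokens are bound to the API they were issued for.
    """
    return [
        ("POST", f"{admin_url}/apis/",
         {"name": "introspect", "uris": "/introspect",
          "upstream_url": "http://127.0.0.1:1"}),  # placeholder, never reached
        ("POST", f"{admin_url}/apis/introspect/plugins/",
         {"name": "oauth2", "config.scopes": scope,
          "config.global_credentials": "true",
          "config.enable_client_credentials": "true"}),
        ("POST", f"{admin_url}/apis/introspect/plugins/",
         {"name": "request-termination", "config.status_code": "200",
          "config.content_type": "application/json",
          "config.body": json.dumps({"active": True})}),
    ]


# Constructed: tokens the emulated Kong node "issued". A real node looks the
# presented token up in its datastore and checks its expiry.
VALID_TOKENS = {"tok-issued-by-kong"}


class _FakeKongIntrospect(BaseHTTPRequestHandler):
    """Emulates Kong with oauth2 + request-termination on /introspect."""

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[7:] if auth.lower().startswith("bearer ") else None
        if self.path.split("?")[0] != "/introspect":
            self._send(404, {"message": "not found"})
        elif token in VALID_TOKENS:
            self._send(200, {"active": True})  # request-termination body
        else:  # what the oauth2 plugin answers for a bad or expired token
            self._send(401, {"error": "invalid_token",
                             "error_description": "The access token is invalid or has expired"})

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the emulator quiet
        pass


def start_fake_kong():
    """Start the emulator on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeKongIntrospect)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def introspect(introspect_url, token, timeout=3):
    """Step 4: True only if Kong answers 200 for this token; fail closed otherwise."""
    req = urllib.request.Request(introspect_url,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:  # 401/403 from the oauth2 plugin
        return False
    except (urllib.error.URLError, OSError):  # Kong unreachable or timed out
        return False


if __name__ == "__main__":
    srv, base = start_fake_kong()
    for tok in ("tok-issued-by-kong", "forged-token"):
        verdict = "active" if introspect(f"{base}/introspect", tok) else "inactive"
        print(f"{tok} -> {verdict}")
    srv.shutdown()
```

Two things to keep in mind when using this for real: the response body never changes, so the remote gateway learns only whether the token is valid, not its scopes or client (an RFC 7662 introspection response would carry those; Kong's oauth2 plugin sets them as upstream headers such as X-Authenticated-Scope, which request-termination does not echo back), and the /introspect API is reachable by anyone who can reach the proxy port, so it is worth limiting it to the remote gateway (for instance with the ip-restriction plugin and TLS between the nodes).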

Shiva, now I get it. Sorry for the misunderstanding. If you are looking for an implementation of RFC 7662 (OAuth introspection) by Kong, it is not available to date.
An issue was raised long ago and is still open.