OAuth2 token validation at the gateway level, possible?


I’m trying to architect a solution to protect a few of our internal data services. To do that I want to put Kong in the middle of the mix in order to add an extra layer of security. In this case an external entity will be calling our service; they authenticate with OAuth2 and will be managing all of that on their side. What I would like to be able to do is reject their call if they don’t have a valid set of tokens. In reading, it would seem that Kong can’t do that out of the box. Is there a plugin that would handle this kind of validation, or will we have to develop something to handle this? Just an FYI, the backend is NodeJS.



If tokens are signed with public keys (or even shared secret), you can verify the signature with, e.g.: https://docs.konghq.com/hub/kong-inc/jwt/

If your tokens are opaque, you can check them against introspection endpoint, if such is available.

Kong Enterprise comes with OpenID Connect Plugin that can also do this, and more. There are other 3rd party plugins such as:

And there are other projects too.


Thanks!! This looks like it will be feasible, and thanks for the links. I had looked at Kong Enterprise, but our project is so small there just wasn’t room in the budget for that kind of investment.