Plugin oauth2 with rate-limiting

Is it possible to use the oauth2 plugin and the rate-limiting plugin together for the path /token/oauth2, so that the rate-limiting plugin protects oauth2 from call abuse?

This may fit better into the general question forum, but as far as I know this isn’t easily doable. Authentication plugins generally execute before plugins that take action based on consumer information (such as rate-limiting): https://docs.konghq.com/2.0.x/plugin-development/custom-logic/#plugins-execution-order

Since the oauth2 token endpoints terminate the request after they return the token, the lower-priority rate-limiting plugin won’t execute.

It’s possible to proxy back to Kong by configuring one route with your oauth2 plugin as usual, and then adding a second route whose service points to the first route on the Kong proxy. You can configure rate-limiting on that second route, and it will then execute first because the request to the oauth2 route is a separate request. That should work, but adds a decent amount of configuration overhead.

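The two-route loopback described in the answer, written out as a Kong declarative config. This is an added example, not configuration from the original thread or from Kong; the service names, the backend URL, the `/token` and `/internal/token` paths, the `10` requests per minute limit and Kong listening on `127.0.0.1:8000` are assumptions, and `ip-restriction`'s `allow` field is the Kong 2.1+ name (`whitelist` in 2.0.x). The oauth2 plugin serves its token endpoint at `<route path>/oauth2/token`, so clients call `/token/oauth2/token` on the outer route.

```yaml
_format_version: "2.1"

services:
  # Inner hop: the real upstream. The oauth2 plugin on this route issues the
  # token and ends the request itself, so no lower-priority plugin runs here.
  - name: protected-api
    url: http://backend.internal:8080      # assumed backend
    routes:
      - name: oauth2-inner
        paths:
          - /internal/token                # reached only through the loopback hop
        strip_path: false
        plugins:
          - name: oauth2
            config:
              enable_client_credentials: true
              mandatory_scope: false
              # The loopback hop arrives over plain HTTP; Kong sets
              # X-Forwarded-Proto from the outer (HTTPS) connection.
              accept_http_if_already_terminated: true
          # Keep the unthrottled inner route unreachable from outside Kong.
          - name: ip-restriction
            config:
              allow:
                - 127.0.0.1

  # Outer hop: a service that points back at Kong's own proxy listener.
  - name: kong-loopback
    url: http://127.0.0.1:8000/internal/token
    routes:
      - name: oauth2-public
        paths:
          - /token                         # clients call /token/oauth2/token
        strip_path: true                   # /token/oauth2/token -> /internal/token/oauth2/token
        plugins:
          # No auth plugin on this route, so rate-limiting runs before the
          # request is proxied and counts by the real client IP.
          - name: rate-limiting
            config:
              minute: 10
              limit_by: ip
              policy: local
```

`policy: local` keeps counters per Kong node; with several nodes behind a load balancer use the `redis` or `cluster` policy so the limit is shared.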