Single OAuth token URL for all the services

When we use the OAuth 2.0 plugin, Kong exposes a token URL for each service, e.g. /service-path/oauth2/token. This way there will be a different OAuth URL for each service, and the consumer will also get a separate token for each service.

Is there a way to have a single OAuth URL exposed via Kong for all the services? Individual service access can be controlled via ACL plugin or using scopes.

This way consumers do not have to maintain a token for each service. They need to get a single token, and with that they should be able to call the services to which they have access.

You can’t exactly create a single URL due to the way the plugin implementation works (it basically adds handlers to intercept token generation requests for any route it’s enabled on), but there’s configuration that can sort of approximate it.

The plugin includes a global_credentials setting that allows it to share tokens with any other oauth2 instance that also has global_credentials set to true. Using that, you can create several instances of the plugin that all recognize each other's tokens.

With that, you can designate some route’s instance as the standard token provisioning route and instruct clients to interact with it. The other instances’ URLs will still be available, but you can ignore their existence if you wish.

2 Likes

Thanks @traines for the response. It worked as you suggested.

Also, I see the OAuth 2.0 plugin documentation mentions enabling the plugin on a service and globally. There is no documentation for adding it on a route.
Is this plugin not recommended to be used for routes?

Weird–it should be fine for routes. Consumers are usually the only thing you can’t use for auth plugins.

In my previous post, the routes in question weren’t literally routes with the plugins configured, but rather routes attached to the services with it configured (since the services don’t have URLs of their own to serve the token endpoints on).
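
The setup described in this thread, sketched as an added example (not configuration posted by anyone in the thread): two services each carry an oauth2 instance with global_credentials enabled, one route is treated as the token endpoint, and the ACL plugin decides per-service access. It assumes a database-backed Kong 3.x managed through a decK state file; every service name, path, group and credential is a constructed placeholder.

```yaml
# Added example, decK state file; every name, URL and secret is a constructed placeholder.
_format_version: "3.0"

services:
  - name: orders-service
    url: http://orders.internal:8080
    routes:
      - name: orders-route
        paths: ["/orders"]   # clients are told to use POST /orders/oauth2/token only
    plugins:
      - name: oauth2
        config:
          global_credentials: true    # accept tokens issued by any other instance with this set
          enable_client_credentials: true
          token_expiration: 3600
      - name: acl
        config:
          allow: ["orders-clients"]   # per-service access decided by consumer group

  - name: billing-service
    url: http://billing.internal:8080
    routes:
      - name: billing-route
        paths: ["/billing"]  # /billing/oauth2/token still exists; it is simply not advertised
    plugins:
      - name: oauth2
        config:
          global_credentials: true
          enable_client_credentials: true
          token_expiration: 3600
      - name: acl
        config:
          allow: ["billing-clients"]

consumers:
  - username: partner-app
    acls:
      - group: orders-clients         # deliberately not a member of billing-clients
    oauth2_credentials:
      - name: partner-app
        client_id: EXAMPLE_CLIENT_ID
        client_secret: EXAMPLE_CLIENT_SECRET
        redirect_uris: ["https://partner.example/callback"]
```

With this layout a token issued at /orders/oauth2/token authenticates on both services, and the ACL plugin then rejects partner-app on /billing. Because global_credentials makes one instance's tokens valid on every other participating instance, each such service needs its own ACL (or upstream scope check), otherwise any valid token is enough to reach it.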