Kong Enterprise only: This plugin is only available with a Kong Enterprise subscription.
Please inquire about Kong Enterprise by contacting us - or start a free trial today.

Validate access tokens sent by developers using a third-party OAuth 2.0 Authorization Server, by leveraging its Introspection Endpoint (RFC 7662). This plugin assumes that the Consumer already has an access token that will be validated against a third-party OAuth 2.0 server.


Terminology

  • plugin: a plugin executing actions inside Kong before or after a request has been proxied to the upstream API.
  • Service: the Kong entity representing an external upstream API or microservice.
  • Route: the Kong entity representing a way to map downstream requests to upstream services.
  • Consumer: the Kong entity representing a developer or machine using the API. When using Kong, a Consumer only communicates with Kong which proxies every call to the said upstream API.
  • Credential: a unique string associated with a Consumer, also referred to as an API key.
  • upstream service: this refers to your own API/service sitting behind Kong, to which client requests are forwarded.
  • API: a legacy entity used to represent your upstream services. Deprecated in favor of Services since CE 0.13.0 and EE 0.32.

Configuration

Enabling the plugin on a Service

Configure this plugin on a Service by making the following request:

$ curl -X POST http://kong:8001/services/{service}/plugins \
    --data "name=oauth2-introspection" 

  • service: the id or name of the Service that this plugin configuration will target.

Enabling the plugin on a Route

Configure this plugin on a Route with:

$ curl -X POST http://kong:8001/routes/{route_id}/plugins \
    --data "name=oauth2-introspection" 

  • route_id: the id of the Route that this plugin configuration will target.

Enabling the plugin on a Consumer

You can use the http://localhost:8001/plugins endpoint to enable this plugin on specific Consumers:

$ curl -X POST http://kong:8001/plugins \
    --data "name=oauth2-introspection" \
    --data "consumer_id={consumer_id}" 

Where consumer_id is the id of the Consumer we want to associate with this plugin.

You can combine consumer_id and service_id in the same request, to further narrow the scope of the plugin.

Enabling the plugin on an API

If you are using an older version of Kong with the legacy API entity (deprecated in favor of Services since CE 0.13.0 and EE 0.32.), you can configure this plugin on top of such an API by making the following request:

$ curl -X POST http://kong:8001/apis/{api}/plugins \
    --data "name=oauth2-introspection" 

  • api: either id or name of the API that this plugin configuration will target.

Global plugins

All plugins can be configured using the http://kong:8001/plugins/ endpoint. A plugin which is not associated to any Service, Route or Consumer (or API, if you are using an older version of Kong) is considered "global", and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

  • name: The name of the plugin to use, in this case oauth2-introspection.
  • service_id: The id of the Service which this plugin will target.
  • route_id: The id of the Route which this plugin will target.
  • enabled (default: true): Whether this plugin will be applied.
  • consumer_id: The id of the Consumer which this plugin will target.
  • api_id: The id of the API which this plugin will target. Note: The API Entity is deprecated in favor of Services since CE 0.13.0 and EE 0.32.
  • config.introspection_url: The full URL to the third-party introspection endpoint.
  • config.authorization_value: The value to append to the Authorization header when requesting the introspection endpoint.
  • config.token_type_hint (optional): The token_type_hint value to associate to introspection requests.
  • config.ttl (optional, default: 60): The TTL in seconds for the introspection response; set to 0 to disable the expiration.
  • config.hide_credentials (optional): An optional boolean value telling the plugin to hide the credential from the upstream API server. It will be removed by Kong before proxying the request.
  • config.timeout (optional, default: 10000): An optional timeout in milliseconds when sending data to the upstream server.
  • config.keepalive (optional, default: 60000): An optional value in milliseconds that defines for how long an idle connection will live before being closed.
  • config.anonymous (optional): An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure 4xx.
  • config.run_on_preflight (optional, default: true): A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false then OPTIONS requests will always be allowed.

Flow

(Figure: OAuth2 Introspection Flow)

Associate the response to a Consumer

To associate the introspection response with a Kong Consumer, you will have to provision a Kong Consumer whose username matches the username returned by the Introspection Endpoint response.

Upstream Headers

When a client has been authenticated, the plugin will append some headers to the request before proxying it to the upstream API/Microservice, so that you can identify the consumer in your code:

  • X-Consumer-ID, the ID of the Consumer on Kong (if matched)
  • X-Consumer-Custom-ID, the custom_id of the Consumer (if matched and if existing)
  • X-Consumer-Username, the username of the Consumer (if matched and if existing)
  • X-Anonymous-Consumer, will be set to true when authentication failed, and the ‘anonymous’ consumer was set instead.
  • X-Credential-Scope, as returned by the Introspection response (if any)
  • X-Credential-Client-ID, as returned by the Introspection response (if any)
  • X-Credential-Username, as returned by the Introspection response (if any)
  • X-Credential-Token-Type, as returned by the Introspection response (if any)
  • X-Credential-Exp, as returned by the Introspection response (if any)
  • X-Credential-Iat, as returned by the Introspection response (if any)
  • X-Credential-Nbf, as returned by the Introspection response (if any)
  • X-Credential-Sub, as returned by the Introspection response (if any)
  • X-Credential-Aud, as returned by the Introspection response (if any)
  • X-Credential-Iss, as returned by the Introspection response (if any)
  • X-Credential-Jti, as returned by the Introspection response (if any)

Note: Aforementioned X-Credential-* headers are not set when authentication failed, and the ‘anonymous’ consumer was set instead.
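The following is an added illustration, not Kong's plugin code: it models the decision flow described in the Parameters, Flow and Upstream Headers sections (the RFC 7662 request the plugin sends, Consumer matching by username, the X-Credential-* mapping, hide_credentials, anonymous fallback and run_on_preflight). The CONSUMERS table, the CFG values and the introspection responses are constructed sample data, and the assumption that the client presents the token as a Bearer Authorization header is not stated on the page.

```python
# Constructed RFC 7662 introspection response for an active token (sample data).
ACTIVE = {"active": True, "username": "alice", "scope": "read write", "client_id": "app-1",
          "token_type": "Bearer", "exp": 1700003600, "iat": 1700000000, "sub": "alice",
          "aud": "orders-api", "iss": "https://as.example.test", "jti": "tok-001"}
# Hypothetical Consumer table, looked up by the username the endpoint returns.
CONSUMERS = {"alice": {"id": "0a1b-c1", "custom_id": "emp-42", "username": "alice"}}
# Sample plugin config mirroring the config.* parameters above (values constructed).
CFG = {"introspection_url": "https://as.example.test/introspect",
       "authorization_value": "Basic PLACEHOLDER-CLIENT-CREDENTIALS",
       "token_type_hint": "access_token", "ttl": 60, "hide_credentials": True,
       "anonymous": "", "run_on_preflight": True}
# Introspection claim -> upstream header, as listed in this document.
CLAIM_HEADERS = {"scope": "X-Credential-Scope", "client_id": "X-Credential-Client-ID",
                 "username": "X-Credential-Username", "token_type": "X-Credential-Token-Type",
                 "exp": "X-Credential-Exp", "iat": "X-Credential-Iat", "nbf": "X-Credential-Nbf",
                 "sub": "X-Credential-Sub", "aud": "X-Credential-Aud",
                 "iss": "X-Credential-Iss", "jti": "X-Credential-Jti"}

def introspection_request(cfg, token):
    """Shape of the POST the plugin sends to config.introspection_url (RFC 7662 section 2.1)."""
    body = {"token": token}
    if cfg.get("token_type_hint"):
        body["token_type_hint"] = cfg["token_type_hint"]
    return {"method": "POST", "url": cfg["introspection_url"], "body": body,
            "headers": {"Authorization": cfg["authorization_value"],
                        "Content-Type": "application/x-www-form-urlencoded"}}

def resolve(cfg, method, inbound, response):
    """Return (status, headers forwarded upstream); assumes 'Authorization: Bearer <token>'."""
    upstream = dict(inbound)
    if method == "OPTIONS" and not cfg.get("run_on_preflight", True):
        return 200, upstream                          # preflight bypass, nothing authenticated
    if response.get("active") is True:
        consumer = CONSUMERS.get(response.get("username"))
        if consumer:                                  # Consumer provisioned with the same username
            upstream["X-Consumer-ID"] = consumer["id"]
            upstream["X-Consumer-Custom-ID"] = consumer["custom_id"]
            upstream["X-Consumer-Username"] = consumer["username"]
        for claim, header in CLAIM_HEADERS.items():   # X-Credential-* only for active tokens
            if claim in response:
                upstream[header] = str(response[claim])
        if cfg.get("hide_credentials"):               # strip the token before proxying
            upstream.pop("Authorization", None)
        return 200, upstream
    if cfg.get("anonymous"):                          # fall back to the anonymous Consumer
        upstream["X-Consumer-ID"] = cfg["anonymous"]  # assumption: its uuid is forwarded here
        upstream["X-Anonymous-Consumer"] = "true"
        return 200, upstream
    return 401, {}                                    # authentication failure, request rejected
```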