Basic config examples for OAuth 2.0 Introspection - Plugin - v3.7.x

You are browsing documentation for an outdated plugin version.

Basic configuration examples

Enable on a service

Enable on a route

Enable globally

The following examples provide some typical configurations for enabling the oauth2-introspection plugin on a .

Kong Admin API

Konnect API

Kubernetes

Declarative (YAML)

Konnect Terraform

Make the following request:

curl -X POST http://localhost:8001/services/{serviceName|Id}/plugins \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
  "name": "oauth2-introspection",
  "config": {
    "introspection_url": "https://example-url.com",
    "authorization_value": "Basic MG9hNWlpbjpPcGVuU2VzYW1l",
    "consumer_by": "username"
  }
}
    '

Replace SERVICE_NAME|ID with the id or name of the service that this plugin configuration will target.

Make the following request, substituting your own access token, region, control plane ID, and service ID:

curl -X POST \
https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer TOKEN" \
    --data '{"name":"oauth2-introspection","config":{"introspection_url":"https://example-url.com","authorization_value":"Basic MG9hNWlpbjpPcGVuU2VzYW1l","consumer_by":"username"}}'

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

First, create a KongPlugin resource:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oauth2-introspection-example
plugin: oauth2-introspection
config:
  introspection_url: https://example-url.com
  authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
  consumer_by: username
" | kubectl apply -f -

Next, apply the KongPlugin resource to an ingress by annotating the service as follows:

kubectl annotate service SERVICE_NAME konghq.com/plugins=oauth2-introspection-example

Replace SERVICE_NAME with the name of the service that this plugin configuration will target. You can see your available ingresses by running kubectl get service.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: oauth2-introspection
  service: SERVICE_NAME|ID
  config:
    introspection_url: https://example-url.com
    authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
    consumer_by: username

Replace SERVICE_NAME|ID with the id or name of the service that this plugin configuration will target.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "kpat_YOUR_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
  enabled = true

  config = {
    introspection_url = "https://example-url.com"
    authorization_value = "Basic MG9hNWlpbjpPcGVuU2VzYW1l"
    consumer_by = "username"
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

The following examples provide some typical configurations for enabling the oauth2-introspection plugin on a .

Kong Admin API

Konnect API

Kubernetes

Declarative (YAML)

Konnect Terraform

Make the following request:

curl -X POST http://localhost:8001/routes/{routeName|Id}/plugins \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
  "name": "oauth2-introspection",
  "config": {
    "introspection_url": "https://example-url.com",
    "authorization_value": "Basic MG9hNWlpbjpPcGVuU2VzYW1l",
    "consumer_by": "username"
  }
}
    '

Replace ROUTE_NAME|ID with the id or name of the route that this plugin configuration will target.

Make the following request, substituting your own access token, region, control plane ID, and route ID:

curl -X POST \
https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer TOKEN" \
    --data '{"name":"oauth2-introspection","config":{"introspection_url":"https://example-url.com","authorization_value":"Basic MG9hNWlpbjpPcGVuU2VzYW1l","consumer_by":"username"}}'

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

First, create a KongPlugin resource:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oauth2-introspection-example
plugin: oauth2-introspection
config:
  introspection_url: https://example-url.com
  authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
  consumer_by: username
" | kubectl apply -f -

Next, apply the KongPlugin resource to an ingress by annotating the ingress as follows:

kubectl annotate ingress INGRESS_NAME konghq.com/plugins=oauth2-introspection-example

Replace INGRESS_NAME with the name of the ingress that this plugin configuration will target. You can see your available ingresses by running kubectl get ingress.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: oauth2-introspection
  route: ROUTE_NAME|ID
  config:
    introspection_url: https://example-url.com
    authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
    consumer_by: username

Replace ROUTE_NAME|ID with the id or name of the route that this plugin configuration will target.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "kpat_YOUR_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
  enabled = true

  config = {
    introspection_url = "https://example-url.com"
    authorization_value = "Basic MG9hNWlpbjpPcGVuU2VzYW1l"
    consumer_by = "username"
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

A plugin which is not associated to any service, route, consumer, or consumer group is considered global, and will be run on every request.

In self-managed Kong Gateway Enterprise, the plugin applies to every entity in a given workspace.
In self-managed Kong Gateway (OSS), the plugin applies to your entire environment.
In Konnect, the plugin applies to every entity in a given control plane.

Read the and the Plugin Precedence sections for more information.

The following examples provide some typical configurations for enabling the OAuth 2.0 Introspection plugin globally.

Kong Admin API

Konnect API

Kubernetes

Declarative (YAML)

Konnect Terraform

Make the following request:

curl -X POST http://localhost:8001/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
  "name": "oauth2-introspection",
  "config": {
    "introspection_url": "https://example-url.com",
    "authorization_value": "Basic MG9hNWlpbjpPcGVuU2VzYW1l",
    "consumer_by": "username"
  }
}
    '

Make the following request, substituting your own access token, region, and control plane ID:

curl -X POST \
https://{us|eu}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer TOKEN" \
    --data '{"name":"oauth2-introspection","config":{"introspection_url":"https://example-url.com","authorization_value":"Basic MG9hNWlpbjpPcGVuU2VzYW1l","consumer_by":"username"}}'

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-oauth2-introspection>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
config:
  introspection_url: https://example-url.com
  authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
  consumer_by: username
plugin: oauth2-introspection

Add a plugins entry in the declarative configuration file:

plugins:
- name: oauth2-introspection
  config:
    introspection_url: https://example-url.com
    authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
    consumer_by: username

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "kpat_YOUR_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_oauth2_introspection" "my_oauth2_introspection" {
  enabled = true

  config = {
    introspection_url = "https://example-url.com"
    authorization_value = "Basic MG9hNWlpbjpPcGVuU2VzYW1l"
    consumer_by = "username"
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

Previous OAuth 2.0 Introspection Configuration

Next OAuth 2.0 Introspection Changelog