Looking for the plugin's configuration parameters? You can find them in the Upstream OAuth configuration reference doc.
The Upstream OAuth plugin allows Kong Gateway to support OAuth flows between Kong and the upstream API.
The plugin supports storing tokens issued by the IdP in different backend formats.
How it works
The upstream OAuth2 credential flow works similarly to the client credentials grant used by the OpenID Connect plugin. If a cached access token isn’t found, Kong issues a request to the IdP token endpoint to obtain a new token, which is cached, and then passed to the upstream API via a configurable header (Authorization
by default).
Authentication methods
This plugin supports the following authentication methods:
-
client_secret_basic
: Sendclient_id
andclient_secret
in anAuthorization: Basic
header -
client_secret_post
: Sendclient_id
andclient_secret
as part of the body -
client_secret_jwt
: Send a JWT signed with theclient_secret
using the client assertion as part of the body
Caching
The Upstream OAuth plugin caches tokens returned by the IdP.
Cached entries expire based on the expires_in
indicated by the IdP in the response to the token endpoint.
Tokens are cached using a hash of all values configured under the config.oauth
key.
This means that if two instances of the plugin (for example, configured on different routes and services) use identical values under the config.oauth
section,
then these will share cached tokens.
Caching strategies
The plugin supports the following caching strategies:
-
memory
: A locally storedlua_shared_dict
. The default dictionary,kong_db_cache
, is also used by other plugins and Kong Gateway elements to store unrelated database cache entities. -
redis
: Supports Redis, Redis Cluster, and Redis Sentinel deployments.