You are browsing unreleased documentation.
Looking for the plugin's configuration parameters? You can find them in the Upstream OAuth configuration reference doc.
The Upstream OAuth plugin allows Kong Gateway to support OAuth flows between Kong and the upstream API.
The plugin supports storing tokens issued by the IdP in different backend formats.
How it works
The upstream OAuth2 credential flow works similarly to the client credentials grant used by the OpenID Connect plugin. If a cached access token isn’t found, Kong issues a request to the IdP token endpoint to obtain a new token, which is cached, and then passed to the upstream API via a configurable header (Authorization
by default).
sequenceDiagram autonumber participant client as Client
(e.g. mobile app) participant kong as API Gateway
(Kong) participant idp as IdP
(e.g. Keycloak) participant api as 3rd Party API activate client activate kong client->>kong: request to Kong deactivate client activate idp kong->>idp: request access token
from IdP using
client ID and client secret (if IdP auth is set) deactivate kong idp->>idp: authenticate client activate kong idp->>kong: return access token deactivate idp activate api kong->>api: request with access token
in Authorization header deactivate kong activate kong api->>kong: response deactivate api activate client kong->>client: response deactivate client deactivate kong
Authentication methods
This plugin supports the following authentication methods:
-
client_secret_basic
: Sendclient_id
andclient_secret
in anAuthorization: Basic
header -
client_secret_post
: Sendclient_id
andclient_secret
as part of the body -
client_secret_jwt
: Send a JWT signed with theclient_secret
using the client assertion as part of the body
Caching
The Upstream OAuth plugin caches tokens returned by the IdP.
Cached entries expire based on the expires_in
indicated by the IdP in the response to the token endpoint.
Tokens are cached using a hash of all values configured under the config.oauth
key.
This means that if two instances of the plugin (for example, configured on different routes and services) use identical values under the config.oauth
section,
then these will share cached tokens.
Caching strategies
The plugin supports the following caching strategies:
-
memory
: A locally storedlua_shared_dict
. The default dictionary,kong_db_cache
, is also used by other plugins and Kong Gateway elements to store unrelated database cache entities. -
redis
: Supports Redis, Redis Cluster, and Redis Sentinel deployments.