The Upstream OAuth plugin allows Kong Gateway to support OAuth flows between Kong Gateway and the upstream API.
The plugin supports storing tokens issued by the IdP in different backend formats.
The upstream OAuth2 credential flow works similarly to the client credentials grant used by the OpenID Connect plugin. If a cached access token isn't found, Kong Gateway issues a request to the IdP token endpoint to obtain a new token, which is cached and then passed to the upstream API via a configurable header (Authorization by default).
This plugin supports the following authentication methods:

client_secret_basic: Send client_id and client_secret in an Authorization: Basic header.
client_secret_post: Send client_id and client_secret as part of the body.
client_secret_jwt: Send a JWT signed with the client_secret as a client assertion in the body.

The Upstream OAuth plugin caches tokens returned by the IdP. Cached entries expire based on the expires_in value indicated by the IdP in the response from the token endpoint.

Tokens are cached using a hash of all values configured under the config.oauth key. This means that if two instances of the plugin (for example, configured on different Routes and Gateway Services) use identical values under the config.oauth section, they will share cached tokens.
The plugin supports the following caching strategies:

memory: A locally stored lua_shared_dict. The default dictionary, kong_db_cache, is also used by other plugins and Kong Gateway elements to store unrelated database cache entities.
redis: Supports Redis, Redis Cluster, and Redis Sentinel deployments.
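The token flow and cache behaviour described above, as an added Python model that is not the plugin's own Lua code: the three client authentication methods build the token request, the cache key is a hash of the whole oauth section (so identical sections share an entry), and entries expire after the IdP's expires_in. The `post` callable, the `auth_method` field name and the HS256 claim set are assumptions for the example, and the IdP is stubbed.

```python
import base64, hashlib, hmac, json, time
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_secret_jwt(cfg, now):
    # HS256 client assertion signed with the client_secret (RFC 7523 style; claim set assumed)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": cfg["client_id"], "sub": cfg["client_id"],
              "aud": cfg["token_endpoint"], "iat": int(now), "exp": int(now) + 60}
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(cfg["client_secret"].encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url(mac.digest())}"

def client_auth(cfg, now):
    # Returns (headers, form body) for the token request under each authentication method
    method, body = cfg.get("auth_method", "client_secret_basic"), {"grant_type": "client_credentials"}
    if method == "client_secret_basic":
        creds = base64.b64encode(f"{cfg['client_id']}:{cfg['client_secret']}".encode()).decode()
        return {"Authorization": "Basic " + creds}, body
    if method == "client_secret_post":
        body.update(client_id=cfg["client_id"], client_secret=cfg["client_secret"])
        return {}, body
    if method == "client_secret_jwt":
        body.update(client_id=cfg["client_id"], client_assertion_type=ASSERTION_TYPE,
                    client_assertion=client_secret_jwt(cfg, now))
        return {}, body
    raise ValueError(f"unsupported auth_method: {method}")

def cache_key(oauth_cfg):
    # Hash of the whole oauth section: identical sections on different routes share one entry
    return hashlib.sha256(json.dumps(oauth_cfg, sort_keys=True).encode()).hexdigest()

class TokenCache:
    def __init__(self, post, now=time.time):
        self._post, self._now, self._store = post, now, {}  # post(url, headers, body) -> IdP JSON

    def get_token(self, oauth_cfg):
        key, t = cache_key(oauth_cfg), self._now()
        hit = self._store.get(key)
        if hit and t < hit[1]:
            return hit[0], True  # served from cache
        headers, body = client_auth(oauth_cfg, t)
        resp = self._post(oauth_cfg["token_endpoint"], headers, body)
        self._store[key] = (resp["access_token"], t + float(resp.get("expires_in", 0)))
        return resp["access_token"], False  # fetched from the IdP, now cached
def upstream_headers(token, header_name="Authorization"):
    return {header_name: f"Bearer {token}"}
```

Because the key covers the whole oauth section, a config that differs only in scope or endpoint gets its own entry; only byte-identical sections share one.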