Kong API Gateway is one of the most popular API gateways on the market right now. I covered how to deploy Kong behind Traefik in my previous post. Today I am going to cover how to use the Kong OAuth2 plugin. There are many articles on this topic, and most of them spend too long on the concepts behind OAuth2. In this post I will leave the concepts aside and focus on using the plugin.
Prerequisites:
Kong installed with a database. The OAuth2 plugin stores tokens and authorization codes in the database, so it does not work in DB-less or hybrid mode.
Access to the Kong Admin API. In this demo the Admin API listens on the default port 8001.
A basic understanding of each OAuth2 grant flow.
Prepare Kong
In today's demo I am running Kong Gateway (OSS) version 2.3.2. I will show each curl request and its JSON response to give you an idea of what it looks like.
Create service
Define a service object in Kong whose upstream is your API server. In this example I use httpbin.
With a route for the path /demo attached to the service, we can reach it with curl localhost:8000/demo
Enable Oauth2 Plugin
The plugin is enabled on the service, and I am supplying my own provision_key. If you leave this parameter out, Kong generates one for you. I am also enabling all four grants for demonstration purposes; in a real deployment you should enable only the grant(s) you actually use, because every enabled grant is another way to obtain a token from this service.
Next, create a consumer and add OAuth2 credentials to it. I am also supplying my own client_id and client_secret for this demo. Leave them blank if you want Kong to generate these values for you.
Do not set hash_secret=true when you let Kong generate the client_secret: the secret is hashed before it is stored and returned, so you would never learn the plaintext value your client needs.
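The Admin API calls from the setup above, as one added example that is not code from the original post or from Kong. It assumes the Admin API on http://localhost:8001, the names used in the post (service "demo" on path /demo with httpbin as upstream), a consumer named "demo-user" and a redirect URI of http://localhost:8080/callback (both assumed), and a plugin version that accepts the `pkce` option. The `send` parameter is injectable so the sequence can be exercised without a running gateway, and the grant list is explicit so that only the grants you pass are switched on.

```python
"""Provision the Kong objects from the walkthrough above through the Admin API.

Added example, not code from the original post or from Kong. It assumes the
Admin API on http://localhost:8001, the names used in the post (service
"demo" on path /demo with httpbin as upstream) and a plugin version that
accepts the `pkce` option. `send` is injectable so the sequence can be
exercised without a running gateway.
"""
from __future__ import annotations

import json
import secrets
import urllib.request
from typing import Callable

ALL_GRANTS = {"authorization_code", "client_credentials", "implicit", "password"}


def http_post(url: str, body: dict) -> dict:
    """Default transport: JSON POST to the Admin API, decoded JSON back."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def oauth2_plugin_config(provision_key: str, grants: set[str]) -> dict:
    """Plugin body that enables only the grants you will actually use.

    The post switches all four on for demonstration; in production pass the
    single grant your clients need (for example {"client_credentials"}).
    """
    unknown = grants - ALL_GRANTS
    if unknown:
        raise ValueError(f"unknown grant(s): {sorted(unknown)}")
    if not grants:
        raise ValueError("enable at least one grant")
    return {
        "name": "oauth2",
        "config": {
            "provision_key": provision_key,
            "enable_authorization_code": "authorization_code" in grants,
            "enable_client_credentials": "client_credentials" in grants,
            "enable_implicit_grant": "implicit" in grants,
            "enable_password_grant": "password" in grants,
            # Assumed option: "strict" makes PKCE mandatory for every client on
            # the authorization-code grant ("lax", the default, merely allows it).
            "pkce": "strict",
        },
    }


def provision_kong(admin: str, provision_key: str, client_id: str,
                   client_secret: str, grants: set[str],
                   send: Callable[[str, dict], dict] = http_post) -> list[dict]:
    """Service, route, plugin, consumer, credential: the order the post uses."""
    steps = [
        (f"{admin}/services", {"name": "demo", "url": "http://httpbin.org"}),
        (f"{admin}/services/demo/routes", {"name": "demo", "paths": ["/demo"]}),
        (f"{admin}/services/demo/plugins", oauth2_plugin_config(provision_key, grants)),
        (f"{admin}/consumers", {"username": "demo-user"}),  # assumed consumer name
        (f"{admin}/consumers/demo-user/oauth2", {
            "name": "demo-app",  # assumed application name
            "client_id": client_id,
            "client_secret": client_secret,
            "redirect_uris": ["http://localhost:8080/callback"],  # assumed
            # Only hash a secret you supply yourself; the post warns against
            # hash_secret=true when Kong generates the secret for you.
            "hash_secret": True,
        }),
    ]
    return [send(url, body) for url, body in steps]


if __name__ == "__main__":
    # Random secrets instead of the hard-coded demo values from the post.
    responses = provision_kong(
        "http://localhost:8001",
        provision_key=secrets.token_urlsafe(32),
        client_id=secrets.token_urlsafe(16),
        client_secret=secrets.token_urlsafe(32),
        grants={"authorization_code"},
    )
    print(json.dumps(responses, indent=2))
```

Run it as a script against a local Kong to create the five objects; the generated provision_key and client_secret are printed once in the responses and should be stored by you, not re-derived later. Pass `grants={"client_credentials"}` for a machine-to-machine client and the implicit and password grants stay off.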
Authorization code grant: we first make a request to https://localhost:8443/demo/oauth2/authorize to obtain an authorization code. Then we request an access token from https://localhost:8443/demo/oauth2/token using the code returned by the first call.
Implicit grant: you should almost never use this flow, for the security reasons explained in the Okta blog post linked above. It only requires sending the client ID to the authorization server, and the access token is returned directly from https://localhost:8443/demo/oauth2/authorize, with no code exchange and no client authentication.
Client credentials grant: this flow is mainly used for machine-to-machine traffic. It returns only an access token, with no refresh token, so your client must request a new token from https://localhost:8443/demo/oauth2/token when the old one expires.
Password grant: use this flow ONLY when something in front of Kong has already verified the user's identity. Kong does not check the user's password itself; you pass it an authenticated user id (together with the provision_key) and get back an access token and a refresh token.
For the authorization code grant, you can include PKCE in the flow.
Generate Verifier and Challenge
Normally you should generate the verifier and challenge on the fly inside your own client. For demonstration purposes I will use https://tonyxu-io.github.io/pkce-generator/ to produce these values.
As you can see in the examples, the authorization_code and password grants return a refresh_token. Once we have the refresh token, we can use the refresh_token grant to obtain a new access token.
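The PKCE generation from the "Generate Verifier and Challenge" section, the two-call authorization code exchange described above, and the refresh_token grant, as one added example that is not the post's demo tool and not Kong's code. It assumes the plugin endpoints at https://localhost:8443/demo/oauth2/authorize and /token and the demo client names from the post; `post` is injectable so the exchange can be tested without a gateway.

```python
"""PKCE generation plus the Kong authorization-code and refresh-token
exchanges described in the post.

Added example, not the post's demo tool and not Kong's code. It assumes the
plugin endpoints at https://localhost:8443/demo/oauth2/{authorize,token}
and the demo client names from the post; `post` is injectable so the
exchange can be tested without a gateway.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable


def make_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 32 random bytes, base64url without padding,
    gives 43 characters from the unreserved set [A-Za-z0-9-._~]."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def verifier_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs on the token request."""
    return secrets.compare_digest(make_challenge(verifier), challenge)


def form_post(url: str, fields: dict) -> dict:
    """Default transport: form-encoded POST, JSON back. Kong's default
    self-signed certificate on 8443 will fail verification here; install a
    trusted certificate rather than disabling TLS checks."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def authorization_code_flow(base, client_id, client_secret, provision_key,
                            authenticated_userid, redirect_uri,
                            post: Callable[[str, dict], dict] = form_post) -> dict:
    """Step 1 (server side, carrying the provision_key and the user id you
    authenticated yourself) returns {"redirect_uri": "...?code=..."};
    step 2 swaps the code and the PKCE verifier for tokens."""
    verifier = make_verifier()
    auth = post(f"{base}/demo/oauth2/authorize", {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "provision_key": provision_key,
        "authenticated_userid": authenticated_userid,
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    })
    query = urllib.parse.urlparse(auth["redirect_uri"]).query
    code = urllib.parse.parse_qs(query)["code"][0]
    return post(f"{base}/demo/oauth2/token", {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,  # the verifier leaves this process only here
    })


def refresh_token_flow(base, client_id, client_secret, refresh_token,
                       post: Callable[[str, dict], dict] = form_post) -> dict:
    """Trade the refresh_token from an authorization_code or password grant
    for a new access token once the old one has expired."""
    return post(f"{base}/demo/oauth2/token", {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })
```

Call `authorization_code_flow("https://localhost:8443", client_id, client_secret, provision_key, "alice", "http://localhost:8080/callback")` from the component that has already authenticated the user; the only thing a stolen authorization code buys an attacker is a token request they cannot complete, because the verifier never left your process. The S256 challenge is checked against the RFC 7636 Appendix B test vector in the tests for this block.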
I've also made a simple PHP application that runs all of these flows for you. You can get the image at https://hub.docker.com/r/fomm/kong-oauth2-demo. All you need to do is run
docker run -d -p 8080:80 fomm/kong-oauth2-demo
Then open your browser and access the tool at localhost:8080.
That's all for today. If there are any Kong-related topics (plugin usage, deployment methods) you want me to cover, please leave a comment below.