By Marone: June 2020

Secure API with Kong
OAuth2 Authentication plugin



After seeing how to run and set up Kong in the previous article, we will now try to protect the provided API.
The API should be restricted and only available to authenticated callers. The API is stateless, so each request must carry some sort of credential that Kong verifies.

Used technologies

Kong Gateway v2.x
Docker 19.x (Running on Windows)
Curl 7.65

Enabling the oauth2 plugin

The OAuth 2.0 Authentication plugin is assigned to the service my-api, with client_credentials enabled as the grant_type.
Please keep the value of provision_key; it will be needed to obtain an access token.

Check the API

Now the API is restricted and requires an access token.

Add Consumer

We need a consumer who can access the API; in this case the consumer acts as a service.

Create Application

We need OAuth 2.0 credentials associated with the consumer consumer1234.
The application name must be set.
Because we don't specify our own client_id and client_secret, Kong generates them for us.

Obtain AccessToken

Note: as per the OAuth 2.0 specification, this plugin requires the underlying service to be served over HTTPS, so we call the token endpoint over HTTPS.
Now the client can send this token in the Authorization header to access the protected API.

Call API with AccessToken
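The five steps above collected into one script, added here as an example and not the article's own commands. It assumes the Admin API on localhost:8001, the proxy on localhost:8443, a route for my-api mounted at /my-api, and the application name my-api-client.

```shell
#!/bin/sh
# Added example, not the article's commands. Assumed values: Admin API on
# localhost:8001, proxy on localhost:8443, a route for my-api at /my-api,
# and the application name my-api-client.
ADMIN="${KONG_ADMIN:-http://localhost:8001}"
PROXY="${KONG_PROXY:-https://localhost:8443}"
ROUTE_PATH="${ROUTE_PATH:-/my-api}"
# Pull one string field out of a flat JSON response without a JSON tool.
# Prints nothing when the key is absent (e.g. an error response).
json_string() {
  printf '%s' "$2" | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}
# Step 1: enable oauth2 on service my-api with only the client_credentials
# grant. The plugin response carries config.provision_key; keep it safe.
enable_oauth2_plugin() {
  curl -sS -X POST "$ADMIN/services/my-api/plugins" \
    --data "name=oauth2" --data "config.enable_client_credentials=true"
}
# Step 2: a consumer that represents the calling service.
add_consumer() {
  curl -sS -X POST "$ADMIN/consumers" --data "username=consumer1234"
}
# Step 3: OAuth2 credentials for the consumer; Kong generates client_id and
# client_secret because none are supplied.
create_application() {
  curl -sS -X POST "$ADMIN/consumers/consumer1234/oauth2" --data "name=my-api-client"
}

# Step 4: client_credentials grant over HTTPS. -k only tolerates Kong's
# self-signed demo certificate; the secret travels in the body, never the URL.
obtain_token() {
  curl -sSk -X POST "$PROXY$ROUTE_PATH/oauth2/token" \
    --data "grant_type=client_credentials" \
    --data-urlencode "client_id=$1" --data-urlencode "client_secret=$2"
}

# Step 5: call the protected API with the bearer token.
call_api() {
  curl -sSk "$PROXY$ROUTE_PATH/" -H "Authorization: Bearer $1"
}

# The whole flow, run only against a live Kong when RUN_FLOW=1 is set.
if [ "${RUN_FLOW:-0}" = "1" ]; then
  enable_oauth2_plugin >/dev/null
  add_consumer >/dev/null
  APP=$(create_application)
  TOKEN=$(json_string access_token "$(obtain_token \
    "$(json_string client_id "$APP")" "$(json_string client_secret "$APP")")")
  call_api "$TOKEN"
fi
```

Without RUN_FLOW=1 the script only defines the functions, so it can be sourced and the steps run one at a time while inspecting each response.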