By Marone: June 2020
Goal
After seeing how to run and set up Kong in the previous article, we will now try to protect the provided API.
The API should be restricted and only available to authenticated callers. The API is stateless, so each request must carry some kind of information that can be verified on Kong.
Used technologies
Kong Gateway v2.x
Docker 19.x (running on Windows)
Enabling the oauth2 plugin
Response:
The OAuth 2.0 Authentication plugin is assigned to the service my-api. We enable client_credentials as grant_type.
Please keep the value of provision_key; this will be needed to obtain an access token.
Check the API
Now the API is restricted and requires an access token.
Add Consumer
We need a consumer who can access the API; the consumer in this case acts as a service.
Create Application
We need OAuth 2.0 credentials which should be associated with the consumer consumer1234.
The application name must be set.
Because we don't specify our own client_secret, Kong will generate one for us.
Note! As per the OAuth 2.0 spec, this plugin requires the underlying service to be served over HTTPS, so we call the token endpoint over HTTPS.
Response:
Now the client can send this token in the Authorization header to access the protected API.
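The whole procedure above, as an added example that is not code from the original article: the Kong 2.x Admin API and token-endpoint calls run end to end, with the client_credentials token request sending only the generated client_id and client_secret. Assumptions: the Admin API listens on localhost:8001, the HTTPS proxy on localhost:8443, the my-api service from the previous article is reachable under the route path /my-api, and my-app is a placeholder application name.

```shell
#!/usr/bin/env sh
# Assumed lab layout: Admin API on :8001, HTTPS proxy on :8443, and the
# service "my-api" from the previous article reachable under route /my-api.
set -eu
ADMIN=${KONG_ADMIN:-http://localhost:8001}
PROXY=${KONG_PROXY:-https://localhost:8443}
ROUTE=${ROUTE_PATH:-/my-api}    # assumed route path of my-api

# Extract one string field from a compact JSON document on stdin. Enough
# for Kong's flat responses; use jq for anything more complex.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

enable_oauth2() {        # Enabling the oauth2 plugin on the service
  curl -sS -X POST "$ADMIN/services/my-api/plugins" \
    --data name=oauth2 --data config.enable_client_credentials=true
}

create_consumer() {      # Add Consumer
  curl -sS -X POST "$ADMIN/consumers" --data username=consumer1234
}

create_application() {   # Create Application (client_id/secret generated)
  curl -sS -X POST "$ADMIN/consumers/consumer1234/oauth2" --data name=my-app
}

get_token() {            # client_credentials grant at the token endpoint
  # -k only because the lab uses Kong's default self-signed certificate
  curl -sSk -X POST "$PROXY$ROUTE/oauth2/token" \
    --data grant_type=client_credentials \
    --data "client_id=$1" --data "client_secret=$2"
}

main() {
  plugin=$(enable_oauth2)
  echo "provision_key: $(printf '%s' "$plugin" | json_field provision_key)"
  create_consumer >/dev/null
  app=$(create_application)
  id=$(printf '%s' "$app" | json_field client_id)
  secret=$(printf '%s' "$app" | json_field client_secret)
  # Check the API: without a token the gateway must answer 401
  curl -sSk -o /dev/null -w 'no token: HTTP %{http_code}\n' "$PROXY$ROUTE"
  token=$(get_token "$id" "$secret" | json_field access_token)
  # the same call with the bearer token is let through to my-api
  curl -sSk -o /dev/null -w 'with token: HTTP %{http_code}\n' \
    -H "Authorization: Bearer $token" "$PROXY$ROUTE"
}
if [ "${1:-}" = run ]; then main; fi     # sh kong-oauth2.sh run
```

Run it once against a fresh Kong; re-running will fail on the duplicate consumer and plugin, which is the Admin API telling you the objects already exist.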