Enable the OAuth 2.0 Authentication plugin, then create a Consumer and an application using the /consumers/$CONSUMER/oauth2 API. Send a request to the /$ROUTE_PATH/oauth/token with the client credentials to generate a token.
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA
Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.
For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
Run the following command:
echo '
_format_version: "3.0"
services:
- name: example-service
url: http://httpbin.konghq.com/anything
routes:
- name: example-route
paths:
- "/anything"
service:
name: example-service
' | deck gateway apply -
To learn more about entities, you can read our entities documentation.
Use uuidgen to generate a provision key for the OAuth 2.0 Authentication plugin:
export DECK_PROVISION_KEY=$(uuidgen)
Enable the OAuth 2.0 Authentication plugin on the Gateway Service we created in the prerequisites.
echo '
_format_version: "3.0"
plugins:
- name: oauth2
service: example-service
config:
scopes:
- email
- profile
global_credentials: true
provision_key: "${{ env "DECK_PROVISION_KEY" }}"
enable_client_credentials: true
' | deck gateway apply -
Consumers let you identify the client that’s interacting with Kong Gateway. Create a new Consumer with just a username:
echo '
_format_version: "3.0"
consumers:
- username: alex
' | deck gateway apply -
Create an application for the Consumer:
curl -X POST "http://localhost:8001/consumers/alex/oauth2" \
-H "Accept: application/json"\
-H "Content-Type: application/json" \
--json '{
"name": "TestApp",
"redirect_uris": [
"http://localhost:8000/anything"
]
}'
Export the autogenerated client ID and client secret to environment variables:
export CLIENT_ID={client_id}
export CLIENT_SECRET={client_secret}
Use the applications’s client credentials to generate a token:
curl -X POST "https://localhost:8443/anything/oauth2/token" \
--header "Content-Type: application/json" \
--json '{
"client_id": "'$CLIENT_ID'",
"client_secret": "'$CLIENT_SECRET'",
"grant_type": "client_credentials"
}'
Export the token to an environment variable:
export TOKEN={access_token}
To validate that the configuration works as expected, send a request to the /anything Route using the token we generated:
curl "http://localhost:8000/anything" \
-H "Authorization: Bearer $TOKEN"
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Can I integrate the Kong OAuth2 token flow with OpenID Connect?
Yes, you can use the Kong OAuth2 plugin with OpenID Connect. This lets you use tokens generated by Kong Gateway to authenticate with an IdP.
Learn more about the Kong OAuth2 token flow, or see the how-to guide on configuring OIDC with Kong Oauth2 token authentication.