OAuth 2.0 Authentication

Overview Get started Configuration reference Changelog API reference

Upstream headers

When a client has been authenticated, the plugin appends some headers to the request before proxying it to the upstream service, so that you can identify the Consumer in your code:

X-Consumer-ID: The ID of the Consumer in Kong Gateway.
X-Consumer-Custom-ID: The custom_id of the Consumer (if set).
X-Consumer-Username: The username of the Consumer (if set).
X-Credential-Identifier: The identifier of the credential (only if the Consumer is not the anonymous Consumer).
X-Anonymous-Consumer: Is set to true if authentication fails, and the anonymous Consumer is set instead.
X-Authenticated-Scope: The comma-separated list of scopes that the end user has authenticated, if available (only if the Consumer is not the ‘anonymous’ Consumer).
X-Authenticated-Userid: The logged-in user ID who has granted permission to the client (only if the Consumer is not the ‘anonymous’ Consumer).

You can use this information on your side to implement additional logic. You can use the X-Consumer-ID value to query the Admin API and retrieve more information about the Consumer.

OAuth 2.0 flows

The OAuth2 plugin can run in one of two flows: client credentials or authorization code.

The client credentials flow works out of the box, without building any authorization page. The clients need to use the /oauth2/token endpoint to request an access token. For more details, see Enable OAuth 2.0 authentication with Kong Gateway.

Authorization code

The authorization code flow requires a few extra setup steps. After provisioning Consumers and associating OAuth 2.0 credentials to them, you must also:

Implement an authorization page on your web application.
Provide internal documentation on how to consume your OAuth 2.0 protected services, so that developers accessing your Service know how to build their client implementations.

How the Authorization Code flow works

Building the authorization page is the primary task that the plugin itself can’t do out of the box, because it requires checking that the user is properly logged in, and this operation is strongly tied with your authentication implementation.

The authorization page is made up of two parts:

The frontend page that the user sees, and that allows them to authorize the client application to access their data.
The backend that processes the HTML form displayed in the frontend. This backend connects with the OAuth 2.0 plugin in Kong Gateway and redirects the user to a third party URL.

You can see a sample implementation in node.js + express.js on GitHub.

Here’s how it works:

The client application redirects the end user to the authorization page on your web application, passing client_id, response_type, and scope (if required) as query string parameters.
The web application ensures that the user is logged in, then shows the authorization page.
The client application sends the client_id in the query string, from which the web application can retrieve both the OAuth 2.0 application name and developer name, by making the following request to Kong Gateway:
```
curl localhost:8001/oauth2?client_id=$CLIENT_ID
```
If the end user authorizes the application, the form submits the data to your backend with a POST request, sending the client_id, response_type, and scope parameters that were placed in <input type="hidden" .. /> fields.
The backend makes a POST request to Kong Gateway at your Service address, on the /oauth2/authorize endpoint, with the provision_key, authenticated_userid, client_id, response_type, and scope parameters. If an Authorization header was sent by the client, that must be added too. For example:
```
curl https://$SERVICE.com/oauth2/authorize \
  --header "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" \
  --data "client_id=$CLIENT_ID" \
  --data "response_type=$RESPONSE_TYPE" \
  --data "scope=$SCOPE" \
  --data "provision_key=$PROVISION_KEY" \
  --data "authenticated_userid=$USER_ID"
```
The provision_key is the key the plugin generates when it’s added to the Service. authenticated_userid is the ID of the logged-in end user who grants the permission.
Kong Gateway responds with a JSON response:
```
{
  "redirect_uri": "http://some/url"
}
```
The response can be either a 200 OK or 400 Bad Request.
In both cases, Kong Gateway ignores the response status code and redirects the user to whatever URI is being returned in the redirect_uri property.
The client application takes it from here, and continues the flow with Kong Gateway with no other interaction with your web application. For example, if it’s an Authorization Code Grant flow, the client app might exchange the authorization code for an access token.
After retrieving the access token,, the client application makes requests on behalf of the user to your upstream service.
Access tokens can expire, and when that happens the client application needs to renew the access token with Kong Gateway and retrieve a new one.

In this flow, the steps that you need to implement are:

The login page (step 2)
The Authorization page, with its backend that simply collects the values, makes a POST request to Kong Gateway, and redirects the user to whatever URL Kong Gateway has returned (steps 3 to 7)

gRPC requests

OAuth2 access tokens can be used by gRPC applications:

grpcurl -H 'authorization: bearer $TOKEN' ...

The rest of the credentials flow uses HTTPS and not gRPC. Depending on your application, you may have to configure the oauth2 plugin on two separate Routes: one under protocols: ["https"] and another under protocols: ["grpcs"].

WebSocket requests

This plugin can’t issue new tokens from a WebSocket Route, because the request will be rejected as an invalid WebSocket handshake. To use this plugin with WebSocket services, you must configure an additional, non-WebSocket Route to issue tokens. For more details, see Enable OAuth 2.0 authentication for WebSocket requests with Kong Gateway.

Resource owner password credentials (legacy systems only)

Important: The OAuth2 Security Best Practice explicitly mentions that Resource Owner Password Credentials “MUST NOT BE USED”. The following section is left here as a reference for supporting legacy systems.

The Resource Owner Password Credentials Grant is a much simpler version of the Authorization Code flow, but it still requires to build an authorization backend (without the frontend) to make it work properly.

On the first request, the client application makes a request with some OAuth2 parameters to your web application.
The backend of your web application adds the provision_key and grant_type parameters to the parameters originally sent by the client, then makes a POST request to Kong Gateway using the /oauth2/token endpoint of the configured plugin. If an Authorization header is sent by the client, that must be added too. For example:
```
 curl https://$SERVICE.com/oauth2/token \
   --header "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" \
   --data "client_id=$CLIENT_ID" \
   --data "client_secret=$CLIENT_SECRET" \
   --data "grant_type=password" \
   --data "scope=$SCOPE" \
   --data "provision_key=$PROVISION_KEY" \
   --data "authenticated_userid=$USER_ID" \
   --data "username=$USERNAME" \
   --data "password=$PASSWORD"
```
The provision_key is the key the plugin has generated when it has been added to the Service, while authenticated_userid is the ID of the end user whose username and password belong to.
Kong Gateway responds with a JSON response.
The JSON response sent by Kong Gateway must be sent back to the original client as it is. If the operation is successful, this response includes an access token, otherwise it returns an error.

In this flow, the step that you need to implement is the backend endpoint that processes the original request and authenticates the username and password values sent by the client. If the authentication is successful, this endpoint makes the request to Kong Gateway and returns the response that Kong Gateway sends back to the client.