/images/resources/tutorials/integration/tutorials-kong.png

Kong OAuth Proxy Plugin

tutorials
On this page

The OAuth Proxy is an extension to your API gateway that you need when your single page applications (SPAs) call OAuth-secured APIs using the Token Handler pattern. The SPA sends an encrypted proxy cookie that transports an access token. The OAuth Proxy plugin decrypts the cookie to extract the access token.

When the OAuth Proxy work completes, your Kong API gateway routes the request to the target API, which uses the access token to implement its OAuth security.

Download the OAuth Proxy

You get the OAuth Proxy by downloading a ZIP file from the Curity Developer Portal, with a filename of the following form. This zip file contains a Lua plugin that you deploy to your gateway and a README file with detailed instructions.

text
1
curity-token-handler-proxy-kong-<version>.zip

Deploy the OAuth Proxy

You must deploy the OAuth Proxy to a gateway that runs in your SPA's backend for frontend domain. If a deployment uses the following URLs, the OAuth Proxy executes in a gateway at https://bff.product.example:

  • SPA Web Origin: https://www.product.example
  • Backend for Frontend Base URL: https://bff.product.example
  • Target API Base URL: https://api.example.com

To deploy the OAuth Proxy, unpack the ZIP file and copy the Lua files to your Kong API gateway at the Lua plugins location, which will be a path similar to the following:

text
1
/usr/local/share/lua/5.1/kong/plugins/oauth-proxy/

One way to deploy the files is to create a custom Docker image:

dockerfile
12345678
FROM kong/kong:latest-ubuntu


COPY resources/plugin/handler.lua \
     resources/plugin/logic.lua \
     resources/plugin/schema.lua \
     /usr/local/share/lua/5.1/kong/plugins/oauth-proxy/


USER kong

When you deploy the Kong gateway you must also activate plugins using the KONG_PLUGINS environment variable. For an example, study the following Docker Compose file:

yaml
1234567891011121314
services:
  api-gateway:
    image: apigateway:1.0.0
    hostname: apigateway-internal
    ports:
      - 80:3001
    volumes:
      - ./apigateway/kong.yml:/usr/local/kong/declarative/kong.yml
    environment:
      KONG_DATABASE: 'off'
      KONG_DECLARATIVE_CONFIG: '/usr/local/kong/declarative/kong.yml'
      KONG_PROXY_LISTEN: '0.0.0.0:3001'
      KONG_LOG_LEVEL: 'info'
      KONG_PLUGINS: 'bundled,cors,oauth-proxy'

Prepare Decryption

You need an asymmetric keypair as part of your overall token handler deployment. To create one, follow the instructions in the Configure Cryptographic Keys section of the Create a Token Handler tutorial. This results in a PKCS#8 file with an encrypted private key, and also a private key password.

Configure API Routes

You must configure the OAuth Proxy for all API routes that the SPA calls. Also, add a route such as /oauthuserinfo if the SPA calls the authorization server's OpenID Connect userinfo endpoint.

First, you must configure the built-in CORS Plugin, to instruct the browser to allow requests with cookies from the SPA's web origin, and deny access to untrusted origins. Then, configure the OAuth Proxy plugin. You must provide the cookie decryption key for the OAuth Proxy, using the content of the PKCS#8 file, and the PKCS#8 file's password. An example configuraton is shown here:

yaml
123456789101112131415161718192021222324252627
- name: example-api
  url: http://api-internal:3001
  routes:
  - name: example-api-route
    hosts:
    - bff.product.example
    paths:
    - /api
  plugins:
  - name: cors
    config:
      origins:
      - http://www.product.example
      credentials: true
      max_age: 86400
  - name: oauth-proxy
    config:
      cookie_key: |-
        -----BEGIN ENCRYPTED PRIVATE KEY-----
        MIH0MF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBA9BLL4kbxiN4dOlIZE
        nxxsAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQ72a5HguvLkDUto5Q
        gLjuygSBkCOR6pSeXPp1ym5f+oPwYzT99EXbyxELUI43r01IcfY1i8Ib+rPbHB0K
        abRjKb/MnJXaRVS3iaQDYmTLK4SF6YcA3wRJtUZWTeCr79PbzkAootHyRjrYT6jN
        hOm/DLJHiRtNFyRTX+E9r9uMnYACmv6o0lsWScb0NrwPlyW3Ft14ayibtRvCnpEa
        CB3FgLlR9w==
        -----END ENCRYPTED PRIVATE KEY-----
      cookie_key_pass: default

Additional configuration settings are also available. For example, if the OAuth Agent uses a different prefix for cookie names than the default value th-, you should configure a cookie_prefix in the OAuth Proxy that matches the value from the OAuth Agent. You can find full information on configuration settings in the README file within your downloaded ZIP file, including some advanced options for caching.

OAuth Proxy Output

At runtime, the OAuth Proxy processes cookies in incoming requests from SPAs. On success it rewrites the HTTP request, setting the access token in the HTTP authorization header. The target API then receives a JWT access token in the standard way and can use it for its authorization.

If the OAuth Proxy experiences an invalid cookie error, it returns an error response to the SPA with a 401 HTTP status code. For other types of error, the OAuth Proxy returns a 500 HTTP status code.

Conclusion

The OAuth Proxy is part of your API gateway. It enables your SPAs to use the correct browser security and also make direct calls to API URLs. The OAuth Proxy plugin deals with the cookie complexity so that you do not need to implement it in your API code.

Join our Newsletter

Get the latest on identity management, API Security and authentication straight to your inbox.

Start Free Trial

Try the Curity Identity Server for Free. Get up and running in 10 minutes.

Start Free Trial
  1. Home
  2. Resources
  3. Kong OAuth Proxy Plugin

Was this helpful?