1 vote

I have configured the OAuth2 plugin in Kong with the Client Credentials flow. All endpoints are accessible and it works as expected, except that I can request an access token from the {service}/oauth2/token endpoint without providing the provision_key in my POST request. (It returns a valid token even when I only post grant_type, scope, client_id and client_secret as parameters.)

Is there something I need to enable in the plugin configuration? Or is it somehow defined so that with the client credentials flow (namely, the token endpoint) the provision_key is not needed?


1 Answer

1 vote

The provision_key is only needed if you also want to specify authenticated_userid with the request. This is a Kong-specific extension of OAuth2 which is not really compliant with the standard, which is why I guess they chose not to really document it.

If you are using Client Credentials for what it is intended for, server-to-server backend communication without an explicit user context, Kong will accept a token request without the provision_key, just as the OAuth 2.0 RFC specifies.
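As an added example, not code from the question, the answer or the Kong project, here is a small POSIX shell script that sends the two kinds of client-credentials token requests the thread discusses: the plain server-to-server request that works without provision_key, and the Kong-specific variant that binds the token to a user and therefore must carry provision_key next to authenticated_userid. The endpoint URL, client credentials and provision key are placeholders (read from environment variables) that you replace with your own; the parameter names are the ones named in the thread, and the script assumes curl is installed.

```shell
#!/bin/sh
# Added example, not Kong's code or the poster's. Reproduces the two
# client_credentials token requests discussed above against a Kong
# OAuth2 token endpoint.
set -eu

# Assumed placeholders: KONG_TOKEN_URL is the {service}/oauth2/token
# route from the question; the rest are your own client values.
KONG_TOKEN_URL="${KONG_TOKEN_URL:-https://kong.example.invalid/myservice/oauth2/token}"
CLIENT_ID="${CLIENT_ID:-my-client-id}"
CLIENT_SECRET="${CLIENT_SECRET:-my-client-secret}"
PROVISION_KEY="${PROVISION_KEY:-my-provision-key}"

# token_fields SCOPE [USERID]: print the form fields of a
# client_credentials token request, one "name=value" per line.
# authenticated_userid is only emitted together with provision_key,
# which is the one case where Kong needs the provision key at all.
token_fields() {
  scope=$1
  userid=${2:-}
  printf 'grant_type=client_credentials\n'
  printf 'scope=%s\n' "$scope"
  printf 'client_id=%s\n' "$CLIENT_ID"
  printf 'client_secret=%s\n' "$CLIENT_SECRET"
  if [ -n "$userid" ]; then
    printf 'provision_key=%s\n' "$PROVISION_KEY"
    printf 'authenticated_userid=%s\n' "$userid"
  fi
}

# field_count SCOPE [USERID]: number of fields the request carries
# (4 for plain client credentials, 6 when a user is bound).
field_count() {
  token_fields "$@" | wc -l | tr -d ' '
}

# has_field NAME SCOPE [USERID]: succeed if the request carries NAME.
has_field() {
  name=$1
  shift
  token_fields "$@" | grep -q "^$name="
}

# request_token SCOPE [USERID]: POST the fields to Kong as a
# form-encoded body and print the JSON reply. --data-urlencode keeps
# a client_secret or provision_key containing '&' or '=' intact.
request_token() {
  fields=$(token_fields "$@")
  set --
  while IFS= read -r line; do
    set -- "$@" --data-urlencode "$line"
  done <<EOF
$fields
EOF
  curl -sS -X POST "$@" "$KONG_TOKEN_URL"
}

# Usage:
#   request_token email            # no provision_key, as the question observed
#   request_token email user-42    # user-bound token, provision_key required
```

The first call is the request the question describes and is accepted without provision_key; the second is the only shape for which Kong asks for it. Because provision_key is what lets a caller stamp a token with an authenticated_userid, keep it on the trusted backend that performs that binding and off any client that should only ever act as itself.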