A Kong plugin used during API requests to deal with CORS and cookies, then forward access tokens
$ luarocks install kong-oauth-proxy
The Curity OAuth Proxy is a Lua library used when Single Page Applications (SPAs) call APIs.
This version is designed to be used by Kong API Gateway, including the open source version.
Secure cookies are first issued to the SPA by a separate token handler (OAuth Agent).
During API requests the plugin first validates web origins against a whitelist of trusted origins.
It then provides the CORS response headers needed for the SPA to make cross-origin requests.
During API requests the OAuth Proxy implements Cross Site Request Forgery protection when needed.
It then decrypts the secure cookies to get the access token they contain.
The access token is then forwarded to the API using the HTTP Authorization header.
All of this provides the strongest browser security without needing any API code changes.
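The request flow described above, as an added plain-Lua sketch that is not the plugin's own code and does not use the Kong API. The cookie names, the CSRF header name, the 401/204 status choices, the rule that CSRF applies to data-changing methods, and the injected `decrypt` function are all assumptions made for illustration.

```lua
-- Added sketch, not the plugin's source. Cookie and header names are hypothetical.
local TRUSTED_ORIGINS = { ["https://www.example.com"] = true }  -- constructed allowlist
local DATA_CHANGING = { POST = true, PUT = true, PATCH = true, DELETE = true }

-- Parse a Cookie header into a name -> value table.
local function parse_cookies(header)
  local cookies = {}
  for name, value in (header or ""):gmatch("([^=;%s]+)=([^;]*)") do
    cookies[name] = value
  end
  return cookies
end

-- Returns status, response_headers, upstream_headers.
-- `decrypt` is injected; it returns plaintext, or nil if the cookie fails authentication.
local function handle(req, decrypt)
  local origin = req.headers["origin"]
  -- 1. Exact-match origin check; untrusted origins get no CORS headers at all.
  if not origin or not TRUSTED_ORIGINS[origin] then return 401, {}, {} end
  -- 2. Credentialed CORS must echo the exact origin, never "*".
  local cors = {
    ["Access-Control-Allow-Origin"] = origin,
    ["Access-Control-Allow-Credentials"] = "true", ["Vary"] = "Origin",
  }
  if req.method == "OPTIONS" then  -- preflight requests carry no cookies
    cors["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE"
    cors["Access-Control-Allow-Headers"] = "x-example-csrf"
    return 204, cors, {}
  end
  local cookies = parse_cookies(req.headers["cookie"])
  -- 3. CSRF check (assumed to apply to data-changing methods; use a constant-time compare in production).
  if DATA_CHANGING[req.method] then
    local expected = cookies["example-csrf"] and decrypt(cookies["example-csrf"])
    if not expected or req.headers["x-example-csrf"] ~= expected then return 401, cors, {} end
  end
  -- 4. Decrypt the access token cookie and forward it to the API as a bearer token.
  local token = cookies["example-at"] and decrypt(cookies["example-at"])
  if not token then return 401, cors, {} end
  return 200, cors, { ["Authorization"] = "Bearer " .. token }
end

-- Constructed demo: the "cipher" is a placeholder prefix so the sketch runs offline.
local function demo_decrypt(v) return v:match("^enc:(.+)$") end
local status, _, upstream = handle({ method = "POST", headers = {
  origin = "https://www.example.com",
  cookie = "example-at=enc:token123; example-csrf=enc:abc",
  ["x-example-csrf"] = "abc",
} }, demo_decrypt)
print(status, upstream["Authorization"])
```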