A Lua plugin to receive incoming opaque tokens and forward JWT access tokens to APIs
$ luarocks install kong-phantom-token
The Curity Phantom Token plugin is a Lua library used to forward JWT access tokens to APIs.
It can be used with the Kong API Gateway, including the open source version.
The Identity Server issues opaque tokens to internet clients and stores the JWT access tokens.
This is a privacy-preserving pattern that ensures no sensitive token-related information is revealed.
During API requests, the plugin introspects the opaque token to get the JWT.
The JWT access token is then forwarded to the API using the HTTP Authorization header.
All of this keeps plumbing out of APIs, so that they are able to use simple authorization code.
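The exchange described above, as an added Python example that is not the plugin's own code. The in-memory Identity Server, the function names and the 200/401 return convention are assumptions made for illustration, and the JWT signature is a placeholder.

```python
import base64
import json
import secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class IdentityServer:
    """Constructed stand-in: hands out opaque tokens, keeps the JWTs server-side."""
    def __init__(self):
        self._jwts = {}  # opaque token -> stored JWT access token

    def issue(self, claims: dict) -> str:
        parts = [_b64url(json.dumps(p).encode()) for p in ({"alg": "ES256"}, claims)]
        jwt = ".".join(parts + [_b64url(b"placeholder-signature")])  # not a real signature
        opaque = secrets.token_urlsafe(32)  # random reference, carries no claims
        self._jwts[opaque] = jwt
        return opaque

    def revoke(self, opaque: str) -> None:
        self._jwts.pop(opaque, None)

    def introspect(self, opaque: str):
        return self._jwts.get(opaque)  # None for unknown or revoked tokens

def gateway_handle(request_headers: dict, introspect):
    """Gateway step: swap the opaque token for its JWT, or fail closed.
    Returns (status, headers); 200 here means 'forward these headers to the API'."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, {}
    jwt = introspect(token)
    if jwt is None:
        return 401, {}  # never pass an unrecognised token through to the API
    headers["authorization"] = "Bearer " + jwt  # replaces the opaque token
    return 200, headers

def jwt_claims(authorization: str) -> dict:
    """What the API sees: decode the payload of the forwarded JWT (no verification here)."""
    payload = authorization.split(" ", 1)[1].split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```
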