Feature Request: Oauth2 Authorization Endpoint

[rucciva]

Is it possible for kong to directly handle the OAuth2 authorization request while only outsourcing login and consent page and optionally error page to the upstream service?

In this flow, the user is first redirected to kong (instead of directly to upstream's login page) and then kong will validate the request and redirect to the configured login page. The login page will receive a temporary secret or token which can be used to communicate information about the authenticated user and the allowed scope to kong.

This could speed-up integration due to less logic being implemented and tighten up security by moving the OAuth2 validation to kong before the request even reach the upstream login page. It would also be beneficial in the event that the Oauth2 are to be upgraded to OpenID Connect in the future (well i might be imagining too far here).

My suggestion here are based on a project that could provide OpenID Connect authentication for a service (but only to one service, unlike kong that can provide Oauth2 authentication to multiple service)

[rucciva]

hi @bungle, is PR acceptable regarding this issue? if so i would like to try contribute on this feature