OIDC Kong / Keycloak #23
Comments
|
Try using client_secret_post on introspection.
…On Tue, 18 Oct 2022 at 09:05, Víctor Funes ***@***.***> wrote:
I am trying to use your plugin to connect keycloak 19.0.2 with kong 3.0.0,
but the introspection step seems not to be working properly as Kong always
returns when I try to access to an API:
{
"message": "Unauthorized"
}
When I execute the request for introspection manually from Postman, it
works perfectly using basic authentication (client_id and client_secret as
user and password in the header, and the token in the body), so my
assumption is that Keycloak expects this structure of request.
With this purpose, I have configured the OIDC plugin (using Konga by the
way) defining the value of the field "token endpoint auth method" as
"client_secret_basic".
After doing this, when I try to access the API, in the logs I can see the
message:
2022/10/18 07:47:48 [debug] 1378#0: *190 [lua] openidc.lua:515:
call_token_endpoint(): request body for introspection endpoint call:
client_secret=(my client secret)&token=(my token)&client_id=(my client id)
Apparently, client_secret_basic is behaving as client_secret_post
including the client_id and client_secret in the body instead of sending
this info in the header as Keycloak expects.
Am I doing something wrong?
Thanks in advance for your support.
—
Reply to this email directly, view it on GitHub
<#23>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACUVDT7ZCTWMJTVEMKRZTDLWDZK4FANCNFSM6AAAAAARHZVWQY>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Thank you for your quick answer! I am sure I am missing something in the configuration, but I cannot find it. 2022/10/18 13:52:34 [error] 1379#0: *1098 [kong] init.lua:290 [oidc] /usr/local/share/lua/5.1/kong/plugins/oidc/utils.lua:122: header must be a string, client: 172.19.0.1, server: kong, request: "GET /api/welcome HTTP/1.1", host: "localhost:8000" |
|
This is what we have configured and works perfectly.
plugins:
- name: oidc
config:
client_id: "introspection_client_id"
client_secret: "introspection_client_secret"
discovery: "
https://auth-server/.well-known/openid-configuration"
introspection_endpoint: "https://auth-server
/token/introspect"
introspection_endpoint_auth_method: "client_secret_post"
introspection_cache_ignore: "true"
unauth_action: "deny"
bearer_only: "yes"
…On Tue, 18 Oct 2022 at 15:01, Víctor Funes ***@***.***> wrote:
Thank you for your quick answer! I am sure I am missing something in the
configuration, but I cannot find it.
I have changed it back to client_secret_post, and now I get the first
error I got (this is why I tried to change to client_secret_basic):
2022/10/18 13:52:34 [error] 1379#0: *1098 [kong] init.lua:290 [oidc]
/usr/local/share/lua/5.1/kong/plugins/oidc/utils.lua:122: header must be a
string, client: 172.19.0.1, server: kong, request: "GET /api/welcome
HTTP/1.1", host: "localhost:8000"
172.19.0.1 - - [18/Oct/2022:13:52:34 +0000] "GET /api/welcome HTTP/1.1"
500 42 "-" "PostmanRuntime/7.29.2"
—
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACUVDTZRGDW6B5EDD2LWSMLWD2UTDANCNFSM6AAAAAARHZVWQY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
I have the same configuration, but still get the same error. |
|
I copy here also the oidc plugin config for more clarity: { |
|
You don't need to have a Kong Consumer to use OIDC plugin, the purpose of
OIDC is exactly that, to delegate the identity of your API consumer to an
external Identity Provider (your OIDC provider).
Note you need to have an OIDC client pre-configured (say kong ) in your
OIDC provider so you can run token introspection checks.
Hope this makes sense.
…On Wed, 19 Oct 2022 at 11:15, Víctor Funes ***@***.***> wrote:
I copy here also the oidc plugin config for more clarity:
{
"created_at": 1665503433,
"name": "oidc",
"service": null,
"protocols": [
"grpc",
"grpcs",
"http",
"https"
],
"enabled": true,
"route": null,
"config": {
"timeout": null,
"realm": "MyRealm",
"validate_scope": "no",
"client_secret": "jHW...(lalala)...BQM",
"ssl_verify": "no",
"introspection_cache_ignore": "true",
"redirect_uri": null,
"response_type": "code",
"token_endpoint_auth_method": "client_secret_post",
"ignore_auth_filters": null,
"logout_path": "/logout",
"revoke_tokens_on_logout": "no",
"redirect_after_logout_uri": "/",
"redirect_after_logout_with_id_token_hint": "no",
"post_logout_redirect_uri": null,
"bearer_jwt_auth_allowed_auds": [
"account"
],
"discovery": "
http://keycloak:8080/auth/realms/MyRealm/.well-known/openid-configuration
",
"skip_already_auth_requests": "no",
"scope": "openid",
"session_secret": null,
"bearer_jwt_auth_enable": "yes",
"groups_claim": "groups",
"header_names": [],
"header_claims": [],
"disable_userinfo_header": "no",
"userinfo_header_name": "X-USERINFO",
"introspection_endpoint": "
http://keycloak:8080/auth/realms/MyRealm/protocol/openid-connect/token/introspect
",
"disable_access_token_header": "no",
"access_token_header_name": "X-Access-Token",
"access_token_as_bearer": "yes",
"disable_id_token_header": "no",
"id_token_header_name": "X-ID-Token",
"introspection_endpoint_auth_method": null,
"unauth_action": "deny",
"bearer_jwt_auth_signing_algs": [
"RS256"
],
"recovery_page_path": null,
"client_id": "MyClientId",
"filters": null,
"bearer_only": "yes",
"use_jwks": "no"
},
"consumer": null,
"tags": null,
"id": "bf1f6dec-85fb-4084-8311-9360d32f30e8"
}
—
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACUVDT6XX5HYAROAMBMK3VDWD7C45ANCNFSM6AAAAAARHZVWQY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Ooops! Thank you for the clarification and your quick support! |
|
Hi, You can see the introspection success here: 2022/10/20 11:53:05 [debug] 1378#0: *865 [lua] openidc.lua:515: call_token_endpoint(): request body for introspection endpoint call: client_secret=DYC...p8u&client_id=Client&token=eyJ... The problem is just after this step of introspection when after the authorization kong has to call to the original endpoint: 2022/10/20 11:53:05 [debug] 1378#0: *865 [lua] handler.lua:141: introspect(): OidcHandler introspect succeeded, requested path: /mock/requests I use mockbin.org for testing, and I have tested the service and the route in kong before adding OIDC, working properly. |
|
If OIDC introspection is right the it’s just a matter of route to service…
that should simply work.
Can you put log level in debug mode and show the output?
…On Thu, 20 Oct 2022 at 14:31, Víctor Funes ***@***.***> wrote:
Reopened #23 <#23>.
—
Reply to this email directly, view it on GitHub
<#23 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACUVDT62OZQLT26S3I27QSLWEFCTBANCNFSM6AAAAAARHZVWQY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
I start the environment with docker-compose, and I already have in the environment this level of log you are requesting (KONG_LOG_LEVEL=debug) as you can see in the extract of my yaml (unless I did something wrong like a typo): kong: I also show you the service and the route configuration done in kong. SERVICE: ROUTE: |
|
Can you paste the log of the gateway (not the config) for a call with and
without oidc?
Also, shouldn't service protocol be https and port 443?
…On Thu, 20 Oct 2022 at 17:39, Víctor Funes ***@***.***> wrote:
I start the environment with docker-compose, and I already have in the
environment this level of log you are requesting (KONG_LOG_LEVEL=debug) as
you can see in the extract of my yaml (unless I did something wrong like a
typo):
kong:
image: revomatico/docker-kong-oidc:latest
container_name: kong
restart: always
user: kong
depends_on:
- postgres-kong
- kong-migrations
- kong-migrations-up
environment:
- KONG_LOG_LEVEL=debug
- KONG_ADMIN_ACCESS_LOG=/dev/stdout
- KONG_ADMIN_ERROR_LOG=/dev/stderr
- KONG_ADMIN_GUI_ACCESS_LOG=/dev/stdout
- KONG_ADMIN_GUI_ERROR_LOG=/dev/stderr
- KONG_PORTAL_API_ACCESS_LOG=/dev/stdout
- KONG_PORTAL_API_ERROR_LOG=/dev/stderr
- KONG_PROXY_ACCESS_LOG=/dev/stdout
- KONG_PROXY_ERROR_LOG=/dev/stderr
- KONG_ANONYMOUS_REPORTS=false
- KONG_CLUSTER_LISTEN=off
- "KONG_LUA_PACKAGE_PATH=/opt/?.lua;/opt/?/init.lua;;"
- KONG_NGINX_WORKER_PROCESSES=1
- "KONG_PLUGINS=bundled,oidc"
- "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl"
- "KONG_PROXY_LISTEN=0.0.0.0:8000, 0.0.0.0:8443 http2 ssl"
- "KONG_STATUS_LISTEN=0.0.0.0:8100"
- KONG_NGINX_DAEMON=off
- "KONG_X_SESSION_MEMCACHE_PORT='1234'"
- KONG_X_SESSION_COMPRESSOR=zlib
- KONG_DATABASE=postgres
- KONG_PG_DATABASE=kong
- KONG_PG_HOST=postgres-kong
- KONG_PG_PORT=5432
- KONG_PG_USER=kong
- KONG_PG_PASSWORD=kongpassword
links:
- postgres-kong
networks:
- kong-network
ports:
- "8000:8000/tcp"
- "127.0.0.1:8001:8001/tcp"
- "8443:8443/tcp"
- "127.0.0.1:8444:8444/tcp"
healthcheck:
test: ["CMD", "kong", "health"]
interval: 10s
timeout: 10s
retries: 10
I also show you the service and the route configuration done in kong.
As I said, it works if I delete the OIDC plugin and try to access.
SERVICE:
{
"updated_at": 1666266370,
"host": "mockbin.org",
"path": null,
"enabled": true,
"id": "93cea7e5-35ab-406b-a016-584b2ebd821b",
"retries": 5,
"write_timeout": 60000,
"tags": [],
"ca_certificates": null,
"port": 8080,
"tls_verify": null,
"client_certificate": null,
"tls_verify_depth": null,
"protocol": "http",
"name": "MockbinService",
"read_timeout": 60000,
"connect_timeout": 60000,
"created_at": 1666265649,
"extras": {
"createdUser": null,
"updatedUser": null,
"kong_node_id": "1",
"service_id": "93cea7e5-35ab-406b-a016-584b2ebd821b",
"createdAt": "2022-10-20T11:34:09.137Z",
"updatedAt": "2022-10-20T11:46:10.368Z",
"id": 1
}
}
ROUTE:
{
"updated_at": 1666266410,
"headers": null,
"path_handling": "v1",
"id": "80ee30b0-4691-4ceb-943c-9cc203d7ffb2",
"snis": null,
"strip_path": true,
"tags": null,
"hosts": null,
"service": {
"id": "93cea7e5-35ab-406b-a016-584b2ebd821b"
},
"destinations": null,
"paths": [
"/mock"
],
"methods": null,
"request_buffering": true,
"response_buffering": true,
"sources": null,
"name": "MockbinRoute",
"https_redirect_status_code": 426,
"protocols": [
"http",
"https"
],
"preserve_host": false,
"regex_priority": 0,
"created_at": 1666265686
}
—
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACUVDT7I7ASQGRHP4M5G4RTWEFYSRANCNFSM6AAAAAARHZVWQY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
I hope this helps. --------- Logs for the call with OIDC driver configured ------------ 2022/10/21 09:35:37 [debug] 1389#0: *185 [lua] init.lua:288: [cluster_events] polling events from: 1666343729.975 -------------- Logs for the call without OIDC driver configured (including plugin deletion) ------------- SUCCESS CALL: 2022/10/21 09:45:37 2022/10/21 09:44:47 [debug] 1389#0: *3 [lua] callback.lua:114: do_event(): worker-events: handling event; source=dao:crud, event=delete, wid=nil |
|
According to log the error It seems that constants.HEADERS.CREDENTIAL_IDENTIFIER is not defined... |
|
@christichiru, can't find a way to bring you to the conversation, only found the assign button (sorry about that) :P |
|
I saw this error and the source code, and looking in the original file of kong (https://github.com/Kong/kong/blob/master/kong/constants.lua) it is indeed defined: CREDENTIAL_IDENTIFIER = "X-Credential-Identifier" So my assumption was I was doing something wrong from the configuration point of view. I did not install kong by myself, but as you can see in my docker-compose, the image I am using is: |
|
The weird part is that the constant is defined, as expected. The issue has a different cause root cause, but the message is misleading. Those constants are used exactly like in many other plugins (the onses bundled with kong).
This is from the latest docker-kong-oidc image. @victorfunes can you please use image tag 3.0.0-6 instead of latest? |
|
Hi, The logs are: 2022/10/21 14:17:27 [debug] 1379#0: *427 [lua] init.lua:288: [cluster_events] polling events from: 1666361782.812 |
|
Additional info: the test I do with introspection is using the auth token given directly by Keycloak. |
|
Please, let me know if I can help providing any other information. |
I am trying to use your plugin to connect keycloak 19.0.2 with kong 3.0.0, but the introspection step seems not to be working properly as Kong always returns when I try to access to an API:
{
"message": "Unauthorized"
}
When I execute the request for introspection manually from Postman, it works perfectly using basic authentication (client_id and client_secret as user and password in the header, and the token in the body), so my assumption is that Keycloak expects this structure of request.
With this purpose, I have configured the OIDC plugin (using Konga by the way) defining the value of the field "token endpoint auth method" as "client_secret_basic".
After doing this, when I try to access the API, in the logs I can see the message:
2022/10/18 07:47:48 [debug] 1378#0: *190 [lua] openidc.lua:515: call_token_endpoint(): request body for introspection endpoint call: client_secret=(my client secret)&token=(my token)&client_id=(my client id)
Apparently, client_secret_basic is behaving as client_secret_post including the client_id and client_secret in the body instead of sending this info in the header as Keycloak expects.
Am I doing something wrong?
Thanks in advance for your support.
The text was updated successfully, but these errors were encountered: