gravitee-io / issues

Gravitee.io - API Platform - Issues

OAuth2 authentication failure #4687

Open pavanelthepumisc opened 3 years ago

pavanelthepumisc commented 3 years ago

I have my Gravitee up and running with Keycloak login. I've created an API with a plan of OAuth2 authentication and subscribed to it. When I'm trying to access the API from Postman I'm getting the following error:

[screenshot of the error response]

Expected Behavior

As my token is valid, I should get a response from my API.

Current Behavior

Getting error

Steps to Reproduce (for bugs)

  1. Created API
  2. Added a Resource with Generic OAuth2 Authorization Server type
  3. Added a plan with the OAuth Resource created in step 2
  4. Subscribed to it
  5. Got my access token by hitting my keycloak server from postman
  6. Accessing API with the access token received in step 5

Your Environment

aelamrani commented 3 years ago

Hi @pavanelthepumisc

Which version of Keycloak are you using?

pavanelthepumisc commented 3 years ago

Hi @aelamrani,

It's 11.0.2

aelamrani commented 3 years ago

Any error in gateway logs after a call?

pavanelthepumisc commented 3 years ago

No errors in logs @aelamrani

aelamrani commented 3 years ago

So, just had a try and everything is working on my side. Can you share the configuration of the Gravitee resource?

aelamrani commented 3 years ago

Ok try something like this one instead:

[screenshot of the resource configuration, 2020-12-03]

pavanelthepumisc commented 3 years ago

Here is my configuration @aelamrani

[screenshot of the resource configuration]

aelamrani commented 3 years ago

Cool, and does it work now?

aelamrani commented 3 years ago

Here is the full auth server URL in my example: http://localhost:8080/auth/realms/master/protocol/openid-connect

pavanelthepumisc commented 3 years ago

No, it's not working @aelamrani. Getting the following error:

[screenshot of the error response]

pavanelthepumisc commented 3 years ago

Here is my API export @aelamrani

```json
{
  "name": "OAuthTest",
  "version": "1.0.0",
  "description": "OAuthTest",
  "visibility": "PRIVATE",
  "paths": { "/": [] },
  "gravitee": "1.0.0",
  "resources": [
    {
      "name": "OAuthKeycloak",
      "type": "oauth2",
      "enabled": true,
      "configuration": {
        "authorizationServerUrl": "https://auth-dev.custompro.com/auth/realms/APIGateway/protocol/openid-connect",
        "introspectionEndpoint": "/token/introspect",
        "introspectionEndpointMethod": "POST",
        "scopeSeparator": " ",
        "userInfoEndpoint": "/userinfo",
        "userInfoEndpointMethod": "GET",
        "useClientAuthorizationHeader": true,
        "clientAuthorizationHeaderName": "Authorization",
        "clientAuthorizationHeaderScheme": "Basic",
        "tokenIsSuppliedByQueryParam": false,
        "tokenQueryParamName": "token",
        "tokenIsSuppliedByHttpHeader": true,
        "tokenIsSuppliedByFormUrlEncoded": true,
        "tokenFormUrlEncodedName": "token",
        "userClaim": "sub",
        "clientId": "HILTGLOBAL",
        "clientSecret": "*****************************",
        "tokenHeaderName": "Authorization"
      }
    }
  ],
  "properties": [],
  "members": [
    {
      "source": "custom-keycloak",
      "sourceId": "4e028174-6441-4c96-8560-cf5ba76eeb0b",
      "roles": [ "25270bf3-6426-446a-a70b-f36426c46a0c" ]
    }
  ],
  "pages": [
    {
      "id": "424bc826-90fd-46bb-8bc8-2690fd36bb30",
      "name": "Aside",
      "type": "SYSTEM_FOLDER",
      "order": 0,
      "published": true,
      "lastModificationDate": 1606973717424,
      "contentType": "application/json",
      "configuration": {},
      "homepage": false,
      "parentPath": "",
      "metadata": {},
      "api": "dfc03a3c-6d02-470c-803a-3c6d02d70c71",
      "excluded_groups": [],
      "attached_media": []
    }
  ],
  "plans": [
    {
      "id": "a4a84037-c85e-4d12-a840-37c85ead128d",
      "name": "Premium",
      "description": "Premium",
      "validation": "MANUAL",
      "security": "OAUTH2",
      "securityDefinition": "{\"extractPayload\":false,\"checkRequiredScopes\":false,\"modeStrict\":true,\"propagateAuthHeader\":true,\"requiredScopes\":[],\"oauthResource\":\"OAuthKeycloak\"}",
      "type": "API",
      "status": "PUBLISHED",
      "api": "dfc03a3c-6d02-470c-803a-3c6d02d70c71",
      "order": 1,
      "characteristics": [],
      "tags": [],
      "created_at": 1606974083964,
      "updated_at": 1606974087082,
      "published_at": 1606974087082,
      "paths": { "/": [] },
      "flows": [],
      "excluded_groups": [],
      "comment_required": false
    }
  ],
  "metadata": [
    {
      "key": "email-support",
      "name": "email-support",
      "format": "MAIL",
      "value": "${(api.primaryOwner.email)!''}",
      "defaultValue": "support@change.me",
      "apiId": "dfc03a3c-6d02-470c-803a-3c6d02d70c71"
    }
  ],
  "id": "dfc03a3c-6d02-470c-803a-3c6d02d70c71",
  "path_mappings": [],
  "proxy": {
    "virtual_hosts": [ { "path": "/oauth-test" } ],
    "strip_context_path": false,
    "preserve_host": false,
    "groups": [
      {
        "name": "default-group",
        "endpoints": [
          {
            "name": "default",
            "target": "http://dummy.restapiexample.com/api/v1",
            "weight": 1,
            "backup": false,
            "type": "HTTP",
            "inherit": true
          }
        ],
        "load_balancing": { "type": "ROUND_ROBIN" },
        "http": {
          "connectTimeout": 5000,
          "idleTimeout": 60000,
          "keepAlive": true,
          "readTimeout": 10000,
          "pipelining": false,
          "maxConcurrentConnections": 100,
          "useCompression": true,
          "followRedirects": false
        }
      }
    ]
  },
  "response_templates": {}
}
```

aelamrani commented 3 years ago

Ok, can you check that your introspect call returns the client_id defined on the Gravitee.io application used to subscribe?

pavanelthepumisc commented 3 years ago

Yes @aelamrani

Here is the response from my introspect URL with the access token, client_id and client_secret:

```json
{
  "exp": 1606982582,
  "iat": 1606982282,
  "jti": "47246931-68d9-4a51-ae5c-89d57c7f2bc6",
  "iss": "https://auth-dev.custompro.com/auth/realms/APIGateway",
  "aud": "account",
  "sub": "76e8f020-a9d8-48b1-917b-9a1a9a3fe0e8",
  "typ": "Bearer",
  "azp": "HILTGLOBAL",
  "session_state": "3e7b98a8-ca2e-44be-bf0b-029af2fb7335",
  "preferred_username": "service-account-hiltglobal",
  "email_verified": false,
  "acr": "1",
  "allowed-origins": [ "http://localhost:8001" ],
  "realm_access": { "roles": [ "offline_access", "uma_authorization" ] },
  "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } },
  "scope": "profile email",
  "clientHost": "157.48.213.199",
  "clientId": "HILTGLOBAL",
  "clientAddress": "157.48.213.199",
  "client_id": "HILTGLOBAL",
  "username": "service-account-hiltglobal",
  "active": true
}
```
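
An added example (not from the thread and not Gravitee's own code) that reproduces in Python the two things discussed above: the introspection request the posted resource configuration describes (Basic client authentication, form-encoded `token`), and the checks on the introspection response that the plan relies on (active flag, expiry, `client_id` matching the subscribed application, required scopes). The client secret is a placeholder and the sample response is a trimmed copy of the one posted above, both constructed for the example.

```python
import base64
import json
from urllib.parse import urlencode

# Resource configuration copied from the API export in the thread (secret replaced by a constructed placeholder).
RESOURCE_CONFIG = {
    "authorizationServerUrl": "https://auth-dev.custompro.com/auth/realms/APIGateway/protocol/openid-connect",
    "introspectionEndpoint": "/token/introspect",
    "introspectionEndpointMethod": "POST",
    "useClientAuthorizationHeader": True,
    "clientAuthorizationHeaderName": "Authorization",
    "clientAuthorizationHeaderScheme": "Basic",
    "tokenIsSuppliedByFormUrlEncoded": True,
    "tokenFormUrlEncodedName": "token",
    "clientId": "HILTGLOBAL",
    "clientSecret": "PLACEHOLDER_CLIENT_SECRET",
}

# Constructed introspection response, trimmed from the one posted in the thread.
SAMPLE_INTROSPECTION = json.dumps({
    "exp": 1606982582, "iat": 1606982282, "active": True,
    "iss": "https://auth-dev.custompro.com/auth/realms/APIGateway",
    "azp": "HILTGLOBAL", "client_id": "HILTGLOBAL",
    "scope": "profile email", "username": "service-account-hiltglobal",
})

def build_introspection_request(cfg, access_token):
    """Assemble the introspection call the resource config describes: method, URL, headers, form body."""
    url = cfg["authorizationServerUrl"].rstrip("/") + cfg["introspectionEndpoint"]
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if cfg["useClientAuthorizationHeader"]:
        creds = base64.b64encode(f"{cfg['clientId']}:{cfg['clientSecret']}".encode()).decode()
        headers[cfg["clientAuthorizationHeaderName"]] = f"{cfg['clientAuthorizationHeaderScheme']} {creds}"
    body = urlencode({cfg["tokenFormUrlEncodedName"]: access_token}) if cfg["tokenIsSuppliedByFormUrlEncoded"] else ""
    return cfg["introspectionEndpointMethod"], url, headers, body

def evaluate_introspection(response_json, subscribed_client_id, required_scopes=(), now=None):
    """Apply the checks the thread asks about: active flag, expiry, client_id vs. subscription, scopes."""
    data = json.loads(response_json)
    if not data.get("active"):
        return False, "token is not active"
    if now is not None and data.get("exp", now + 1) <= now:
        return False, "token expired"
    if data.get("client_id") != subscribed_client_id:
        return False, f"client_id {data.get('client_id')!r} != subscribed application {subscribed_client_id!r}"
    missing = set(required_scopes) - set(data.get("scope", "").split())
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"
```

Run `evaluate_introspection` against the real introspection output with the client_id of the Gravitee application that holds the subscription; a mismatch there is the case the maintainer asked to rule out.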

aelamrani commented 3 years ago

Are you calling the same endpoint to get the token and for the introspection?

pavanelthepumisc commented 3 years ago

Yes @aelamrani

fabMrc commented 3 years ago

I have the same issue, so I am moving to a JWT plan; it is better suited for me. However, I am following this issue; if you need more information I can help you. (Appears with G.io 3.7.0)

pavanelthepumisc commented 3 years ago

@aelamrani can you help with this issue, please?

FYI @brasseld

brasseld commented 3 years ago

@pavanelthepumisc the error message is about nginx, it doesn't seem to be related to gravitee.

pavanelthepumisc commented 3 years ago

But I'm getting this error only with the OAuth2 plan @brasseld. The same API is working with an API Key plan. Please help.

brasseld commented 3 years ago

Could it be a response from your backend?

pavanelthepumisc commented 3 years ago

Nope. I'm expecting Unauthorized in the first place as I passed a wrong token. Even if I pass the correct token, same error. https://dummy.restapiexample.com/api/v1/employees This is my backend @brasseld

brasseld commented 3 years ago

So why do we have this nginx response? Can you describe a bit your architecture?

pavanelthepumisc commented 3 years ago

It's pretty simple @brasseld. For testing the OAuth2 plan, I followed the following steps:

  1. Created API (with backend server: https://dummy.restapiexample.com/api/v1/employees)
  2. Added a plan for this API with OAuth2 security
  3. Added Generic OAuth2 Authorization Server
  4. Now, trying to access my API and getting this error

Here is my Generic OAuth2 Authorization Server configuration:

[two screenshots of the Generic OAuth2 Authorization Server configuration]

pavanelthepumisc commented 3 years ago

I'm getting this error when I send the Bearer Token. If I don't send any token, I'm getting a 401-Unauthorised error. @brasseld

gogovan-vincentngai commented 2 years ago

same here