nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0
461 stars 331 forks

Using Kong-oidc behind a reverse proxy #104

Open hostettler opened 5 years ago

hostettler commented 5 years ago

Hello,

I am trying to use kong-oidc behind a reverse proxy and get an error that the issuer in the id_token is not equal to the issuer from the discovery document. It makes sense but I do not understand how to solve the problem.

I have the following docker topology

(web server 80:80) -- nginx mapped to port 80 of the host (localhost); reverse proxy mapping /api to the kong server, and rewriting redirects to map iam:8080/auth to localhost/auth
(kong with oidc 8000:8000) -- configured to use a keycloak (iam:8080)
iam:8080 (keycloak)
Microservices

How can I configure the plugin to work behind a reverse proxy?

Here are the logs:

2019/02/16 14:11:50 [error] 37#0: 139592 [lua] openidc.lua:1195: authenticate(): lost access token:response indicates failure, status=400, body={"error":"invalid_grant","error_description":"Session not active"}, client: 192.168.224.5, server: kong, request: "GET /api/v1/counterparty-service HTTP/1.0", host: "localhost"
api-gateway | 2019/02/16 14:11:58 [error] 37#0: 139612 [lua] openidc.lua:123: openidc_validate_id_token(): issuer "https://localhost/keycloak/auth/realms/master" in id_token is not equal to the issuer from the discovery document "http://iam:8080/keycloak/auth/realms/master", client: 192.168.224.5, server: kong, request: "GET /api/v1/counterparty-service/?state=30b0cbcda8978bd2e18752834c4adbce&session_state=a591176f-b382-412b-a073-0b54e342183b&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..vZpVDYol5gDy0PBdcNztKA.vwcF7uBLvx9qbihC9rUuz25T8wM21Q389qdFOCMgywOUvSFBS16vGCyZdj0kDdQFbT5j9fw243WEHkhjftmOk0lQKeKujjEPkrH8RR412mL5-Asc7Rr5FKTF88bNtk7KmSz0yf45f9sOFfqpnk-2WWqpv6zoiUkP2ZhY92rEEYW2KOi7WZiTgZQoms5s_pzK0Ypw-xh0gC9Vq4LX1F5HKp2nrz4_yrO-YF1MlmjI9m8MODOe_xRwrPqmBMikF6WB.X_DG5KRYYPgVBo7OC2eDyw HTTP/1.0", host: "localhost", referrer: "https://localhost/keycloak/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=api-gateway&state=30b0cbcda8978bd2e18752834c4adbce&redirect_uri=https%3A%2F%2Flocalhost%2Fapi%2Fv1%2Fcounterparty-service%2F&nonce=1c3ca46d146ceb9d46d7b9a59e962415&scope=openid"
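The second log line is the id_token issuer check failing: Keycloak mints tokens whose `iss` claim is the URL the browser reached it through (the public `https://localhost/...` address), while the plugin fetched the discovery document over the internal Docker address (`http://iam:8080/...`), so the two issuer strings differ and the token is rejected. The example below is added here to show that check in isolation; it is not code from the kong-oidc project or from lua-resty-openidc. It reconstructs the two discovery documents with the issuer values from the log, signs a demo token with a constructed shared HS256 key (a real provider signs with its JWKS keys), and runs the signature check followed by the issuer comparison that produced the error message.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed discovery documents. The first is what the plugin sees when it
# fetches the realm over the internal Docker address from the issue; the
# second is the same realm as reached through the public reverse-proxy URL.
DISCOVERY_INTERNAL = {"issuer": "http://iam:8080/keycloak/auth/realms/master"}
DISCOVERY_PUBLIC = {"issuer": "https://localhost/keycloak/auth/realms/master"}

# Demo signing key shared by the constructed issuer and the verifier. Real
# deployments verify against the provider's asymmetric keys, not a secret.
DEMO_KEY = b"demo-shared-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: Dict[str, str], key: bytes) -> str:
    """Build a compact JWS (HS256) carrying the given claims; demo only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, discovery: Dict[str, str]) -> Tuple[bool, str]:
    """Signature first, then the issuer comparison reported in the log line."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a token declaring "none" or another alg is rejected
    # before any claim is trusted.
    if header.get("alg") != "HS256":
        return False, f"unsupported alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    # Exact string comparison: scheme, host and port are all part of the issuer.
    if claims.get("iss") != discovery["issuer"]:
        return False, (
            f'issuer "{claims.get("iss")}" in id_token is not equal to the issuer '
            f'from the discovery document "{discovery["issuer"]}"'
        )
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Reproduce the mismatch from the issue and the case where it is gone."""
    # Keycloak was reached through the proxy, so the token names the public URL.
    token = make_hs256_token(
        {"iss": "https://localhost/keycloak/auth/realms/master", "sub": "demo-user"}, DEMO_KEY
    )
    return {
        "internal_discovery": validate_id_token(token, DEMO_KEY, DISCOVERY_INTERNAL),
        "public_discovery": validate_id_token(token, DEMO_KEY, DISCOVERY_PUBLIC),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'valid' if ok else 'rejected'} ({why})")
```

Running it prints the same rejection text as the Kong log for the internal discovery document and a clean pass for the public one, which is the point of the check: the plugin and the browser must agree on one issuer URL, and the comparison is a deliberate safeguard against accepting tokens minted by a different (or spoofed) issuer, not something to bypass.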

mteodor commented 5 years ago

@hostettler have you found a solution for this?

hostettler commented 5 years ago

@hostettler have you found a solution for this?

Hello, unfortunately not. I decided to go for the JWT plugin of kong, and to retrieve the JWT token from openId using the web application. Not great, but it works, and from a security perspective it was enough for academic purposes.