Feature request: options to enable/disable sending ID token, access token and User Info headers upstream

[larsw]

What the title says; make it possible to configure whether to send the ID token, access token and User Info as headers upstream.

Related, it should also be possible to send the access token as an bearer token (Authorization: Bearer ...) upstream instead of X-Access-Token.

[A1Darkwing]

Hi @larsw , which Kong and Keycloak version are you using? I got an issue that X-Access-Token and X-Id-Token didn't appear in header of up stream server?

I used Kong 1.1.1 and Keycloak 5.0 :(

Is there any hint for me....

Thank you in advance...

[A1Darkwing]

I saw it :D

I used this image : https://github.com/Revomatico/docker-kong-oidc/blob/master/Dockerfile

Thanks :P

[barrelmaker97]

Hi @larsw , which Kong and Keycloak version are you using? I got an issue that X-Access-Token and X-Id-Token didn't appear in header of up stream server?

I used Kong 1.1.1 and Keycloak 5.0 :(

Is there any hint for me....

Thank you in advance...

Hi @A1Darkwing Did you end up solving the issue where the tokens were not showing up in the header of the upstream server? I am currently experiencing the same thing and I can't quite figure out why they aren't there.

[mssaisandeep]

I am also not seeing those headers sent to upstream services. Did anyone figure that out?

[barrelmaker97]

Hi @mssaisandeep, I should have posted earlier, but I did figure this one out. In the rockspec file, the git tag from which it builds the .rock file (and performs the install from) is v1.1.0. The issue where tokens were not passed to upstream services was present in that release, but has been fixed in later commits to the master branch. Since there haven't been any releases since then, if you edit the rockspec file to a tag of "master", and then pack/install the plugin, it will work as expected. Let me know if you have any more questions about this issue!

[mssaisandeep]

Hey, @barrelmaker97 can you help me in building and installing (as you mentioned) into docker image? These are the steps that I followed to build docker container:

1) git clone https://github.com/nokia/kong-oidc.git 2) sudo luarocks pack kong-oidc 3) After executing the 2nd command, I got the *.all.rock file got generated. 4) Please find the below dockerfile contents where I used to build the kong docker image:

FROM kong:1.1-centos
LABEL description="Centos 7 + Kong 1.1 + nokia-kong-oidc plugin"
RUN yum install -y git unzip && yum clean all
COPY test/kong-oidc/kong-oidc-1.1.0-0.all.rock /
RUN luarocks install /kong-oidc-1.1.0-0.all.rock

I just built and executed docker run. Everything is working fine. But when I tried to access sample (dummy) API hosted behind the kong, I am facing issues. Please find the below logs:

Note: If I used the below docker file, then I am not getting any issues. But headers are not getting passed.

I don't know what I am missing. Please help me.

FROM kong:1.1-centos
LABEL description="Centos 7 + Kong 1.1 + nokia-kong-oidc plugin"
RUN yum install -y git unzip && yum clean all
#COPY test/kong-oidc/kong-oidc-1.1.0-0.all.rock /
#RUN luarocks install /kong-oidc-1.1.0-0.all.rock
RUN luarocks install kong-oidc

Thanks

[mssaisandeep]

Hi @mssaisandeep, I should have posted earlier, but I did figure this one out. In the rockspec file, the git tag from which it builds the .rock file (and performs the install from) is v1.1.0. The issue where tokens were not passed to upstream services was present in that release, but has been fixed in later commits to the master branch. Since there haven't been any releases since then, if you edit the rockspec file to a tag of "master", and then pack/install the plugin, it will work as expected. Let me know if you have any more questions about this issue!

BTW thanks. Please, can you check the above comment and let me know your thoughts.

[mssaisandeep]

Hey, @Trojan295 can you take a look into the previous comment where I mentioned steps to build (compile) oidc master code and make it as a docker container. Please help me.

BTW the released version "luarocks install kong-oidc" is not passing id_token, access_token to upstream services. It is sending only the following headers. If this is the real issue, how to fix it? Am I missing something? Please help me.

{
    "host": "10.0.15.111:10000",
    "connection": "keep-alive",
    "x-forwarded-for": "xxxxxx",
    "x-forwarded-proto": "http",
    "x-forwarded-host": "yyyyyy",
    "x-forwarded-port": "8000",
    "x-real-ip": "xxxxxx",
    "cache-control": "max-age=0",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3",
    "referer": "",
    "accept-encoding": "gzip, deflate",
    "accept-language": "en-US,en;q=0.9",
    "cookie": "session=v09SG9f0Jj1XcXaqtiv2Yw......<kong encoded session token>",
    "x-userinfo": "eyJpZCI6ImIxZWM5MTE5LTBlZmYtNGM1Ny04ZDJhLWUzYTZkZGUzOTA1OSIsIm5hbWUiOiJWYWwgRiIsInVzZXJuYW1lIjoidmFsIiwiZW1haWwiOiJ2YWxAZGV2b3Quc21hcnRzZW50cnkuaW8iLCJnaXZlbl9uYW1lIjoiVmFsIiwic3ViIjoiYjFlYzkxMTktMGVmZi00YzU3LThkMmEtZTNhNmRkZTM5MDU5IiwicHJlZmVycmV=="
}

[barrelmaker97]

@mssaisandeep, Between your step one and step two (before you pack the rock), you need to make this change to the .rockspec file: This will make the rockspec file build the rock from the HEAD of master instead of the outdated 1.1.0 release. I used these lines in my dockerfile: If at all possible, I'd recommend using the latest version of Kong, 1.3. Not sure if that will make a difference, but it can't hurt. I'm also not using the centos version, so it's possible there's an issue there.

[mssaisandeep]

I will try these and let you know.

Thanks

[mssaisandeep]

@barrelmaker97

I updated the rockspec file

I ran the luarocks pack kong-oidc-1.1.0-0.rockspec and *.src.rock is generated in the current directory.

I Update docker file

But still I got the same issue:

If I use the released version of nokia-oidc, I am not getting any issue. But as you mentioned headers got fixed in master, not in released version.

Do you suggest another base image?

[mssaisandeep]

FYI, I also used kong1.3 version still I am facing issue. Please check one more version of dockerfile:

[mssaisandeep]

I figured the issue. My API is rejecting the request from Kong as the headers exceed the size limit.

Kong-oidc plugin is sending a set of headers which includes cookies (session and session_2 which are opaque tokens) and also id_token, access_token. This exceeds the limit and my API is rejecting. so I solved this by removing cookie passed to upstream services.

Regarding this I have a few questions:

• Is it good to send opaque tokens to upstream services? As kong-oidc only can understand these tokens, why to send to upstream services?
• If we can stop passing to upstream services, how can we remove? There is a way that we can remove the complete header (cookie) in Lua. But is there any way to remove specific cookies?
• How to pack luarocks and get *.src.rock without cloning from GitHub. I am executing this: luarocks pack kong-oidc.rockspec and it is getting cloned automatically. Can any one help? FYI, Kong-OIDC is sending id_token as base64 encoded JSON (not jwt). But my upstream services require id_token to be in JWT token format. I achieved this by modifying the actual lua-resty-oidc plugin. If anyone wants to take a look at it let me know.

Thanks for the support.

[mssaisandeep]

@barrelmaker97 I just have a quick question

Hey, I am getting header size exceeds, If I am sending x-id-token and x-access-token and cookies to upstream services.

[mssaisandeep]

I fixed it finally. Total header size is around 9.9kb. I just increased on upstream api. BTW, another one "https://github.com/nokia/kong-oidc/issues/70" solved one more issue.

Thank you all.

[allenvino1]

@mssaisandeep Hi! Also having the same problem about the header size. How did you increased the upstream api?

[mssaisandeep]

@spacejam101 As we have two cookies (session & session_2) and other headers (id_token, access_token, user_info...) are transferred to upstream services you will face this issue.

I fixed this in kong custom Nginx config file as shown below:

Check CMD I changed the dockerfile as shown below such that kong will use the custom Nginx config file

https://user-images.githubusercontent.com/47436031/65921717-d420d880-e397-11e9-91a9-87e897796217.png

In this custom Nginx file, I added header file size as shown below:

https://user-images.githubusercontent.com/47436031/65910592-e2fb9100-e37f-11e9-82cf-73aa5dd97067.png

You can either copy that Nginx custom file or volume mount at runtime.

More info on custom Nginx config: https://docs.konghq.com/1.0.x/configuration/#custom-nginx-templates

Let me know if you need any help

[larsw]

https://github.com/larsw/kong-oidc <-- this fork contains these features. Rock available here: https://luarocks.org/modules/larsw/kong-enhanced-oidc

[allenvino1]

@larsw @mssaisandeep thanks alot guys!

[kuwv]

I tested this out and got it working:

FROM kong:1.4.1-centos

LABEL description="Centos 7 + Kong 1.4.1-centos + kong-oidc plugin"

ENV KONG_PLUGINS=oidc

RUN yum install -y git unzip ;\
  yum clean all ;\
  rm -rf /var/cache/yum ;\ 
  git clone https://github.com/nokia/kong-oidc.git /tmp/kong-oidc ;\
  pushd /tmp/kong-oidc \
  && sed -i 's/v[0-9]\+\.[0-9]\+\.[0-9]\+/master/g' kong-oidc-*.rockspec \
  && luarocks make \
  && popd
  # TODO: Need to do pseudo release because current is obsolescent :(
  # && luarocks install kong-oidc

USER kong

[harsh4870]

Working for me

FROM kong:latest

LABEL description="Alpine + Kong 2.0.4 + kong-oidc plugin"

USER root
RUN apk update && apk add git unzip luarocks
#RUN luarocks install kong-oidc
RUN luarocks install kong-enhanced-oidc
RUN luarocks install kong-plugin-jwt-keycloak
USER kong