nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

kong behind nginx - authentication with okta #122

Open mteodor opened 5 years ago

mteodor commented 5 years ago

This seems like a basic question, but I've failed to find an answer.

I want to use Kong for single sign-on. I've followed https://github.com/oktadeveloper/okta-kong-origin-example to configure Kong against Okta, and everything works fine for this example. Based on that, I wanted to "protect" access to the login endpoint in my service, expecting to get the X-Userinfo header from the request.

I have several services running inside Docker, and one of them is the users service, which does the authentication among other things. I've made the following configuration: I've added the Kong Docker container to the same network as all the other services, and I've added this configuration to nginx.conf (nginx is also a container, built from openresty/openresty:1.13.6.2-0-alpine):

    location = /api/v1/useradm/auth/ssologin {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Cookie $http_cookie;
        proxy_pass http://okta-kong-oidc:8000;
    }

Kong configuration:

{
    "created_at": 1557132426511,
    "http_if_terminated": false,
    "https_only": false,
    "id": "b3569d9b-4947-4938-9208-d02fd5819443",
    "name": "okta-test",
    "preserve_host": true,
    "retries": 5,
    "strip_uri": true,
    "upstream_connect_timeout": 60000,
    "upstream_read_timeout": 60000,
    "upstream_send_timeout": 60000,
    "upstream_url": "http://user-service:8080",
    "uris": [
        "/"
    ]
}

This is the OIDC plugin configuration:

    {
        "total": 1,
        "data": [
            {
                "created_at": 1557132674825,
                "config": {
                    "response_type": "code",
                    "realm": "kong",
                    "redirect_after_logout_uri": "/",
                    "scope": "openid",
                    "token_endpoint_auth_method": "client_secret_post",
                    "client_secret": "xxxxxxxx",
                    "client_id": "xxxxxxxx",
                    "bearer_only": "no",
                    "ssl_verify": "no",
                    "discovery": "https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration",
                    "logout_path": "/logout"
                },
                "id": "413a301b-1c3a-4d20-9f49-8c88bcf55bd1",
                "enabled": true,
                "name": "oidc",
                "api_id": "b3569d9b-4947-4938-9208-d02fd5819443"
            }
        ]
    }

Now, when I access http://localhost:8000/api/v1/useradm/auth/ssologin I get the expected result: I'm redirected to Okta for authentication, and after that Kong redirects to my user-service with X-Userinfo.

However, when I hit http://my.server.com/api/v1/useradm/auth/ssologin I'm not getting X-Userinfo at my service endpoint.

(my.server.com is resolved from the hosts file.)

Where did I go wrong?
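For the service side of the setup described in this issue, as an added example that is not code from the issue or from kong-oidc: kong-oidc hands the authenticated user to the upstream as base64-encoded JSON in the X-Userinfo header, so the login endpoint can decode that header and reject the request when it is absent or malformed, which is exactly the symptom seen on the my.server.com path. The sample claims and headers are constructed, and the header is only worth trusting if user-service:8080 can be reached solely through Kong, since a client that reaches the service directly could supply its own X-Userinfo.

```python
import base64
import binascii
import json
from typing import Any, Dict, Optional, Tuple

# Constructed sample of what the upstream sees behind kong-oidc: the original
# request plus X-Userinfo, whose value is the userinfo JSON encoded as base64.
SAMPLE_USERINFO = {"sub": "00u1abc", "email": "alice@example.com", "name": "Alice"}
SAMPLE_HEADERS_OK = {
    "Host": "my.server.com",
    "X-Userinfo": base64.b64encode(json.dumps(SAMPLE_USERINFO).encode()).decode(),
}
# The symptom reported via nginx: the request arrives without the header.
SAMPLE_HEADERS_MISSING = {"Host": "my.server.com"}


def decode_userinfo(headers: Dict[str, str]) -> Tuple[Optional[Dict[str, Any]], str]:
    """Return (userinfo, reason).

    userinfo is None when the header is missing or malformed; reason says
    which case occurred so the service can log it and answer 401.
    Assumes the service is only reachable through Kong, otherwise the header
    is client-controlled and must not be used for authentication.
    """
    # Header names are case-insensitive and proxies may change their case.
    raw = next((v for k, v in headers.items() if k.lower() == "x-userinfo"), None)
    if raw is None:
        return None, "X-Userinfo missing: request did not pass through kong-oidc"
    try:
        padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped padding
        info = json.loads(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError):
        return None, "X-Userinfo present but not base64-encoded JSON"
    if not isinstance(info, dict) or not info.get("sub"):
        return None, "X-Userinfo decoded but carries no 'sub' claim"
    return info, "ok"


if __name__ == "__main__":
    for name, hdrs in (("ok", SAMPLE_HEADERS_OK), ("missing", SAMPLE_HEADERS_MISSING)):
        print(name, decode_userinfo(hdrs))
```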

jgrisafe commented 4 years ago

Hi @mteodor did you ever figure this out?