nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Not accepting Authorization Header #153

Closed BaloMueller closed 4 years ago

BaloMueller commented 4 years ago

Hello,

We are running Kong 1.5 with this kong-oidc plugin. For auth we are running a Keycloak service.

Normal requests with a browser are working perfectly. The first time a user hits an Ingress, the user gets redirected to the login page; after login the user can use the service.

Now we want to be able to send requests from an API client / curl. Therefore I retrieve a JWT and send it using the following command: `curl -H 'Accept: application/json' -H "Authorization: Bearer $TOKEN" https://api.host.com/echo/ -i -L`

As a result, I get redirected to the auth endpoint, which in turn asks me to login:

HTTP/2 302
date: Fri, 14 Feb 2020 12:07:50 GMT
content-type: text/html
content-length: 110
location: https://auth.host.com/auth/realms/users/protocol/openid-connect/auth?response_type=code&client_id=users-kong&state=3ee1c1c1eba001c0a4793113a4b7b39a&redirect_uri=https%3A%2F%2Fapi.host.com%2Fecho&nonce=9d5087eeaa15f81c10eb20db096c6091&scope=openid
set-cookie: session=dDSJcboEzlvDJz82MILWzw..|1581685670|bEP7I5rj-OV-Cqoyo7ahHeM_C2ftnIMVg_zZW1wvJDaYdDunXH-Uvv1OofDpBvPIMXETW2zsMvUsYOqHI2hWpvOIB4ALS2LVcdu4vUL4NzBPXJG9-NH0cGby8XfR8aOwqjK1gSOjrYUmUJyjrIFp_EHCBprtoB7b1q_zqkvZFNfj3xFrzQwIMcapar-moIbBb_nyBtsbvm_zdgXidp1dOQ..|btsKjY78zs8rmbcJ95xZGqDPi-U.; Path=/; SameSite=Lax; Secure; HttpOnly
cache-control: no-cache, no-store, max-age=0
x-kong-response-latency: 31
server: kong/1.5.0

HTTP/2 200
content-type: text/html;charset=utf-8
content-length: 3929
cache-control: no-store, must-revalidate, max-age=0
set-cookie: AUTH_SESSION_ID=8d5e1b68-3855-4510-bcbd-68f65145ed9f.keycloak-0; Version=1; Path=/auth/realms/users/; Secure; HttpOnly
set-cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3MmQ4MjI1Ny1hNjU3LTRkY2QtYjE4Yy02MmYzNDAwN2I0MWMifQ.eyJjaWQiOiJ1c2Vycy1rb25nIiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cHM6Ly9hcGkucmFwaXRhZy5jb20vZWNobyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLnJhcGl0YWcuY29tL2F1dGgvcmVhbG1zL3VzZXJzIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczovL2FwaS5yYXBpdGFnLmNvbS9lY2hvIiwic3RhdGUiOiIzZWUxYzFjMWViYTAwMWMwYTQ3OTMxMTNhNGI3YjM5YSIsIm5vbmNlIjoiOWQ1MDg3ZWVhYTE1ZjgxYzEwZWIyMGRiMDk2YzYwOTEifX0.8FLhVsK7FD3gZpKfGJcRnD4hnUN2p7wxwCQtO9Wr3NE; Version=1; Path=/auth/realms/users/; Secure; HttpOnly
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
content-security-policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
date: Fri, 14 Feb 2020 12:07:50 GMT
x-robots-tag: none
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
content-language: en
x-kong-upstream-latency: 8
x-kong-proxy-latency: 0
via: kong/1.5.0

<html of login page>

We defined the introspection_endpoint, which I was expecting to solve the problem, though nothing changed.

Can you help me? What am I doing wrong?

Thanks a lot!

lyndon160 commented 4 years ago

I think I've seen something similar.

Out of interest, does it work for other javascript based clients?

Here's an example of a node version, just input your token and url.

```javascript
// Needs the follow-redirects package (npm install follow-redirects);
// replace XXXXXX, /XXXX and TOKEN with your host, path and bearer token.
var https = require('follow-redirects').https;

var options = {
  'method': 'GET',
  'hostname': 'XXXXXX',
  'path': '/XXXX',
  'headers': {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer TOKEN'
  },
  'maxRedirects': 20
};

var req = https.request(options, function (res) {
  var chunks = [];
  res.on("data", function (chunk) { chunks.push(chunk); });
  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
  res.on("error", function (error) { console.error(error); });
});

// Without this a connection failure surfaces as an unhandled 'error' event.
req.on("error", function (error) { console.error(error); });

var postData = JSON.stringify({});
req.write(postData);
req.end();
```

BaloMueller commented 4 years ago

We were able to fix the problem. The issue was that the introspection endpoint wasn't set correctly. I was expecting that the value for introspect would be taken from the .well-known configuration, which it is not.

canattofilipe commented 4 years ago

@BaloMueller I am facing the same problem. Would it be possible for you to detail the solution? How can I set the introspection_endpoint correctly?

I mapped the introspection_endpoint from .well-known to the kong-oidc properties, but it is still not working.

BaloMueller commented 4 years ago

I set the following properties:

introspection_endpoint: https:///auth/realms//protocol/openid-connect/token/introspect
introspection_endpoint_auth_method: client_secret_post
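Added example (not part of this issue thread and not code from the kong-oidc project): a small Python helper that ties the question and the fix together. It copies `introspection_endpoint` out of a Keycloak discovery document into the plugin config (the step the plugin does not do for you), builds the form body the gateway sends for `client_secret_post` introspection (RFC 7662), and classifies a gateway reply so a curl-style check can tell "token accepted" from "302 to the login page". Assumptions: the discovery document and the 302 reply are constructed samples with placeholder hosts (`auth.example.test`, realm `users`), the plugin registers under the name `oidc`, and the config keys used are the plugin's own (`discovery`, `client_id`, `client_secret`, `introspection_endpoint`, `introspection_endpoint_auth_method`); `probe()` is a live check and is not exercised offline.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of the fields from a Keycloak realm's discovery document
# (<issuer>/.well-known/openid-configuration) that matter for this issue.
# auth.example.test / realm "users" are placeholders, not the poster's hosts.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://auth.example.test/auth/realms/users",
    "authorization_endpoint":
        "https://auth.example.test/auth/realms/users/protocol/openid-connect/auth",
    "token_endpoint":
        "https://auth.example.test/auth/realms/users/protocol/openid-connect/token",
    "introspection_endpoint":
        "https://auth.example.test/auth/realms/users/protocol/openid-connect/token/introspect",
})

# Constructed reply modelled on the 302 in the issue: the gateway ignored the
# bearer token and started the browser login flow instead.
SAMPLE_REDIRECT_STATUS = 302
SAMPLE_REDIRECT_HEADERS = {
    "location": "https://auth.example.test/auth/realms/users/protocol/openid-connect/auth"
                "?response_type=code&client_id=users-kong&state=3ee1c1c1"
                "&redirect_uri=https%3A%2F%2Fapi.example.test%2Fecho&nonce=9d5087ee&scope=openid",
    "content-type": "text/html",
}


def kong_oidc_config(discovery_json, client_id, client_secret):
    """Build the config block for a kong-oidc plugin instance.

    The plugin fetches config.discovery but does not take introspection_endpoint
    from that document, so the value is copied out explicitly here. The secret
    travels in the introspection request body (client_secret_post), so a
    non-TLS endpoint is refused.
    """
    doc = json.loads(discovery_json)
    introspect = doc["introspection_endpoint"]
    if not introspect.startswith("https://"):
        raise ValueError("refusing non-TLS introspection endpoint: " + introspect)
    return {
        "discovery": doc["issuer"].rstrip("/") + "/.well-known/openid-configuration",
        "client_id": client_id,
        "client_secret": client_secret,
        "introspection_endpoint": introspect,
        "introspection_endpoint_auth_method": "client_secret_post",
    }


def kong_admin_form(config, plugin_name="oidc"):
    """Form fields for enabling the plugin via Kong's Admin API (for example
    POST /services/<service>/plugins); nested config keys are sent as
    'config.<key>'. 'oidc' is assumed to be the plugin's registered name."""
    fields = {"name": plugin_name}
    for key, value in config.items():
        fields["config." + key] = value
    return fields


def introspection_request(config, token):
    """(url, headers, body) of the RFC 7662 call made for a bearer token when the
    auth method is client_secret_post: credentials go in the form body, not in
    an Authorization: Basic header."""
    body = urlencode({
        "token": token,
        "token_type_hint": "access_token",
        "client_id": config["client_id"],
        "client_secret": config["client_secret"],
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return config["introspection_endpoint"], headers, body


def classify_gateway_response(status, headers, discovery_json):
    """Classify a gateway reply to a request that carried Authorization: Bearer.

    "ok": 2xx, the token was honoured.
    "redirected_to_login": a redirect to the provider's authorization endpoint
    with response_type=code, i.e. the symptom from the issue.
    "other": anything else (401/403 from a rejected token, 5xx, ...).
    """
    auth_ep = json.loads(discovery_json)["authorization_endpoint"]
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if 200 <= status < 300:
        return "ok"
    if status in (301, 302, 303, 307, 308) and location.startswith(auth_ep):
        if parse_qs(urlsplit(location).query).get("response_type") == ["code"]:
            return "redirected_to_login"
    return "other"


def probe(url, token, discovery_json):
    """Live check (network, not run offline): send the token to a protected URL
    without following redirects and classify the first answer."""
    import urllib.request
    import urllib.error

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token,
                                               "Accept": "application/json"})
    try:
        resp = opener.open(req, timeout=10)
        status, headers = resp.getcode(), dict(resp.headers)
    except urllib.error.HTTPError as e:
        status, headers = e.code, dict(e.headers)
    return classify_gateway_response(status, headers, discovery_json)
```

Usage: feed the real discovery document to `kong_oidc_config`, post `kong_admin_form(...)` to the Admin API, then run `probe("https://<api-host>/echo/", token, discovery_json)` and expect `"ok"`; a `"redirected_to_login"` result means the gateway is still treating the curl request as a browser session and the introspection settings have not taken effect.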