nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

OIDC plugin always returns "invalid token" #164

Closed bijoythomask closed 4 years ago

bijoythomask commented 4 years ago

I have enabled the nokia/kong-oidc OIDC plugin globally (for one API) with the configuration below.

Deployment environment: OpenShift v3.11.51
image: repository: revomatico/docker-kong-oidc, tag: "2.0.4-1"

Deployed using Helm 3

    {
      "created_at": 1589024458,
      "config": {
        "response_type": "code",
        "introspection_endpoint": "https://sso:8443/auth/realms/davis/protocol/openid-connect/token/introspect",
        "timeout": null,
        "redirect_uri": null,
        "logout_path": "/logout",
        "filters": null,
        "disable_access_token_header": "no",
        "bearer_only": "yes",
        "access_token_header_as_bearer": "yes",
        "access_token_header_name": "X-Access-Token",
        "disable_id_token_header": "no",
        "ssl_verify": "no",
        "session_secret": null,
        "introspection_endpoint_auth_method": null,
        "groups_claim": "groups",
        "realm": "davis",
        "redirect_after_logout_uri": "/",
        "scope": "openid",
        "token_endpoint_auth_method": "client_secret_post",
        "client_secret": "515b87e1-9a0d-41ca-8e6e-ed7e65d65e59",
        "client_id": "kong",
        "userinfo_header_name": "X-USERINFO",
        "revoke_tokens_on_logout": "no",
        "discovery": "https://sso:8443/auth/realms/davis/.well-known/openid-configuration",
        "ignore_auth_filters": "",
        "disable_userinfo_header": "no",
        "id_token_header_name": "X-ID-Token",
        "recovery_page_path": null,
        "unauth_action": "auth"
      },
      "id": "de08422d-7497-4b4a-bc38-9f45397b94a3",
      "service": null,
      "enabled": true,
      "protocols": [ "grpc", "grpcs", "http", "https" ],
      "name": "oidc",
      "consumer": null,
      "route": null,
      "tags": null
    }

However, I am always getting `WWW-Authenticate: Bearer realm="kong",error="invalid token"`.

Is there a suggestion to fix the issue?

millerfrankmc commented 4 years ago

I have the same error, checking the log of kong, it returns this:

    2020/05/11 18:32:01 [debug] 26#0: *32755 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy: don't use http proxy
    kong_1 | 2020/05/11 18:32:01 [debug] 26#0: *32755 [lua] openidc.lua:409: openidc_call_token_endpoint(): introspection endpoint response: {"active": false}

any help on how to fix it?

bijoythomask commented 4 years ago

I could resolve the issue. The issue is that Keycloak validates that the issuer in the token and the endpoint used for introspection match. This scenario is explained in detail in the blog below: https://www.jerney.io/secure-apis-kong-keycloak-2/
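The mismatch described in this answer (the `iss` claim of the access token pointing at one Keycloak hostname while Kong introspects the token through another, so Keycloak replies `{"active": false}` and the plugin reports `invalid token`) can be spotted before touching the plugin. The following diagnostic is an added example, not code from the kong-oidc project or from the thread's participants: it reads the unverified JWT payload, derives the realm base URL from the plugin's `discovery` and `introspection_endpoint` settings shown in the issue, and reports any disagreement. The sample token and the `keycloak.app.contoso.com` issuer are constructed for the demonstration; the `sso:8443` URLs are taken from the configuration posted above.

```python
"""Preflight check for the Keycloak issuer / introspection-URL mismatch.

Diagnostic only: the JWT payload is decoded WITHOUT signature verification, so this
code must never be used to authorize anything. It exists to explain why introspection
returns {"active": false} when Kong reaches Keycloak under a different host/port than
the one that issued the token.
"""
import base64
import json
from typing import Dict, List

# Values from the plugin configuration posted in this issue.
DISCOVERY_URL = "https://sso:8443/auth/realms/davis/.well-known/openid-configuration"
INTROSPECTION_URL = "https://sso:8443/auth/realms/davis/protocol/openid-connect/token/introspect"

# Fixed suffixes Keycloak appends to the realm base URL.
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
INTROSPECT_SUFFIX = "/protocol/openid-connect/token/introspect"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_unverified_payload(token: str) -> Dict:
    """Return the JWT payload as a dict. No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def realm_base_from_discovery(discovery_url: str) -> str:
    """Strip the well-known suffix to recover the realm URL Keycloak uses as `iss`."""
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("discovery URL does not end with " + DISCOVERY_SUFFIX)
    return discovery_url[: -len(DISCOVERY_SUFFIX)]


def realm_base_from_introspection(introspection_url: str) -> str:
    """Strip the introspection suffix to recover the realm URL Kong actually talks to."""
    if not introspection_url.endswith(INTROSPECT_SUFFIX):
        raise ValueError("introspection URL does not end with " + INTROSPECT_SUFFIX)
    return introspection_url[: -len(INTROSPECT_SUFFIX)]


def diagnose(token: str, discovery_url: str, introspection_url: str) -> List[str]:
    """Return human-readable findings; an empty list means issuer and endpoints agree."""
    findings: List[str] = []
    iss = jwt_unverified_payload(token).get("iss")
    if iss is None:
        return ["token carries no iss claim"]
    discovery_base = realm_base_from_discovery(discovery_url)
    introspection_base = realm_base_from_introspection(introspection_url)
    if iss != discovery_base:
        findings.append(f"iss {iss!r} differs from discovery realm base {discovery_base!r}")
    if iss != introspection_base:
        findings.append(
            f"iss {iss!r} differs from introspection realm base {introspection_base!r}; "
            "Keycloak will answer {\"active\": false} and kong-oidc will report 'invalid token'"
        )
    return findings


def make_test_token(claims: Dict) -> str:
    """Build a CONSTRUCTED token with a placeholder signature, for offline demonstration only."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signature = _b64url_encode(b"constructed-placeholder-not-a-real-signature")
    return f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}.{signature}"


if __name__ == "__main__":
    # Constructed: token minted through the externally reachable Keycloak hostname,
    # while Kong introspects through the internal service name and port.
    external = make_test_token({"iss": "https://keycloak.app.contoso.com/auth/realms/davis", "sub": "demo"})
    for line in diagnose(external, DISCOVERY_URL, INTROSPECTION_URL):
        print("MISMATCH:", line)
    # Constructed: token minted through the same URL Kong uses, so no findings.
    internal = make_test_token({"iss": "https://sso:8443/auth/realms/davis", "sub": "demo"})
    print("consistent:", diagnose(internal, DISCOVERY_URL, INTROSPECTION_URL) == [])
```

Run it against a real access token obtained from the same Keycloak instance Kong points at: if `diagnose` reports a difference, either issue tokens through the same hostname and port that Kong's `introspection_endpoint` uses, or make that hostname resolve to the same frontend (the approach taken with `extra_hosts` later in this thread).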

millerfrankmc commented 4 years ago

thanks it worked

guhuajun commented 3 years ago

In my case, I am using Docker + Traefik to set up my test lab. I need to point Keycloak to Traefik; otherwise, the port of Keycloak will be mismatched.

    extra_hosts:
      keycloak.app.contoso.com: 192.168.10.2