nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Cognito Configuration #179

Open ledbruno opened 3 years ago

ledbruno commented 3 years ago

Hello, first of all: congrats on the good job, it's an awesome solution!

I'm trying to connect Kong to Cognito through this plugin, but I have some questions. I did some plugin and Cognito setup and I'm stuck in this scenario:

1) Kong connects to the plugin and gets an authorization code.
2) Cognito executes the call to Kong with the authorization code: https://localhost:8443/auth-sample?code=3107ccb1-837e-4bc3-ac9f-18fef551ed53

My Cognito conf: [image]

[image]

My plugin conf: {"realm": "kong", "scope": "openid", "filters": null, "client_id": "123", "discovery": "https://cognito-idp.us-east-1.amazonaws.com/us-east-bla/.well-known/openid-configuration", "ssl_verify": "no", "bearer_only": "no", "logout_path": "/logout", "client_secret": "bla", "response_type": "code", "session_secret": "bla", "redirect_uri_path": null, "recovery_page_path": null, "introspection_endpoint": null, "redirect_after_logout_uri": "/", "token_endpoint_auth_method": "client_secret_post"}

The questions are: 1) Who is supposed to be the authorization callback? Kong, Cognito or another service? My first impression is that Kong should be the one, according to the docs: [image]

But if Kong should handle this callback, what is the endpoint/service? Should the oidc plugin be enabled for this service?

2) What does this mean? [image] Should I call GET /API with the authorization code? How should I pass this, in which header?

ledbruno commented 3 years ago

An update on this, now the error is

2020/09/21 15:46:17 [error] 22#0: *426 [lua] openidc.lua:1173: authenticate(): request to the redirect_uri_path but there's no session state found,

Tried to fix it with the solution described at https://github.com/zmartzone/lua-resty-openidc/issues/231

/usr/local/kong # cat /tmp/custom_nginx.conf

set $session_secret bla; set $session_cookie_samesite off;

The redirect from Cognito to Kong is same-site=Lax: [image]

[image]

The result is

[image]

ledbruno commented 3 years ago

For some unknown reason, the session is not correctly started. Disabling some verification in openidc.lua:

[image]

[image]

Then *31970 [lua] openidc.lua:1210: authenticate(): session.present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false

Everything works well.. on a first sight :)

jacky96623 commented 3 years ago

@ledbruno May I know if you are using the Nokia Kong OIDC plugin as a route plugin? I recently tried to set up a Kong with this custom plugin and found that config.redirect_uri_path may be affecting the behaviour.

ledbruno commented 3 years ago

@jacky96623 It's applied on a Service, not a route.

I've bypassed the problem with a source code customization, changing the redirect_uri_path and scheme attributes.

gustabart commented 3 years ago

I had the same problem and was able to fix it by setting the $session_name variable in the server block.
Why? I'm not sure. Example:

server {
  ...
  server_name proxy.localhost;
  #lua_code_cache off;
  set $session_name nginx_session;
  location / {
    access_by_lua_block {
      local opts = {
        redirect_uri = "http://proxy.localhost/cb",
        discovery = "http://127.0.0.1:9000/.well-known/openid-configuration",
        client_id = "proxyclient-id",
        client_secret = "secret",
        ssl_verify = "no",
        scope = "openid"
      }
      -- call authenticate for OpenID Connect user authentication
      local res, err = require("resty.openidc").authenticate(opts)

      if err then
        ngx.status = 500
        ngx.say(err)
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
      end

      -- forward the authenticated subject to the upstream
      ngx.req.set_header("X-USER", res.id_token.sub)
    }

    proxy_pass http://localhost:8080/;
    proxy_set_header x-forwarded-proto $scheme;
  }
}

Another thing to pay attention to is the lua_code_cache off directive; it could break the session. See: https://github.com/bungle/lua-resty-session#notes-about-turning-lua-code-cache-off

rzariwal commented 3 years ago

@ledbruno What was the fix? I'm having the same error: request to the redirect_uri path but there's no session state found.

I'm running NGINX on Kubernetes.

ledbruno commented 3 years ago

The basic change was in another lib: https://github.com/zmartzone/lua-resty-openidc

[image]

We have a lot of unrelated changes, so that's why I didn't open a pull request with the single fix. If you really need this, please let me know and we can work on a separate branch with just this.

JokerDevops commented 8 months ago

This was resolved by setting set $session_secret 623q4hR325t36VsCD3g567922IC0073T; and set $session_name nginx_session;
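The settings gustabart and JokerDevops converged on ($session_secret, $session_name, lua_code_cache left on) can be checked mechanically before reloading nginx. The script below is an added example, not code from kong-oidc or lua-resty-openidc; the two sample configs are constructed, the first mirroring the failing attempt in the thread and the second the working one, and the 32-character minimum for the secret is this example's own threshold.

```shell
#!/bin/sh
# Lint an nginx/Kong server block for the lua-resty-session settings this
# thread ended up depending on. Constructed example, not kong-oidc code.

# Prints the number of findings to stdout and the details to stderr.
check_session_conf() {
  live=$(sed 's/#.*$//' "$1")   # drop comments, e.g. "#lua_code_cache off;"
  n=0
  has() { printf '%s\n' "$live" | grep -Eq "$1"; }

  if ! has 'set[[:space:]]+\$session_secret[[:space:]]'; then
    echo "finding: no 'set \$session_secret', session data cannot be sealed" >&2; n=$((n+1))
  else
    secret=$(printf '%s\n' "$live" | sed -n 's/.*set[[:space:]]*\$session_secret[[:space:]]*\([^;]*\);.*/\1/p' | head -n 1)
    [ "${#secret}" -ge 32 ] || { echo "finding: \$session_secret '$secret' is shorter than 32 chars" >&2; n=$((n+1)); }
  fi
  has 'set[[:space:]]+\$session_name[[:space:]]' ||
    { echo "finding: no 'set \$session_name' (the fix reported in this issue)" >&2; n=$((n+1)); }
  ! has 'lua_code_cache[[:space:]]+off' ||
    { echo "finding: lua_code_cache off breaks lua-resty-session" >&2; n=$((n+1)); }
  ! has 'set[[:space:]]+\$session_cookie_samesite[[:space:]]+off' ||
    { echo "finding: samesite off removes CSRF protection; Lax already admits the IdP redirect" >&2; n=$((n+1)); }
  echo "$n"
}

# Constructed samples: BAD_CONF mirrors the failing attempt, GOOD_CONF the working settings.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
set $session_secret bla;
set $session_cookie_samesite off;
lua_code_cache off;
EOF
cat > "$GOOD_CONF" <<'EOF'
server {
  server_name proxy.localhost;
  #lua_code_cache off;
  # constructed 64-hex value; generate a real one with: openssl rand -hex 32
  set $session_secret 9c1e7a3b5d2f4e6a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a;
  set $session_name nginx_session;
  set $session_cookie_samesite Lax;
}
EOF

for f in "$BAD_CONF" "$GOOD_CONF"; do
  echo "$f: $(check_session_conf "$f") finding(s)"
done
```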