Closed xwrs closed 6 years ago
Hello,
The plugin was created to be used with UI applications, because the tokens are stored in encrypted cookies and used only by Kong, so you need to log in from Kong.
Although we added an option to cover the use case you have. You can add the JWT token your SPA has to the Authorization header, when making requests to your API:
Authorization: Bearer
@Trojan295 thanks for quick response. Trying to use Bearer token obtained separately in postman - Kong redirects all requests to Login page. Same behavior for config.bearer_only == yes/no. Is config.introspection_endpoint required to be set if config.bearer_only == yes?
Yes, config.introspection_endpoint is required to get this functionality working. This was an experimental feature and I wasn't sure how to solve it. The introspection endpoint can be fetched from the Discovery Document, but this wasn't implemented, so you need to set the introspection endpoint explicitly.
@Trojan295 , thanks. Everything works as expected. Obtained token can be used to pass the authorization. Azure AD SSO we are using does not provide introspection endpoint though, so it was created as a standalone service behind Kong. Thanks a lot
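To make concrete what the bearer_only path discussed above needs from config.introspection_endpoint, here is a minimal RFC 7662 token-introspection service as an added example. It is not the kong-oidc plugin's code and not the standalone service @xwrs built; it only illustrates the contract: the client sends `Authorization: Bearer <token>`, Kong POSTs `token=<jwt>` to the endpoint, and the endpoint answers `{"active": true|false, ...}`. The signing secret, issuer and audience values are constructed placeholders, and the token is an HS256 JWT so the example runs offline with the standard library; Azure AD issues RS256 tokens, so a real service would verify the RSA signature against the tenant's JWKS instead of the HMAC used here.

```python
"""Minimal RFC 7662 introspection endpoint for an HS256 JWT (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-ins; a real deployment verifies RS256 against the IdP's JWKS.
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://login.example.test/placeholder-tenant/v2.0"
EXPECTED_AUDIENCE = "api://placeholder-api"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a test token so the example is self-contained (the IdP does this in reality)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def extract_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>' as the SPA sends it."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def introspect(token: str, now: Optional[float] = None) -> dict:
    """Validate the JWT and return an RFC 7662 introspection response."""
    now = time.time() if now is None else now
    inactive = {"active": False}
    parts = token.split(".")
    if len(parts) != 3:
        return inactive
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return inactive
    # Pin the algorithm: never let the token's own 'alg' pick the verifier (rejects alg=none).
    if header.get("alg") != "HS256":
        return inactive
    expected = hmac.new(SHARED_SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return inactive
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return inactive
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return inactive
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return inactive
    return {
        "active": True,
        "sub": claims.get("sub"),
        "scope": claims.get("scp", ""),
        "iss": claims["iss"],
        "aud": claims["aud"],
        "exp": exp,
        "token_type": "Bearer",
    }


def handle_introspection_request(body: str) -> dict:
    """Body is the form-encoded POST an introspection client sends: token=<jwt>[&token_type_hint=...]."""
    form = parse_qs(body)
    token = form.get("token", [""])[0]
    return introspect(token) if token else {"active": False}
```

The endpoint answers `{"active": false}` for every failure mode (malformed token, wrong algorithm, bad signature, wrong issuer or audience, expired or not-yet-valid) without saying which, which is what RFC 7662 expects; the response only carries claims once the signature and lifetime checks have passed.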
Hello @xwrs, could you please share some pointers behind the custom Azure AD SSO introspection endpoint that you managed to create and have the OIDC plugin work with?
Hello,
I have integrated an oidc plugin into our Kong installation. I am using Azure Active Directory SSO. When I open the URL to my API resource I am redirected to the login page, and after authentication at MS SSO I am redirected to my resource (GET operation). Everything seems to be as expected.
However, my API has to be used from a single-page application hosted on another server.
My question may be absolutely silly. What is expected to happen on the SPA or any other client (e.g. mobile app, e2e tests, etc.) to make its code able to call my API?
In my case the SPA has its own authentication happening on the same Azure AD SSO. But when I integrate my API into its client code, Kong (with the OIDC plugin) redirects calls to the SSO login page and I see CORS-related errors during the redirect.
This is a dead-end, but the very existence of your plugin makes me think that I am using it wrong. There should be use cases for calling API from external consumers. Thanks