nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

API behind plugin use-cases understanding #48

Closed xwrs closed 6 years ago

xwrs commented 6 years ago

Hello,

I have integrated the oidc plugin into our Kong installation. I am using Azure Active Directory SSO. When I open the URL of my API resource I get redirected to the login page, and after authenticating at the MS SSO I get redirected back to my resource (GET operation). Everything seems to work as expected.

However, my API has to be used from a single-page application hosted on another server.

My question may be absolutely silly. What is expected to happen on the SPA or any other client (e.g. mobile app, e2e tests, etc.) so that its code is able to call my API?

In my case the SPA has its own authentication happening on the same Azure AD SSO. But when I integrate my API into its client code, Kong (with the OIDC plugin) redirects calls to the SSO login page and I see CORS-related errors during the redirect.

This is a dead-end, but the very existence of your plugin makes me think that I am using it wrong. There should be use cases for calling API from external consumers. Thanks

Trojan295 commented 6 years ago

Hello, the plugin was created to be used with UI applications, because the tokens are stored in encrypted cookies and used only by Kong, so you need to log in from Kong. That said, we added an option to cover the use case you have. You can add the JWT token your SPA has to the Authorization header when making requests to your API: Authorization: Bearer

xwrs commented 6 years ago

@Trojan295 thanks for the quick response. Trying to use a Bearer token obtained separately in Postman, Kong redirects all requests to the login page. Same behavior for config.bearer_only == yes/no. Is config.introspection_endpoint required to be set if config.bearer_only == yes?

Trojan295 commented 6 years ago

Yes, config.introspection_endpoint is required to get this functionality working. This was an experimental feature and I wasn't sure how to solve it. The introspection endpoint can be fetched from the Discovery Document, but this wasn't implemented, so you need to set the introspection endpoint explicitly.

xwrs commented 6 years ago

@Trojan295, thanks. Everything works as expected. The obtained token can be used to pass the authorization. The Azure AD SSO we are using does not provide an introspection endpoint, though, so it was created as a standalone service behind Kong. Thanks a lot

rush2subbu commented 4 years ago


Hello @xwrs, could you please share some pointers on the custom Azure AD SSO introspection endpoint that you managed to create and have the OIDC plugin work with?
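The thread does not include xwrs's standalone introspection service, so the following is an added, stand-alone sketch (not code from this repository or from any participant) of what such an endpoint has to do: accept the token the plugin posts as a form field (the RFC 7662 shape lua-resty-openidc uses when config.introspection_endpoint is set), verify it, and answer with an "active" flag. SECRET, ISSUER and AUDIENCE are constructed placeholders, and HS256 stands in for the RS256/JWKS verification a real Azure AD deployment would need.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs

# Constructed demo values: a real service would verify RS256 signatures with the
# tenant's JWKS keys and use the real issuer and audience strings.
SECRET = b"constructed-demo-secret"
ISSUER = "https://login.example.test/placeholder-tenant/v2.0"
AUDIENCE = "api://placeholder-api"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    """Build an HS256 JWT so the demo can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token, now=None):
    """Return the claims if signature, issuer, audience and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin alg, reject 'none'
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims

def introspect(form_body, now=None):
    """RFC 7662-style answer for a 'token=...' form body, as posted by the plugin."""
    token = parse_qs(form_body).get("token", [""])[0]
    claims = verify_jwt(token, now)
    if claims is None:
        return {"active": False}
    return {"active": True, "sub": claims.get("sub"), "aud": claims["aud"],
            "iss": claims["iss"], "exp": claims["exp"], "token_type": "Bearer"}
```

Whatever framework serves introspect() over HTTP, the plugin only needs a JSON body with "active" set, and the service itself should sit on a route that external clients cannot reach directly.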