nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Kong lets requests through after token invalidation #73

Closed jerneyio closed 5 years ago

jerneyio commented 5 years ago

I'm running Kong 0.14.x using the latest version of the kong-oidc plugin and am seeing some unexpected behavior when I log out all active sessions from my OIDC Provider (in this case, Keycloak). Both Kong and Keycloak are running in docker containers, as is the protected resource.

Expected Behavior: When logging out all active sessions from the OIDC Provider, I would expect Kong to then require all subsequent requests to a protected resource to go through authentication again.

Actual Behavior: When logging out all active sessions from the OIDC Provider, Kong allows previously authenticated clients to make requests to the protected resources.

I wanted to make sure this wasn't a bug with Keycloak's logout mechanism before I bugged you all, so I set up one of their quickstart projects (app-authz-rest-springboot), authenticated a user, and made requests to the protected resource with the valid access token. Then, I logged out all active sessions from the OIDC Provider. All subsequent requests returned a 403, since the access token was invalidated.

Any idea of what might be going on here? Also, I'm happy to take time looking into this issue myself, but I'm not clear where in the code Kong is validating access tokens against the auth server.

Edit: Assuming token validation is happening here: https://github.com/nokia/kong-oidc/blob/master/kong/plugins/oidc/handler.lua#L47

jerneyio commented 5 years ago

I think the problem is illustrated in this diagram: https://github.com/nokia/kong-oidc/blob/master/docs/kong_oidc_flow.png

"From this point on, Kong stores the session in a cookie and the login procedure isn't required"

While I think it's OK that the login procedure isn't required (who would want to login for EVERY request, after all?), there does need to be a validation of the access_token on every request. Else how can the OIDC Provider invalidate tokens?

Trojan295 commented 5 years ago

In general - you cannot invalidate a JWT token after it's signed. Validating a JWT token works without active participation of the OIDC Provider - the OIDC RP simply checks the signature of the token. In such a case, logging out from the session on the OIDC Provider doesn't change anything - the JWT token is still valid till it expires (that's why it's a good practice to set small lifespans for them, e.g. 5 minutes).

An alternative way would be to ask Keycloak every time if the token is valid. In this case the logout on the OIDC Provider would propagate instantly, but this generates more queries to the OIDC Provider.

This plugin is using https://github.com/zmartzone/lua-resty-openidc and it's validating the signature of the token. You could try to ask there.
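The difference Trojan295 describes, as an added Python example that is not part of kong-oidc or lua-resty-openidc: a token checked only by signature and expiry (the offline check the plugin performs) is still accepted after the provider's "log out all sessions", while an introspection call to the provider rejects it immediately. The HS256 shared secret, the `Provider` class and the session ids are constructed stand-ins for Keycloak's RS256 keys and session store.

```python
import base64, hashlib, hmac, json
# Constructed demo key: real OIDC tokens are RS256-signed with keys from the provider's JWKS.
SECRET = b"demo-shared-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_locally(token: str, now: float) -> bool:
    """Offline RP check: signature and expiry only; the provider is never asked."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False
    return json.loads(b64url_decode(payload))["exp"] > now

class Provider:
    """Stand-in for Keycloak: issues session-bound tokens and answers introspection."""
    def __init__(self):
        self.sessions, self.counter = set(), 0
    def login(self, sub: str, now: float, lifespan: int) -> str:
        self.counter += 1
        sid = f"sess-{self.counter}"  # constructed session id
        self.sessions.add(sid)
        return sign_token({"sub": sub, "sid": sid, "exp": now + lifespan})
    def logout_all(self) -> None:
        self.sessions.clear()
    def introspect(self, token: str, now: float) -> bool:
        # Online check: valid signature/expiry AND the issuing session still exists.
        if not validate_locally(token, now):
            return False
        return json.loads(b64url_decode(token.split(".")[1]))["sid"] in self.sessions

def demo(lifespan: int = 300) -> dict:
    idp, t0 = Provider(), 1_700_000_000.0
    token = idp.login("alice", t0, lifespan)
    idp.logout_all()  # "log out all active sessions" on the provider
    return {
        "local_after_logout": validate_locally(token, t0 + 10),           # True: RP still lets it through
        "introspect_after_logout": idp.introspect(token, t0 + 10),        # False: provider knows
        "local_after_expiry": validate_locally(token, t0 + lifespan + 1), # False: exp reached
    }
```

The third result is the only way the offline model ever catches the logout, which is why the comment above recommends short lifespans when introspection is not used.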

jerneyio commented 5 years ago

Thanks for the response and the good info. Sounds like I have more research I need to do! Feel free to close this if it is clearly not a bug.

A1Darkwing commented 5 years ago

Hi @jerneyio, I got the same issue reported here. How about your solution? Adding more logic in the upstream server to verify the access token? I am still thinking about the solution... :( Just want to hear your ideas 💃 Thanks :D

A1Darkwing commented 5 years ago

Hi @jerneyio, I got Trojan's point. He wants to set a short expiry time for the token. And after we log out all sessions of the user in Keycloak, we just need to wait for the token to expire... I think the best thing we can do is just wait 1 min...

mssaisandeep commented 5 years ago

Did anyone find any solution for token introspection with the OIDC Provider (Keycloak) for every request? Did anyone find any solution for authorization of endpoints based on permissions in the token?

Please, I haven't been able to get a solution anywhere, so I posted here. Please spare some time and provide me some insights.

Thanks

mssaisandeep commented 4 years ago

Any update on this, guys?