nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Missing config.anonymous parameter for multi-authentication #79

Open Obimka opened 5 years ago

Obimka commented 5 years ago

As far as I can see, the plugin is missing the "anonymous" parameter needed to use it in a multi-authentication setup in Kong.

Trojan295 commented 5 years ago

Could you elaborate more about this issue? Do you mean a scenario, where there are multiple authentication methods on Kong enabled?

Obimka commented 5 years ago

Exactly. The Kong documentation specifies an "anonymous" parameter (the id of a Consumer) used to redirect to when authentication fails.

JakeCodeStuff commented 5 years ago

I need this added as well. Here are the docs: https://docs.konghq.com/0.14.x/auth/#multiple-authentication and https://docs.konghq.com/0.14.x/auth/#anonymous-access. Basically they have a scheme where you set all of your authentication plugins to allow anonymous access for a specific consumer (by id), and then you set the request-termination plugin on that consumer. In that scheme you can "chain" multiple authentication plugins and it will use the first successful plugin, or if all fail, it will allow the anonymous consumer, which will ultimately get blocked by the request-termination plugin, thus disallowing unauthorized access.

JakeCodeStuff commented 5 years ago

Spent the morning hacking up a solution; unfortunately we are actively using Kong 14.1 CE, so I tested/developed against that, using the Kong 14.1 source code (OAuth2 plugin) as my guide. If desired I can update it for the latest 1.X. Here's a link to what I did: https://github.com/JakeEmo/kong-oidc/commit/f0c573c6488e513ed84b2ebbb2086fd0fb3a2933

ahoulgrave commented 4 years ago

Also having this issue.

https://github.com/gbbirkisson/kong-plugin-jwt-keycloak allows this feature.

Check for config.anonymous:

An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure 4xx. Please note that this value must refer to the Consumer id attribute which is internal to Kong, and not its custom_id.

This exact feature is what is missing.

ahoulgrave commented 4 years ago

Ok, opened https://github.com/nokia/kong-oidc/pull/160

Example configuration:

```yaml
_format_version: "1.1"
services:
  - name: test-service
    url: http://my-service-endpoint
    plugins:
      - name: oidc
        config:
          client_id: my-client-id
          client_secret: my_client_super_secret
          discovery: https://auth.example.com/auth/realms/master/.well-known/openid-configuration
          # Consumer id (not custom_id) to fall back to when authentication fails
          anonymous: 996f6f74-4233-4f45-b5ea-9209892facd1
    routes:
      - name: test-route
        paths:
          - /
        preserve_host: true
consumers:
  - username: anonymous_users
    # must match config.anonymous above
    id: 996f6f74-4233-4f45-b5ea-9209892facd1
```

You get the headers:

```text
x-anonymous-consumer: "true"
x-consumer-id: "996f6f74-4233-4f45-b5ea-9209892facd1"
x-consumer-username: "anonymous_users"
```

Tested with this Dockerfile:

```dockerfile
FROM kong:2.0

# load the bundled plugins plus the oidc plugin installed below
ENV KONG_PLUGINS=bundled,oidc
ENV KONG_LOG_LEVEL=debug

USER root

# zip and git are fetch/build dependencies for installing from the remote rockspec
RUN apk add --no-cache zip git && \
    luarocks install https://raw.githubusercontent.com/ahoulgrave/kong-oidc/allow-anonymous/kong-oidc-1.1.0-0.rockspec

USER kong
```

Which you can use until a final solution comes up.

Edit: fixed luarocks install url
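The scheme JakeCodeStuff describes only denies unauthenticated traffic if every auth plugin on the service names the same anonymous Consumer by its Kong id and that Consumer actually carries a request-termination plugin; the config above, as posted, has no request-termination on anonymous_users, so failed logins reach the upstream with x-anonymous-consumer set. The following lint is an added example, not code from nokia/kong-oidc or Kong: it walks a declarative config in the shape of ahoulgrave's example (given here in JSON, which Kong's declarative loader also accepts) and flags the three misconfigurations a reviewer would look for. The plugin names in AUTH_PLUGINS and the sample services/consumers are constructed assumptions for the demo.

```python
"""Lint a Kong declarative config for the anonymous-consumer fallback.

Added example for this thread, not code from nokia/kong-oidc or Kong.
Checks: every auth plugin on a service names an anonymous Consumer by its
Kong id, all auth plugins on that service agree on it, and that Consumer
carries a request-termination plugin so a request that fails every auth
plugin does not reach the upstream as the anonymous consumer.
Assumptions: the plugin names in AUTH_PLUGINS and the constructed SAMPLE_CONFIG.
"""
import json

# Assumption: plugins whose config.anonymous takes part in the chaining.
AUTH_PLUGINS = {"oidc", "key-auth", "basic-auth", "jwt", "oauth2", "hmac-auth", "ldap-auth"}

ANON_ID = "996f6f74-4233-4f45-b5ea-9209892facd1"  # id from the thread's example

# Constructed sample: "good-service" follows the scheme; "weak-service" and
# "open-service" carry the misconfigurations the lint is meant to catch.
SAMPLE_CONFIG = json.loads("""{
  "_format_version": "1.1",
  "services": [
    {"name": "good-service", "url": "http://my-service-endpoint", "plugins": [
      {"name": "oidc", "config": {"client_id": "my-client-id",
         "client_secret": "my_client_super_secret",
         "discovery": "https://auth.example.com/auth/realms/master/.well-known/openid-configuration",
         "anonymous": "__ANON__"}},
      {"name": "key-auth", "config": {"anonymous": "__ANON__"}}]},
    {"name": "weak-service", "url": "http://other-endpoint", "plugins": [
      {"name": "oidc", "config": {"client_id": "c", "client_secret": "s",
         "discovery": "https://auth.example.com/.well-known/openid-configuration",
         "anonymous": "guest"}},
      {"name": "key-auth", "config": {}}]},
    {"name": "open-service", "url": "http://third-endpoint", "plugins": [
      {"name": "oidc", "config": {"client_id": "c", "client_secret": "s",
         "discovery": "https://auth.example.com/.well-known/openid-configuration",
         "anonymous": "2f1d9e0a-5b6c-4d7e-8f90-a1b2c3d4e5f6"}}]}
  ],
  "consumers": [
    {"username": "anonymous_users", "id": "__ANON__", "plugins": [
      {"name": "request-termination",
       "config": {"status_code": 401, "message": "Unauthorized"}}]},
    {"username": "guest_user", "custom_id": "guest",
     "id": "1b3c1b5c-0f0e-4a1a-9c2b-2d3e4f5a6b7c"},
    {"username": "wide_open", "id": "2f1d9e0a-5b6c-4d7e-8f90-a1b2c3d4e5f6"}
  ]
}""".replace("__ANON__", ANON_ID))


def lint_anonymous(config):
    """Return a list of findings; an empty list means the scheme is consistent."""
    findings = []
    consumers = config.get("consumers", [])
    by_id = {c["id"]: c for c in consumers if "id" in c}
    custom_ids = {c["custom_id"] for c in consumers if "custom_id" in c}

    for svc in config.get("services", []):
        svc_name = svc.get("name", "?")
        auth = [p for p in svc.get("plugins", []) if p.get("name") in AUTH_PLUGINS]
        anon_ids = set()
        for p in auth:
            anon = p.get("config", {}).get("anonymous")
            if not anon:
                # Without config.anonymous a failed check in this plugin rejects the
                # request before the other auth plugins run, so the chain is AND, not OR.
                findings.append(f"{svc_name}/{p['name']}: no config.anonymous; "
                                "OR-chaining needs it on every auth plugin")
            elif anon in by_id:
                anon_ids.add(anon)
            elif anon in custom_ids:
                findings.append(f"{svc_name}/{p['name']}: anonymous={anon!r} is a "
                                "custom_id; config.anonymous takes the Consumer id")
            else:
                findings.append(f"{svc_name}/{p['name']}: anonymous={anon!r} matches "
                                "no consumer id in this config")
        if len(anon_ids) > 1:
            findings.append(f"{svc_name}: auth plugins name different anonymous "
                            f"consumers {sorted(anon_ids)}")
        for anon in anon_ids:
            plugins = by_id[anon].get("plugins", [])
            if not any(p.get("name") == "request-termination" for p in plugins):
                # The dangerous case: failed auth becomes an anonymous pass-through
                # unless the upstream itself checks the X-Anonymous-Consumer header.
                findings.append(f"{svc_name}: anonymous consumer {anon} has no "
                                "request-termination plugin; requests that fail "
                                "every auth plugin reach the upstream")
    return findings


if __name__ == "__main__":
    for finding in lint_anonymous(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the lint reports the custom_id mix-up and the missing config.anonymous on weak-service and the missing request-termination on open-service, and reports nothing for good-service. Feeding it a real decK export (after converting YAML to JSON) is a quick way to confirm that adding config.anonymous to the oidc plugin did not quietly open the route.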