nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Authorization code is not getting passed to kong when client app is sending authorization <<>> in header instead of getting upstream server response #83

Open ayan1207 opened 5 years ago

ayan1207 commented 5 years ago

@Trojan295

We are getting the below issue. We installed the plugin successfully and then configured one api with the oidc plugin. After that, when we hit that api through the kong proxy we get the below error.

LOG 2018/11/21 16:14:22 [error] 15837#0: *35 [lua] openidc.lua:492: openidc_discover(): issuer field in Discovery data does not match URL, client: 10.51.204.125, server: kong, request: "POST /imapi HTTP/1.1", host: "10.144.20.240:8118"

Config we did.

"scope": "openid",
"client_id": "7db76fea-f48d-4396-89da-632625c6a435",
"discovery": "https://xx.xx.xx.xx/adfs/.well-known/openid-configuration",
"client_secret": "gahX1Oe_LNnaMb0dntiMLdQQ_8kPGLkOaakT2Npj"

},

Trojan295 commented 5 years ago

Is the issuer field in the discovery document correct? It should match the URL on which the document is available.

ayan1207 commented 5 years ago

@Trojan295

Can you please help to get this closed. Our configuration in the kong plugin is like below.

"client_id": "7db76fea-f48d-4396-89da-632625c6a435", "bearer_only": "no", "ssl_verify": "no", "discovery": "https://TEST(uppercase).pocad.com/adfs/.well-known/openid-configuration", "client_secret": "gahX1Oe_LNnaMb0dntiMLdQQ_8kPGLkOaakT2Npj"

When we hit the (https://test.pocad.com/adfs/.well-known/openid-configuration) URL from a browser we get the below response.

Response {"issuer":"https:\/\/TEST(Uppder case).pocad.com\/adfs","authorization_endpoint":"https:\/\/test.pocad.com\/adfs\/oauth2\/authorize\/","token_endpoint":"https:\/\/test.pocad.com\/adfs\/oauth2\/token\/","jwks_uri":"https:\/\/test.pocad.com\/adfs\/discovery\/keys","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","windows_client_authentication"],"response_types_supported":["code","id_token","code id_token","id_token token","code token","code id_token token"],"response_modes_supported":["query","fragment","form_post"],"grant_types_supported":["authorization_code","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","implicit","password","srv_challenge"],"subject_types_supported":["pairwise"],"scopes_supported":["email","user_impersonation","openid","aza","winhello_cert","profile","allatclaims","logon_cert","vpn_cert"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"access_token_issuer":"http:\/\/test.pocad.com\/adfs\/services\/trust","claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash","c_hash","sub","upn","unique_name","pwd_url","pwd_exp","mfa_auth_time","sid"],"microsoft_multi_refresh_token":true,"userinfo_endpoint":"https:\/\/test.pocad.com\/adfs\/userinfo","capabilities":[],"end_session_endpoint":"https:\/\/test.pocad.com\/adfs\/oauth2\/logout","as_access_token_token_binding_supported":true,"as_refresh_token_token_binding_supported":true,"resource_access_token_token_binding_supported":true,"op_id_token_token_binding_supported":true,"rp_id_token_token_binding_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true}.

Question 1: Are the issuer URL and discovery URL case sensitive, and should they match as URL strings?

Question 2: We changed the discovery URL in the kong plugin to be the same as the issuer URL (I mean the issuer URL is TEST.pocad.com/adfs, and we configured the discovery URL in the kong plugin as https://TEST.pocad.com/adfs/.well-known/openid-configuration). When we hit the kong proxy we get some login page in response:

Error

JavaScript required

JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.

An error occurred
An error occurred. Contact your administrator for more information.
Error details
Set-AdfsWebTheme -TargetName -AdditionalFileResource @{uri='/adfs/portal/images/hrd.jpg';path='.\hrd.jpg'} // //if (typeof HRD != 'undefined') { // SetIllustrationImage('/adfs/portal/images/hrd.jpg'); //} //]]>

Thanks in advance!!

Trojan295 commented 5 years ago

The issuer field must be a substring of the discovery URL you put in the plugin configuration. It is case sensitive. Could you try to provide more logs by running Kong with debug level logs? You can also try to put the whole Discovery URL in lowercase characters.

Besides, updating lua-resty-openidc to 1.9.0 in this plugin would also solve the problem, because they removed the check on this field. https://github.com/zmartzone/lua-resty-openidc/issues/219
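As an added illustration (not code from kong-oidc or lua-resty-openidc), the Python below mirrors the rule just described: the issuer must be a case-sensitive substring of the configured discovery URL. It runs over a trimmed, constructed copy of the ADFS discovery document quoted earlier in the thread; the diagnose helper and the endpoint-host consistency check are my own additions, not plugin behaviour.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the ADFS discovery document quoted in
# the thread (issuer host in upper case, endpoint hosts in lower case).
SAMPLE_DISCOVERY = json.loads(r'''{
  "issuer": "https:\/\/TEST.pocad.com\/adfs",
  "authorization_endpoint": "https:\/\/test.pocad.com\/adfs\/oauth2\/authorize\/",
  "token_endpoint": "https:\/\/test.pocad.com\/adfs\/oauth2\/token\/",
  "jwks_uri": "https:\/\/test.pocad.com\/adfs\/discovery\/keys",
  "userinfo_endpoint": "https:\/\/test.pocad.com\/adfs\/userinfo"
}''')

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "userinfo_endpoint", "end_session_endpoint")


def issuer_matches(doc, discovery_url):
    """The check the maintainer describes: the issuer string must appear,
    case-sensitively, inside the discovery URL configured in the plugin."""
    issuer = doc.get("issuer", "")
    return bool(issuer) and issuer in discovery_url


def diagnose(doc, discovery_url):
    """Explain why 'issuer field in Discovery data does not match URL' fires.
    Returns a list of findings; an empty list means the document is consistent."""
    findings = []
    issuer = doc.get("issuer", "")
    if not issuer:
        return ["discovery document has no issuer field"]
    if not issuer_matches(doc, discovery_url):
        if issuer.lower() in discovery_url.lower():
            findings.append("issuer differs from discovery URL only by letter case")
        else:
            findings.append("issuer %r is not contained in discovery URL" % issuer)
    # Defensive extra: every advertised endpoint should live on the issuer's
    # host; a discovery document pointing elsewhere deserves a second look.
    issuer_host = urlsplit(issuer).netloc.lower()
    for key in ENDPOINT_KEYS:
        endpoint = doc.get(key)
        if endpoint and urlsplit(endpoint).netloc.lower() != issuer_host:
            findings.append("%s host differs from issuer host" % key)
    return findings


if __name__ == "__main__":
    url = "https://test.pocad.com/adfs/.well-known/openid-configuration"
    print(issuer_matches(SAMPLE_DISCOVERY, url), diagnose(SAMPLE_DISCOVERY, url))
```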

ayan1207 commented 5 years ago

@Trojan295

  1. We have configured the below details in the kong-oidc plugin, and the issuer URL issue is now resolved. We are now getting a 'variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first' error. We went through https://github.com/nokia/kong-oidc/issues/1 and set session_secret (encoded password) in the plugin, but we are still facing the below issue. Can you please help to get this closed.

Config we did for plugin:

curl -i -X POST --url http://localhost:8115/apis/im/plugins \
  --data 'name=oidc' \
  --data "config.client_id=30f547df-2bdd-4fc9-a4e7-7c21cadf6ec8" \
  --data "config.client_secret=e8uYsjPbljp238tyJeHNWh72t33osS8jCQ6xyRUp" \
  --data "config.discovery=https://test.pocad.com/adfs/.well-known/openid-configuration" \
  --data "config.session_secret=dGliY29AMTIz"


DEBUG LOGS

2018/11/23 15:42:07 [debug] 23699#0: 37353 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1542966130.61 to: 1542967927.558
2018/11/23 15:42:10 [debug] 23700#0: 37365 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2018/11/23 15:42:10 [error] 23700#0: 37365 lua coroutine: runtime error: /usr/local/openresty/lualib/resty/core/var.lua:114: variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first
stack traceback:
coroutine 0:
[C]: in function 'error'
/usr/local/openresty/lualib/resty/core/var.lua:114: in function '__newindex'
/usr/local/share/lua/5.1/kong/plugins/oidc/session.lua:11: in function 'configure'
/usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:19: in function </usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:14>
coroutine 1:
[C]: in function 'resume'
coroutine.wrap:21: in function
/usr/local/share/lua/5.1/kong/init.lua:468: in function 'access'
access_by_lua(nginx-kong.conf:97):2: in function <access_by_lua(nginx-kong.conf:97):1>, client: 10.51.147.234, server: kong, request: "POST /imapi HTTP/1.1", host: "xx.xx.xx.xx:8118"
2018/11/23 15:42:10 [error] 23700#0: 37365 [lua] responses.lua:121: access(): /usr/local/openresty/lualib/resty/core/var.lua:114: variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first, client: 10.51.147.234, server: kong, request: "POST /imapi HTTP/1.1", host: "xx.xx.xx.xx:8118"
2018/11/23 15:42:10 [debug] 23700#0: 37365 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2018/11/23 15:42:10 [debug] 23700#0: 37365 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/23 15:42:10 [debug] 23700#0: 37365 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/23 15:42:10 [debug] 23700#0: 37365 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log

  2. Then we tried to add `set $session_secret '';` in the /usr/local/kong/nginx-kong.conf file and restarted kong. But after restarting kong the same property gets deleted automatically. Hence we are getting the same issue.


So we tried the below scenarios to set session_secret, but in all cases we received the same error log.

  a. Provided session_secret in the plugin config.
  b. Tried to set it as an env variable: export kong_session_secret=XX
  c. Tried to add set $session_secret ''; in the /usr/local/kong/nginx-kong.conf file
  d. Tried to set session_secret in the /etc/kong/kong.conf file.
  e. Tried to add set_decode_base64 $session_secret 'XX'; in the /usr/local/kong/nginx-kong.conf file

Trojan295 commented 5 years ago

Can you provide details about:

  • which Kong version are you using
  • which plugin version are you using
  • are you running Kong in HA or single node?

ayan1207 commented 5 years ago

@Trojan295

Pfb details for your reference.

  1. We are using kong 0.14.1 CE.
  2. We installed kong-oidc 1.1.0, as we used the "luarocks install kong-oidc" command to install the kong-oidc plugin, as mentioned in the installation step.
  3. For development we are using a single node, but in production we will be using HA Kong.

After giving the decoded value to session_secret in the kong-oidc plugin, that error goes away. Does it mean that we are successfully connected to adfs? Error.log below:

2018/11/26 16:04:33 [debug] 30516#0: 2321 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1543227998.025 to: 1543228473.506
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log

We have the below questions. Can you please help to get these clarified?

  1. Does it support adfs 3.0?
  2. What parameter (header parameter) do users need to send to the kong proxy when we enable the kong-oidc plugin? Currently we are passing "Authorization: Basic <>" but it is failing. We are not getting much info from the error LOG. (When we disable the KONG-OIDC plugin the upstream URL gives a proper response. Looks like an issue with the kong-oidc plugin enabled.)

plugin config

{ "created_at": 1542966125000, "config": { "response_type": "code", "realm": "kong", "redirect_after_logout_uri": "/", "scope": "openid", "token_endpoint_auth_method": "client_secret_post", "client_secret": "e8uYsjPbljp238tyJeHNWh72t33osS8jCQ6xyRUp", "client_id": "30f547df-2bdd-4fc9-a4e7-7c21cadf6ec8", "bearer_only": "no", "logout_path": "/logout", "ssl_verify": "no", "discovery": "https://test.pocad.com/adfs/.well-known/openid-configuration", "session_secret": "test@123" }


We are not getting much info from this error. Could you please help us with where we can check the plugin-related logs.

Below are the logs from SOAP-UI.

Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "POST /imapi HTTP/1.1[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Accept-Encoding: gzip,deflate[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "SOAPAction: "/IdentifierManager"[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Content-Length: 541[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Host: 10.144.20.240:8118[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " [\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " [\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " [\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " [\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " NO[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " 10[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " [\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " </ns1:getTransactionRefNumber>[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " </soapenv:Body>[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "</soapenv:Envelope>"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "HTTP/1.1 500 Internal Server Error[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Date: Mon, 26 Nov 2018 12:10:12 GMT[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Content-Type: text/plain; charset=UTF-8[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Transfer-Encoding: chunked[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Connection: close[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Server: kong/0.14.1[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "1d[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "An unexpected error occurred[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "0[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "[\r][\n]"

Regards

Trojan295 commented 5 years ago

The logs look good now. The header needs to be: "Authorization: Bearer <>".

I haven't tested this plugin against ADFS 3.0.

ayan1207 commented 5 years ago

@trojan295

We are not able to get a response from the upstream url after sending "Authorization: Bearer <>". But if we disable the oidc plugin the upstream url works fine. No error is getting printed in the error log.

Regards

Trojan295 commented 5 years ago

You would need to set config.introspection_endpoint if you want to enable passing the token in the Authorization header directly.

ayan1207 commented 5 years ago

@Trojan295

We are not trying to pass the Authorization header directly to the upstream api.

We are going as per your design diagram. We are not able to find the point where we actually stop before reaching the upstream Api. As per your previous comment the kong and adfs connection is good.

Can you please help to get answers for the below points?

  1. The client application needs to send the authorization grant code to the kong proxy (which parameter does the client application need to send in the header, Authorization Code<<>>, to the kong proxy?).
  2. Then kong will exchange the grant for an Access token and ID token with adfs (how can we make sure this is happening, as there is no log?).
  3. After getting the Access token, kong will try to get x-userinfo from adfs using the access token (not sure whether this is happening or not, as there is not enough log).
  4. After getting x-userinfo from adfs, the kong-oidc plugin will invoke the upstream api and send the response back to the client.

Now the client application is sending Authorization Code<<>> in the header to the kong proxy, but they are getting the below response, whereas the upstream API is working fine.

HTTP/1.1 500 Internal Server Error
Date: Mon, 17 Dec 2018 07:28:03 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: kong/0.14.1

An unexpected error occurred

ayan1207 commented 5 years ago

@Trojan295,

Can you please update on this?

littlechicks commented 2 years ago

Any news on this issue?