Open ayan1207 opened 5 years ago
Is the `issuer` field in the discovery document correct? It should match the URL at which the document is available.
@Trojan295
Can you please help to get this closed. Our configuration in the kong plugin is as below.

```json
"client_id": "7db76fea-f48d-4396-89da-632625c6a435", "bearer_only": "no", "ssl_verify": "no", "discovery": "https://TEST(uppercase).pocad.com/adfs/.well-known/openid-configuration", "client_secret": "gahX1Oe_LNnaMb0dntiMLdQQ_8kPGLkOaakT2Npj"
```

When we hit the URL (https://test.pocad.com/adfs/.well-known/openid-configuration) from a browser we get the response below.

Response:

```json
{"issuer":"https:\/\/TEST(upper case).pocad.com\/adfs","authorization_endpoint":"https:\/\/test.pocad.com\/adfs\/oauth2\/authorize\/","token_endpoint":"https:\/\/test.pocad.com\/adfs\/oauth2\/token\/","jwks_uri":"https:\/\/test.pocad.com\/adfs\/discovery\/keys","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","windows_client_authentication"],"response_types_supported":["code","id_token","code id_token","id_token token","code token","code id_token token"],"response_modes_supported":["query","fragment","form_post"],"grant_types_supported":["authorization_code","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","implicit","password","srv_challenge"],"subject_types_supported":["pairwise"],"scopes_supported":["email","user_impersonation","openid","aza","winhello_cert","profile","allatclaims","logon_cert","vpn_cert"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"access_token_issuer":"http:\/\/test.pocad.com\/adfs\/services\/trust","claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash","c_hash","sub","upn","unique_name","pwd_url","pwd_exp","mfa_auth_time","sid"],"microsoft_multi_refresh_token":true,"userinfo_endpoint":"https:\/\/test.pocad.com\/adfs\/userinfo","capabilities":[],"end_session_endpoint":"https:\/\/test.pocad.com\/adfs\/oauth2\/logout","as_access_token_token_binding_supported":true,"as_refresh_token_token_binding_supported":true,"resource_access_token_token_binding_supported":true,"op_id_token_token_binding_supported":true,"rp_id_token_token_binding_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true}
```

Question 1: Are the issuer URL and the discovery URL case sensitive, and should they match as URL strings?

Question 2: We changed the discovery URL in the kong plugin to match the issuer URL (I mean the issuer URL is TEST.pocad.com/adfs, and we configured the discovery URL in the kong plugin as https://TEST.pocad.com/adfs/.well-known/openid-configuration). When we hit the kong proxy we get a login page in response:
**JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.**
**To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.**
Thanks in advance!!
The `issuer` field must be a substring of the discovery URL you put in the plugin configuration. It is case sensitive. Could you try to provide more logs by running Kong with debug-level logging? You can also try putting the whole discovery URL in lowercase characters.
Besides, updating lua-resty-openidc to 1.9.0 in this plugin would also solve the problem, because they removed the check on this field. https://github.com/zmartzone/lua-resty-openidc/issues/219
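To make the behaviour described in this reply concrete, here is an added Python illustration (not the plugin's or lua-resty-openidc's own code) of the case-sensitive substring check, run against the discovery document pasted earlier in the thread. The helper names `issuer_matches` and `endpoint_host_mismatches` are hypothetical; the second one is an extra defender-side sanity check that every endpoint is served over https from the issuer's host, comparing hostnames case-insensitively as DNS does.

```python
import json
from urllib.parse import urlsplit

# Discovery document as returned by ADFS in the thread, trimmed to the fields
# used here, with the author's "(upper case)" annotation removed and "\/" unescaped.
DISCOVERY_JSON = r'''{
  "issuer": "https://TEST.pocad.com/adfs",
  "authorization_endpoint": "https://test.pocad.com/adfs/oauth2/authorize/",
  "token_endpoint": "https://test.pocad.com/adfs/oauth2/token/",
  "jwks_uri": "https://test.pocad.com/adfs/discovery/keys",
  "userinfo_endpoint": "https://test.pocad.com/adfs/userinfo",
  "end_session_endpoint": "https://test.pocad.com/adfs/oauth2/logout"
}'''
DISCOVERY = json.loads(DISCOVERY_JSON)


def issuer_matches(discovery_url, doc, case_sensitive=True):
    """Model of the issuer sanity check the reply describes (dropped in
    lua-resty-openidc 1.9.0): the issuer must be a substring of the discovery
    URL, compared byte for byte. Hypothetical helper, not the plugin's code."""
    issuer, url = doc["issuer"], discovery_url
    if not case_sensitive:  # what "put the whole discovery URL in lowercase" achieves
        issuer, url = issuer.lower(), url.lower()
    return issuer in url


def endpoint_host_mismatches(doc):
    """Return the names of endpoints not served over https from the issuer's host.
    urlsplit(...).hostname is lowercased, so TEST vs test is not flagged,
    while a foreign host or a plain-http endpoint is."""
    issuer_host = urlsplit(doc["issuer"]).hostname
    bad = []
    for key, value in doc.items():
        if key.endswith("_endpoint") or key == "jwks_uri":
            parts = urlsplit(value)
            if parts.scheme != "https" or parts.hostname != issuer_host:
                bad.append(key)
    return bad


if __name__ == "__main__":
    lower = "https://test.pocad.com/adfs/.well-known/openid-configuration"
    upper = "https://TEST.pocad.com/adfs/.well-known/openid-configuration"
    print("lowercase discovery URL:", issuer_matches(lower, DISCOVERY))        # False
    print("uppercase discovery URL:", issuer_matches(upper, DISCOVERY))        # True
    print("case-insensitive compare:", issuer_matches(lower, DISCOVERY, False))  # True
    print("endpoint problems:", endpoint_host_mismatches(DISCOVERY))           # []
```

The first call reproduces the "issuer field in Discovery data does not match URL" situation from the thread; the second shows why matching the issuer's capitalisation in the configured discovery URL makes it pass.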
@Trojan295
We have configured the details below in the kong-oidc plugin, and the issuer URL issue is now resolved. We are now getting `variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first`. We went through https://github.com/nokia/kong-oidc/issues/1 and set session_secret (encoded password) in the plugin, but we are still facing the issue below. Can you please help to get this closed.

Config we did for the plugin:

```shell
curl -i -X POST --url http://localhost:8115/apis/im/plugins \
  --data 'name=oidc' \
  --data "config.client_id=30f547df-2bdd-4fc9-a4e7-7c21cadf6ec8" \
  --data "config.client_secret=e8uYsjPbljp238tyJeHNWh72t33osS8jCQ6xyRUp" \
  --data "config.discovery=https://test.pocad.com/adfs/.well-known/openid-configuration" \
  --data "config.session_secret=dGliY29AMTIz"
```

DEBUG LOGS

```
2018/11/23 15:42:07 [debug] 23699#0: 37353 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1542966130.61 to: 1542967927.558
2018/11/23 15:42:10 [debug] 23700#0: 37365 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2018/11/23 15:42:10 [error] 23700#0: 37365 lua coroutine: runtime error: /usr/local/openresty/lualib/resty/core/var.lua:114: variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first
stack traceback:
coroutine 0:
[C]: in function 'error'
/usr/local/openresty/lualib/resty/core/var.lua:114: in function '__newindex'
/usr/local/share/lua/5.1/kong/plugins/oidc/session.lua:11: in function 'configure'
/usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:19: in function </usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:14>
coroutine 1:
[C]: in function 'resume'
coroutine.wrap:21: in function
```

2. Then we tried to set `set $session_secret '';` in the /usr/local/kong/nginx-kong.conf file and restarted kong. But after restarting kong the same property gets deleted automatically. Hence we get the same issue.
So we tried the scenarios below to set session_secret, but in all cases we received the same error log.
Can you provide details about:
@Trojan295
Please find below the details for your reference.
After giving the decoded value to session_secret in the kong-oidc plugin, that error goes away. Does it mean that we are successfully connected to ADFS? Error.log below:

```
2018/11/26 16:04:33 [debug] 30516#0: 2321 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1543227998.025 to: 1543228473.506
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/26 16:04:35 [debug] 30514#0: 2333 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
```

We have the question below. Can you please help to get this clarified?

Plugin config:

```json
{
  "created_at": 1542966125000,
  "config": {
    "response_type": "code",
    "realm": "kong",
    "redirect_after_logout_uri": "/",
    "scope": "openid",
    "token_endpoint_auth_method": "client_secret_post",
    "client_secret": "e8uYsjPbljp238tyJeHNWh72t33osS8jCQ6xyRUp",
    "client_id": "30f547df-2bdd-4fc9-a4e7-7c21cadf6ec8",
    "bearer_only": "no",
    "logout_path": "/logout",
    "ssl_verify": "no",
    "discovery": "https://test.pocad.com/adfs/.well-known/openid-configuration",
    "session_secret": "test@123"
  }
}
```
We are not getting much info from this error. Could you please help us find where we can check the plugin-related logs.

Below are the logs from SOAP-UI:

```
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "POST /imapi HTTP/1.1[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Accept-Encoding: gzip,deflate[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "SOAPAction: "/IdentifierManager"[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Content-Length: 541[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Host: 10.144.20.240:8118[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "
```
Regards
The logs look good now. The header needs to be: `Authorization: Bearer <>`.
I haven't tested this plugin against ADFS 3.0.
@trojan295
We are not able to get a response from the upstream URL after sending `Authorization: Bearer <>`. But if we disable the oidc plugin, the upstream URL works fine. No error is printed in the error log.
Regards
You would need to set the `config.introspection_endpoint`, if you want to enable passing the token in the Authorization header directly.
@Trojan295
We are not trying to pass the Authorization header directly to the upstream API.
We are going as per your design diagram. We are not able to find the point at which we actually stop reaching the upstream API. As per your previous comment, the kong and ADFS connection is good.
Can you please help to answer the point below?
Now the client application is sending the Authorization Code <<>> in the header to the kong proxy, but they are getting the response below, whereas the upstream API is working fine.

```
HTTP/1.1 500 Internal Server Error
Date: Mon, 17 Dec 2018 07:28:03 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: kong/0.14.1

An unexpected error occurred
```
@Trojan295,
Can you please give an update on this?
Any news on this issue?
@Trojan295
We are getting the issue below. We installed the plugin successfully and then configured one API with the oidc plugin. After that, when we hit that API through the kong proxy we get the issue below.

LOG

```
2018/11/21 16:14:22 [error] 15837#0: *35 [lua] openidc.lua:492: openidc_discover(): issuer field in Discovery data does not match URL, client: 10.51.204.125, server: kong, request: "POST /imapi HTTP/1.1", host: "10.144.20.240:8118"
```

Config we did:
},