Closed mteodor closed 5 years ago
Good morning, you have used the admin domain "dev-890645-admin.okta.com" in your discovery URL; while this resolves successfully, the issuer is your tenant address dev-890645.okta.com.
Try changing the value for config.discovery as follows and let us know if it resolves the error:
https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration
Thanks, that resolved one problem, and now I ran into another: after trying to access the application from the example (header-origin) on localhost:8000 I'm redirected to the Okta login page, and after successful authentication I get an error page:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Apr 04 10:22:21 UTC 2019
There was an unexpected error (type=Forbidden, status=403).
Access Denied
[localhost.txt](https://github.com/oktadeveloper/okta-kong-origin-example/files/3043024/localhost.txt)
[localhost.txt](https://github.com/oktadeveloper/okta-kong-origin-example/files/3043025/localhost.txt)
Here is the Kong log:
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 1 => client_secret_basic
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 2 => client_secret_post
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1038: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1066: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1203: authenticate(): session.present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1244: authenticate(): id_token={"ver":1,"user.fullName":"mirko mirko","iat":1554373231,"iss":"https:\/\/dev-890645.okta.com\/oauth2\/default","aud":"0oaez9z9tu95rEI5d356","idp":"00odqmy78hrj72VvL356","amr":["pwd"],"user.email":"mirkot@mirkot.com","exp":1554376831,"sub":"00udqwk76vzTH8GeN356","jti":"ID.-k8AMAvLB2pkz79H0u24A8Ky3TD3LEUtdC4VB0ktTBs","auth_time":1554373211,"nonce":"09b13251250d316d936a84764b808cef","at_hash":"14W1gwaOYtdrEnaQ0k0GtA"}
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] handler.lua:25: access(): OidcHandler done
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
172.18.0.1 - - [04/Apr/2019:10:21:11 +0000] "GET / HTTP/1.1" 403 299 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
2019/04/04 10:21:13 [debug] 50#0: *4487 [lua] cluster_events.lua:231: [cluster_events] polling events from: 1554372973.319 to: 1554373273.381
2019/04/04 10:21:13 [debug] 50#0: *4487 [lua] cluster.lua:428: next_coordinator(): [lua-cassandra] load balancing policy chose host at kong-database
Here is the HAR file from Chrome: localhost.zip
From the Kong log it looks like your ID token is missing the 'groups' claim; a sample from my log is below:
2019/04/05 08:38:09 [debug] 25#0: *79 [lua] openidc.lua:1244: authenticate(): id_token={"ver":1,"user.fullName":"AndyMarch","iat":1554453487,"iss":"https:\/\/examply.okta-emea.com\/oauth2\/aus2cokm8uBPD9UH90i7","aud":"0oa2colm6gWR8XvqE0i7","idp":"00o2az2ierqKuOT0D0i7","amr":["pwd"],"groups":["Everyone","users"],"user.email":"andy.march@okta.com","exp":1554457087,"sub":"00u2az2ifn8RX4ryQ0i7","jti":"ID.1qs9BJ_chHWZAm6ujF7xDICSTdW814b_wqf6U7S7n1U","auth_time":1554451257,"nonce":"dfb2d7c4e264f84cdcf1d07c6e05488c","at_hash":"83zPttLgxIkwX_G1RLavXw"}
2019/04/05 08:38:09 [debug] 25#0: *79 [lua] handler.lua:25: access(): OidcHandler done
The Java app maps this claim to an object to determine which pages you have access to. It's worth noting as well that there is currently a PR open which might be impacting the parsing of the header provided by Kong. Take a look at this change, which might explain your generic error.
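As an added illustration (not code from the example project or from either commenter), here is a small Python diagnostic that applies the two checks discussed in this thread to constructed inputs: the issuer versus discovery-URL comparison from the first reply, and the presence of the `groups` claim in the ID token from the second. The issuer rule used here (issuer plus the well-known path must equal the configured discovery URL) is an approximation of the plugin's own check, not its code, and the sample values are modelled on the ones quoted above.

```python
WELL_KNOWN = "/.well-known/openid-configuration"


def check_issuer(discovery_url, discovery_doc):
    """Return None when the 'issuer' in the discovery document agrees with the
    configured discovery URL, otherwise a diagnostic string. Approximation of
    the check behind 'issuer field in Discovery data does not match URL'."""
    issuer = discovery_doc.get("issuer")
    if not issuer:
        return "discovery document has no 'issuer' field"
    expected_url = issuer.rstrip("/") + WELL_KNOWN
    if discovery_url != expected_url:
        return (f"issuer {issuer} implies discovery URL {expected_url}, "
                f"but config.discovery is {discovery_url}")
    return None


def check_groups_claim(id_token_claims, claim="groups"):
    """Return None when the ID token carries a non-empty list under `claim`,
    otherwise a diagnostic string. Without this list the downstream app has
    nothing to map to page access, which is what surfaces as a 403."""
    groups = id_token_claims.get(claim)
    if groups is None:
        return f"ID token has no '{claim}' claim; claims present: {sorted(id_token_claims)}"
    if not isinstance(groups, list) or not groups:
        return f"'{claim}' claim is present but empty or not a list: {groups!r}"
    return None


def diagnose(discovery_url, discovery_doc, id_token_claims):
    """Collect every problem found; an empty list means both checks passed."""
    return [p for p in (check_issuer(discovery_url, discovery_doc),
                        check_groups_claim(id_token_claims)) if p]


# Constructed sample data modelled on the values quoted in this thread.
TENANT_ISSUER = "https://dev-890645.okta.com/oauth2/default"
DISCOVERY_DOC = {"issuer": TENANT_ISSUER}  # what the tenant's metadata reports
ADMIN_DISCOVERY_URL = "https://dev-890645-admin.okta.com/oauth2/default" + WELL_KNOWN
TENANT_DISCOVERY_URL = TENANT_ISSUER + WELL_KNOWN
TOKEN_WITHOUT_GROUPS = {"iss": TENANT_ISSUER, "sub": "00udqwk76vzTH8GeN356", "amr": ["pwd"]}
TOKEN_WITH_GROUPS = dict(TOKEN_WITHOUT_GROUPS, groups=["Everyone", "users"])

if __name__ == "__main__":
    for url, claims in [(ADMIN_DISCOVERY_URL, TOKEN_WITHOUT_GROUPS),
                        (TENANT_DISCOVERY_URL, TOKEN_WITH_GROUPS)]:
        print(url, "->", diagnose(url, DISCOVERY_DOC, claims) or "OK")
```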
This is my setting; the group claim seems to be configured.
I've configured the system based on the steps provided here, with a few problems on the way (a problem with luarocks and a problem with Kong not being installed in the Docker image).
Last command I ran:
In the end, when I tried to access the application, I'm getting this error: openidc_discover(): issuer field in Discovery data does not match URL, client: 172.21.0.1