oktadev / okta-kong-origin-example

Kong Gateway Example with OIDC and Okta
https://developer.okta.com/blog/2017/12/04/use-kong-gateway-to-centralize-authentication

problem with authentication #6

Closed mteodor closed 5 years ago

mteodor commented 5 years ago

I've configured the system based on the steps provided here, with a few problems on the way (a problem with luarocks and a problem with Kong not being installed in the Docker image).

Last command I ran:

```sh
    config.client_id="0oaez9z9xxxxxxrEI5d356" \
    config.client_secret="zA7_VEz2SxxxxxxgRjIupKkAeYqxL3QYZfbE" \
    config.discovery="https://dev-890645-admin.okta.com/oauth2/default/.well-known/openid-configuration"
```

In the end, when I tried to access the application, I got this error: `openidc_discover(): issuer field in Discovery data does not match URL, client: 172.21.0.1`

```
User-Agent: lua-resty-http/0.08 (Lua) ngx_lua/10008
Host: dev-890645-admin.okta.com

2019/04/02 18:04:24 [debug] 54#0: *15102 [lua] openidc.lua:485: openidc_discover(): response data: {"issuer":"https://dev-890645.okta.com/oauth2/default","authorization_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/authorize","token_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/token","userinfo_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/userinfo","registration_endpoint":"https://dev-890645.okta.com/oauth2/v1/clients","jwks_uri":"https://dev-890645.okta.com/oauth2/default/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","profile","email","address","phone","offline_access"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/logout","request_parameter_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]}
2019/04/02 18:04:24 [error] 54#0: *15102 [lua] openidc.lua:492: openidc_discover(): issuer field in Discovery data does not match URL, client: 172.21.0.1, server: kong, request: "GET /favicon.ico HTTP/1.1", host: "localhost:8000"
2019/04/02 18:04:24 [debug] 54#0: *15102 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
```
andymarch commented 5 years ago

Good morning. You have used the admin domain "dev-890645-admin.okta.com" in your discovery URL; while this resolves successfully, the issuer is your tenant address, dev-890645.okta.com.

Try changing the value for config.discovery as follows and let us know if it resolves the error: `https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration`
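The check that produced the error above, as an added example (not code from this repository, lua-resty-openidc, or Okta): OpenID Connect Discovery requires the `issuer` in the configuration document to be identical to the URL the document was fetched from, minus `/.well-known/openid-configuration`, and the plugin refuses a document that fails this. The discovery document below is constructed from the issuer shown in the log; the extra "endpoints on the issuer host" check is this example's own addition, not something the plugin does.

```python
"""Issuer-vs-discovery-URL check (added example, not the plugin's or Okta's code)."""
from typing import Optional
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: only the fields this check needs; the issuer matches the thread's log.
DISCOVERY_DOC = {
    "issuer": "https://dev-890645.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-890645.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-890645.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://dev-890645.okta.com/oauth2/default/v1/keys",
}


def issuer_from_discovery_url(discovery_url: str) -> str:
    """Issuer implied by a discovery URL: drop the well-known suffix and any trailing slash."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + discovery_url)
    return discovery_url[: -len(WELL_KNOWN)].rstrip("/")


def discovery_url_for(issuer: str) -> str:
    """The discovery URL to configure for a given issuer (the fix suggested above)."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery(discovery_url: str, doc: dict) -> Optional[str]:
    """Return an error string (same wording as the plugin's for the issuer case) or None if OK.

    The issuer comparison is the OIDC Discovery rule the plugin enforces. The endpoint-host
    check that follows is an extra sanity check added in this example, not the plugin's.
    """
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        return "issuer field missing from Discovery data"
    if issuer.rstrip("/") != issuer_from_discovery_url(discovery_url):
        return "issuer field in Discovery data does not match URL"
    issuer_host = urlparse(issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key)
        if not isinstance(endpoint, str) or urlparse(endpoint).netloc != issuer_host:
            return f"{key} is missing or not on the issuer host {issuer_host}"
    return None


if __name__ == "__main__":
    admin_url = "https://dev-890645-admin.okta.com/oauth2/default" + WELL_KNOWN
    print(admin_url, "->", check_discovery(admin_url, DISCOVERY_DOC))
    fixed_url = discovery_url_for(DISCOVERY_DOC["issuer"])
    print(fixed_url, "->", check_discovery(fixed_url, DISCOVERY_DOC))
```

The admin hostname resolves and serves a valid document, which is why the discovery request itself succeeds; the comparison fails only because the issuer inside the document names the tenant host. Deriving the discovery URL from the issuer, rather than typing it by hand, avoids the mismatch.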

mteodor commented 5 years ago

Thanks, that resolved one problem, and now I've run into another. After trying to access the application from the example (header-origin) on localhost:8000, I'm redirected to the Okta login page, and after successful authentication I get an error page:

```
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.

Thu Apr 04 10:22:21 UTC 2019
There was an unexpected error (type=Forbidden, status=403).
Access Denied
```
[localhost.txt](https://github.com/oktadeveloper/okta-kong-origin-example/files/3043024/localhost.txt)
[localhost.txt](https://github.com/oktadeveloper/okta-kong-origin-example/files/3043025/localhost.txt)

Here is the Kong log:

```
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 1 => client_secret_basic
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 2 => client_secret_post
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1038: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1066: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1203: authenticate(): session.present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] openidc.lua:1244: authenticate(): id_token={"ver":1,"user.fullName":"mirko mirko","iat":1554373231,"iss":"https:\/\/dev-890645.okta.com\/oauth2\/default","aud":"0oaez9z9tu95rEI5d356","idp":"00odqmy78hrj72VvL356","amr":["pwd"],"user.email":"mirkot@mirkot.com","exp":1554376831,"sub":"00udqwk76vzTH8GeN356","jti":"ID.-k8AMAvLB2pkz79H0u24A8Ky3TD3LEUtdC4VB0ktTBs","auth_time":1554373211,"nonce":"09b13251250d316d936a84764b808cef","at_hash":"14W1gwaOYtdrEnaQ0k0GtA"}
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] handler.lua:25: access(): OidcHandler done
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/04/04 10:21:11 [debug] 49#0: *4034 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
172.18.0.1 - - [04/Apr/2019:10:21:11 +0000] "GET / HTTP/1.1" 403 299 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
2019/04/04 10:21:13 [debug] 50#0: *4487 [lua] cluster_events.lua:231: [cluster_events] polling events from: 1554372973.319 to: 1554373273.381
2019/04/04 10:21:13 [debug] 50#0: *4487 [lua] cluster.lua:428: next_coordinator(): [lua-cassandra] load balancing policy chose host at kong-database
```

Here is the HAR file from Chrome: localhost.zip

andymarch commented 5 years ago

From the Kong log it looks like your ID token is missing the 'groups' claim; a sample from my log is below:

```
2019/04/05 08:38:09 [debug] 25#0: *79 [lua] openidc.lua:1244: authenticate(): id_token={"ver":1,"user.fullName":"AndyMarch","iat":1554453487,"iss":"https:\/\/examply.okta-emea.com\/oauth2\/aus2cokm8uBPD9UH90i7","aud":"0oa2colm6gWR8XvqE0i7","idp":"00o2az2ierqKuOT0D0i7","amr":["pwd"],"groups":["Everyone","users"],"user.email":"andy.march@okta.com","exp":1554457087,"sub":"00u2az2ifn8RX4ryQ0i7","jti":"ID.1qs9BJ_chHWZAm6ujF7xDICSTdW814b_wqf6U7S7n1U","auth_time":1554451257,"nonce":"dfb2d7c4e264f84cdcf1d07c6e05488c","at_hash":"83zPttLgxIkwX_G1RLavXw"}
2019/04/05 08:38:09 [debug] 25#0: *79 [lua] handler.lua:25: access(): OidcHandler done
```

The Java app maps this claim to an object to determine which pages you have access to. It's worth noting as well that there is currently a PR open which might be impacting the parsing of the header provided by Kong. Take a look at this change, which might explain your generic error.
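What the application side of this looks like, as an added example that is not the example app's Java code: the gateway forwards the token claims, and the app derives an access decision from the `groups` claim, so a token without that claim is a 403 no matter how well the login went. Two things here are assumptions for illustration only: that the claims arrive as a base64-encoded JSON header, and that membership in one group (`REQUIRED_GROUP`, set to "users") grants access. The page names neither the header format nor the group the app checks. The claim sets are constructed from the two log lines above with shortened identifiers, and no signature is verified here because the gateway has already validated the token before forwarding the claims.

```python
"""Groups-claim authorization on the app side (added example, not the example app's code)."""
import base64
import json
from typing import Tuple

REQUIRED_GROUP = "users"  # assumed for this example; the page does not name the group the app checks

# Constructed claim sets modelled on the two log lines in the thread (identifiers shortened).
CLAIMS_WITHOUT_GROUPS = {
    "iss": "https://dev-890645.okta.com/oauth2/default",
    "aud": "0oaez9z9xxxxxxrEI5d356",
    "sub": "00udqwk76vzTH8GeN356",
    "amr": ["pwd"],
}
CLAIMS_WITH_GROUPS = dict(CLAIMS_WITHOUT_GROUPS, groups=["Everyone", "users"])


def encode_claims_header(claims: dict) -> str:
    """Encode claims the way the assumed gateway header carries them: compact JSON, base64."""
    return base64.b64encode(json.dumps(claims, separators=(",", ":")).encode()).decode()


def decode_claims_header(value: str) -> dict:
    """Decode a base64 JSON header, tolerating stripped padding; raise ValueError on garbage."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)  # binascii.Error is a ValueError subclass
        claims = json.loads(raw)
    except ValueError as exc:
        raise ValueError("malformed claims header") from exc
    if not isinstance(claims, dict):
        raise ValueError("claims header is not a JSON object")
    return claims


def authorize(claims: dict, required_group: str = REQUIRED_GROUP) -> Tuple[int, str]:
    """Map the groups claim to an access decision; the reason says why a 403 happened."""
    groups = claims.get("groups")
    if groups is None:
        return 403, "no 'groups' claim in token: check the groups claim on the authorization server"
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return 403, "'groups' claim is not a list of strings"
    if required_group in groups:
        return 200, f"allowed: {claims.get('sub')} is in '{required_group}'"
    return 403, f"'{required_group}' not in groups {groups}"


def handle_request(claims_header: str) -> Tuple[int, str]:
    """Per-request path: decode the gateway-supplied header, then authorize."""
    try:
        claims = decode_claims_header(claims_header)
    except ValueError as exc:
        return 400, str(exc)
    return authorize(claims)


if __name__ == "__main__":
    for name, claims in (("without groups", CLAIMS_WITHOUT_GROUPS), ("with groups", CLAIMS_WITH_GROUPS)):
        print(name, "->", handle_request(encode_claims_header(claims)))
    print("garbage header ->", handle_request("%%%not-base64%%%"))
```

The point of returning a reason string alongside the status is diagnostic: a generic "Access Denied" page, like the Whitelabel page in the thread, hides whether the claim was absent, malformed, or simply did not contain the required group, and each of those is fixed in a different place (authorization server claim mapping, gateway header handling, or group assignment).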

mteodor commented 5 years ago

This is my setting; the group claim seems to be configured.

[image: screenshot of the claim settings]