revomatico / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Scope Validation is not working. Is a feature or dead code? #29

Open filipeversehgi opened 1 year ago

filipeversehgi commented 1 year ago

From what I see here in handler.lua, it's possible to pass multiple scopes to the plugin configuration and ask it to validate that the returned token has these scopes, is that correct?

https://github.com/revomatico/kong-oidc/blob/master/kong/plugins/oidc/handler.lua#L126

But it seems that this code only supports 1 scope, not multiple scopes.

I was wondering if this is a hidden feature, or just some dead code that was left behind. I would be interested in submitting a PR if that's welcome.
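
To make the question concrete, here is an added example (not code from kong-oidc or this thread) of what a multi-scope check on a JWT access token would have to do: the `scope` claim is a single space-delimited string (RFC 6749 section 3.3, RFC 8693 section 4.2), so matching it against a configured list needs a set comparison rather than a comparison of the whole string. The function names `split_scopes` and `has_required_scopes` and the token claims are constructed for this example.

```lua
-- Turn a space-delimited scope claim such as "openid profile email" into a
-- lookup table { openid = true, profile = true, email = true }.
local function split_scopes(scope_claim)
  local granted = {}
  if type(scope_claim) ~= "string" then
    return granted                -- missing or non-string claim grants nothing
  end
  for s in scope_claim:gmatch("%S+") do
    granted[s] = true
  end
  return granted
end

-- True only when every entry of `required` (a table of scope strings) is
-- present in the claim; on failure also returns the first missing scope so
-- the caller can log why the request was rejected.
local function has_required_scopes(scope_claim, required)
  local granted = split_scopes(scope_claim)
  for _, want in ipairs(required) do
    if not granted[want] then
      return false, want
    end
  end
  return true, nil
end

-- Constructed claims, shaped like the access token a Keycloak realm issues.
local token = { scope = "openid profile email", preferred_username = "alice" }

-- A single configured scope is found even though the claim holds three.
assert(has_required_scopes(token.scope, { "openid" }))
-- Comparing the whole claim against one configured value cannot work here,
-- which is why a set-based check is needed for more than one scope.
assert(token.scope ~= "openid")
-- Several configured scopes: all present, then one missing (denied, with reason).
assert(has_required_scopes(token.scope, { "openid", "email" }))
local ok, missing = has_required_scopes(token.scope, { "openid", "admin" })
assert(ok == false and missing == "admin")
-- A malformed claim is treated as no scopes granted rather than as a match.
assert(has_required_scopes(nil, { "openid" }) == false)
print("scope checks passed")
```
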

ahhduy commented 1 year ago

I have the same question.

ruiengana commented 1 year ago

Feature is working as expected. Please note it doesn't make sense to ask to validate 3 scopes for a single endpoint. You should review your API security practices.

ahhduy commented 1 year ago

> Feature is working as expected. Please note it doesn't make sense to ask to validate 3 scopes for a single endpoint. You should review your API security practices.

Thanks for your reply.

This is my oidc config:

```json
{
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "config": {
    "realm": "kong",
    "redirect_after_logout_uri": "/",
    "unauth_action": "auth",
    "discovery": "http://192.168.11.11:8080/realms/kong/.well-known/openid-configuration",
    "recovery_page_path": null,
    "timeout": null,
    "response_type": "code",
    "use_jwks": "yes",
    "session_secret": null,
    "bearer_jwt_auth_signing_algs": [
      "RS256"
    ],
    "ssl_verify": "no",
    "client_secret": "3hE3tAofmFe28inrPe7AygsXf6fxmlLf",
    "redirect_uri": null,
    "header_names": [],
    "client_id": "kong_client",
    "filters": null,
    "skip_already_auth_requests": "no",
    "redirect_after_logout_with_id_token_hint": "no",
    "bearer_jwt_auth_allowed_auds": null,
    "validate_scope": "yes",
    "bearer_jwt_auth_enable": "no",
    "token_endpoint_auth_method": "client_secret_post",
    "introspection_cache_ignore": "no",
    "post_logout_redirect_uri": null,
    "groups_claim": "groups",
    "ignore_auth_filters": null,
    "header_claims": [],
    "disable_userinfo_header": "no",
    "id_token_header_name": "X-ID-Token",
    "userinfo_header_name": "X-USERINFO",
    "introspection_endpoint": "http://192.168.11.11:8080/realms/kong/protocol/openid-connect/token/introspect",
    "revoke_tokens_on_logout": "no",
    "scope": "openid",
    "bearer_only": "no",
    "disable_access_token_header": "no",
    "introspection_endpoint_auth_method": "client_secret_basic",
    "access_token_header_name": "X-Access-Token",
    "access_token_as_bearer": "no",
    "disable_id_token_header": "no",
    "logout_path": "/logout"
  },
  "tags": null,
  "enabled": true,
  "route": null,
  "name": "oidc",
  "created_at": 1678863921,
  "consumer": null,
  "id": "2cf01a39-4d0d-4c4f-8b9d-7a048594d4f6",
  "service": {
    "id": "34a0c1b0-1cac-4e9c-a09d-cf5e2a3eb7db"
  }
}
```

When I visit the configured route in Kong with a browser, I get redirected to Keycloak to authenticate, and after success I can see my endpoint (any user I created in Keycloak can access this endpoint through the browser). But when I use this code to get an access token and connect to the endpoint, I get the error: {"message":"Forbidden"}


```bash
#!/bin/bash

auth_url='http://localhost:8080'   # Keycloak base URL, without a trailing slash so the path below is not doubled
realm_name='kong'
client_id='kong_client'
client_secret='3hE3tAofmFe28inrPe7AygsXf6fxmlLf'
username='duypa'
password='123456aA'
url='http://localhost:8000/httpbin2'

# Resource Owner Password Credentials grant: fetch an access token from Keycloak
token=$(curl -s -X POST \
  "${auth_url}/realms/${realm_name}/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=${client_id}" \
  -d "client_secret=${client_secret}" \
  -d "username=${username}" \
  -d "password=${password}" \
  -d "grant_type=password" | jq -r '.access_token')
echo "$token"

# Call the Kong-protected endpoint, presenting the token as a bearer token
curl -X GET \
  "${url}" \
  -H "Authorization: Bearer ${token}"
```


And after I check the access token, I don't see any value "openid" in its scope. Maybe I made a mistake?

Note that if I change config.scope to match the scope in the JWT access_token I get, and remove the default "openid", I can connect to the endpoint with that code normally. But in the browser, I get an error. Thank you for your reply.

ruiengana commented 1 year ago

Scope validation is not intended to be used with OpenID scope, that's the whole purpose of the oidc plugin.

ahhduy commented 1 year ago

> Scope validation is not intended to be used with OpenID scope, that's the whole purpose of the oidc plugin.

I see. Thank you for your answer.