Closed millermatt closed 1 year ago
Full config as downloaded from the admin api and converted to yaml
```yaml
- tags: null
  route: null
  config:
    header_claims:
    - claims
    disable_userinfo_header: no
    post_logout_redirect_uri: null
    userinfo_header_name: X-USERINFO
    introspection_endpoint: null
    disable_access_token_header: no
    scope: openid
    ssl_verify: "false"
    response_type: code
    access_token_header_name: X-Access-Token
    access_token_as_bearer: no
    client_id: my-client
    id_token_header_name: X-ID-Token
    session_secret: null
    recovery_page_path: null
    bearer_only: no
    use_jwks: no
    header_names:
    - permissions
    timeout: 10000
    client_secret: abcdefg12345678
    skip_already_auth_requests: no
    redirect_uri: null
    ignore_auth_filters: null
    redirect_after_logout_uri: /
    realm: kong
    validate_scope: no
    filters: null
    bearer_jwt_auth_signing_algs:
    - RS256
    discovery: https://my-server/my-service/.well-known/openid-configuration
    redirect_after_logout_with_id_token_hint: no
    bearer_jwt_auth_allowed_auds:
    - aud
    unauth_action: auth
    disable_id_token_header: no
    bearer_jwt_auth_enable: "false"
    introspection_endpoint_auth_method: client_secret_post
    introspection_cache_ignore: no
    token_endpoint_auth_method: client_secret_post
    groups_claim: groups
    logout_path: /logout
    revoke_tokens_on_logout: no
  created_at: 1.682357555e+09
  id: f91dfa34-abcd-1234-90b3-1ca02dd0793a
  protocols:
  - grpc
  - grpcs
  - http
  - https
  service:
    id: 3553b6a5-abcd-1234-8563-4e0dff783478
  consumer: null
  name: oidc
  enabled: true
```
I'm not sure why I need to turn off SSL verification when my discover url has a valid non-self-signed cert and there is no proxy involved, but the fix was to use `ssl_verify: "no"` rather than `ssl_verify: "false"`.
From the readme:
I get this error even though "ssl_verify" is false and the remote server certificate is a valid CA endorsed cert.
My oidc plugin config as yaml is below. I convert it to json before creating/updating the plugin.
I can curl to https://my-server/my-service/.well-known/openid-configuration from my Kong Kubernetes pod without needing the `--insecure` flag, and curl returns the discovery json. I'm not sure why the oidc plugin is complaining about certificates.
Any ideas?
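
An added example, not part of the original issue or the plugin's code: an audit over plugin records exported from the admin API as JSON that reports each oidc plugin's effective `ssl_verify` state. It assumes, from the behaviour reported in this thread, that only the string `"no"` turns verification off, and that the plugin's calls to the identity provider (including a `client_secret_post` token request) all follow that setting; the record ids and the function names `classify_ssl_verify` and `audit` are constructed for illustration.

```python
import json

# Constructed sample in the shape of an admin API plugin listing (ids are made up).
SAMPLE = json.dumps({"data": [
    {"id": "plugin-a", "name": "oidc", "config": {
        "ssl_verify": "false", "client_secret": "abcdefg12345678",
        "token_endpoint_auth_method": "client_secret_post"}},
    {"id": "plugin-b", "name": "oidc", "config": {
        "ssl_verify": "no", "client_secret": "abcdefg12345678",
        "token_endpoint_auth_method": "client_secret_post"}},
    {"id": "plugin-c", "name": "oidc", "config": {"ssl_verify": "yes"}},
    {"id": "plugin-d", "name": "rate-limiting", "config": {}},
]})


def classify_ssl_verify(value):
    """Map a configured ssl_verify value to its effective state.

    Assumption taken from the thread: only the literal string "no" disables
    certificate verification; "false" and other values leave it on.
    """
    if value == "no":
        return "disabled"
    if value == "yes":
        return "enabled"
    return "unrecognized"


def audit(plugins_json):
    """Return (plugin id, state, note) for every oidc plugin worth reviewing."""
    findings = []
    for plugin in json.loads(plugins_json).get("data", []):
        if plugin.get("name") != "oidc":
            continue
        cfg = plugin.get("config") or {}
        value = cfg.get("ssl_verify")
        state = classify_ssl_verify(value)
        if state == "disabled":
            note = "certificate verification is off for calls to the identity provider"
            auth = str(cfg.get("token_endpoint_auth_method") or "")
            if cfg.get("client_secret") and auth.startswith("client_secret"):
                note += "; client_secret is sent over that unverified connection"
            findings.append((plugin.get("id"), state, note))
        elif state == "unrecognized":
            note = f"ssl_verify={value!r} is neither 'yes' nor 'no'; verification stays on"
            findings.append((plugin.get("id"), state, note))
    return findings
```

Calling `audit(SAMPLE)` returns one finding for the `"false"` value and one for the `"no"` value; the `"yes"` plugin and the non-oidc plugin produce none.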