
kong-oidc's Issues

How to install kong-oidc in kong 3.xx

How can I install kong-oidc in kong 3.x.x?
This is my error:
stack traceback: [C]: in function 'error' /usr/local/share/lua/5.1/kong/tools/utils.lua:701: in function 'load_module_if_exists' /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:154: in function 'load_plugin_handler' /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:260: in function 'load_plugin' /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:312: in function 'load_plugin_schemas' /usr/local/share/lua/5.1/kong/init.lua:553: in function 'init' init_by_lua:3: in main chunk

frontchannel logout with firefox not working

Hello,

It seems frontchannel logout with Firefox doesn't remove all session info.

After the first logout from the web app, every login attempt ends up with a Kong error page.
If I remove all cookies or use a private window, then login works fine.
The Keycloak session is removed.
There is no issue with Chrome/Chromium.
I tried different versions of Firefox.
I compared cookie handling between Firefox and Chrome. I didn't notice any difference.

There is an error in kong log:
state from argument: .... does not match state restored from session
I tried hard-coding the session_secret (as advised in some lua-resty-openidc issue) but it didn't fix anything.

Did someone manage to have oidc working with Firefox?

(partial) deck yaml config:

- hosts:
    - {{myhost}}
    name: myroute
    paths:
    - /
    - /logout
    plugins:
    - config:
        access_token_as_bearer: 'yes'
        access_token_header_name: Authorization
        bearer_only: 'no'
        client_id: myclientid
        client_secret: xxxxxxxxxx
        session_secret: xxxxxxxxxxx
        discovery: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
        introspection_endpoint: https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect
        introspection_endpoint_auth_method: client_secret_post
        ssl_verify: 'no'
        realm: MY-APP
        logout_path: /logout
        revoke_tokens_on_logout: 'yes'
        redirect_after_logout_uri: https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout?post_logout_redirect_uri=https://{{myhost}}
        redirect_after_logout_with_id_token_hint: 'yes'
        response_type: code token
      name: oidc
    protocols:
    - https
    strip_path: false

keycloak client config:

{
  "clientId": "myclient",
  "name": "",
  "description": "Client used by kong plugins oidc",
  "rootUrl": "",
  "adminUrl": "",
  "baseUrl": "https://{{myhost}}",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "xxxxxxxxxxxxxxxxx",
  "redirectUris": [
    "",
    "https://{{myauthhost}}/",
    "https://{{myauthhost}}",
    "https://{{myauthhost}}/*",
    "https://{{myhost}}",
    "https://{{myhost}}/",
    "https://{{myhost}}/*"
  ],
  "webOrigins": [
    "",
    "+"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  "attributes": {
    "login_theme": "my-app",
    "frontchannel.logout.url": "https://{{myhost}}/logout",
    "post.logout.redirect.uris": "+",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "use.refresh.tokens": "false",
    "exclude.session.state.from.auth.response": "false",
    "tls-client-certificate-bound-access-tokens": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "false",
    "client_credentials.use_refresh_token": "false",
    "acr.loa.map": "{}",
    "require.pushed.authorization.requests": "false",
    "display.on.consent.screen": "false",
    "token.response.type.bearer.lower-case": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "name": "Client IP Address",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientAddress",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientAddress",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client Host",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientHost",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientHost",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientId",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientId",
        "jsonType.label": "String"
      }
    }
  ],
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "roles",
    "profile",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

Kong log for the first logout with Firefox:

2023/01/23 16:22:49 [debug] 515215#0: *13338495 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787
2023/01/23 16:22:54 [debug] 515215#0: *13338639 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /logout
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session_2
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:611: open(): cookie found
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:1421: authenticate(): Logout path (/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:54 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:54 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1234: openidc_logout(): openidc logout
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] session.lua:632: start(): session is already started
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1247: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens...
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:460: call_token_endpoint(): client_secret_post: client_id and client_secret being sent in POST body
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:508: call_token_endpoint(): request body for revocation endpoint call: token=xxx.yyy.zzz-aa-bb-cc-dd-ee&client_id=client_id&token_type_hint=access_token&client_secret=myclientsecret
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:55 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:55 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:526: call_token_endpoint(): revocation endpoint response: 
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1221: openidc_revoke_token(): revocation of access_token successful
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:640: start(): session not present
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:646: start(): session created
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /service-worker.js
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:640: start(): session not present
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:646: start(): session created
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /service-worker.js
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:611: open(): cookie found
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:57 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:57 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:59 [debug] 515215#0: *13338783 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787

kong log for logout with chromium

2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /logout
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:584: open(): session.open
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session_2
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:611: open(): cookie found
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1421: authenticate(): Logout path (/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1234: openidc_logout(): openidc logout
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:632: start(): session is already started
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1247: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens...
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:460: call_token_endpoint(): client_secret_post: client_id and client_secret being sent in POST body
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:508: call_token_endpoint(): request body for revocation endpoint call: token=xxx.yyy.zzz-aa-bb&token_type_hint=access_token&client_id={{myclient}}&client_secret={{my_client_secret}}
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:526: call_token_endpoint(): revocation endpoint response: 
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1221: openidc_revoke_token(): revocation of access_token successful
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:584: open(): session.open
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:640: start(): session not present
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:646: start(): session created
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:03:48 [debug] 515220#0: *13305529 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787

kong_log_chromium_second_login.txt
kong_log_firefox_second_login.txt

how to authenticate without redirecting to login screen?

I set up an environment with keycloak, kong and a microservice.

I'm using Insomnia to test the endpoints, and I've already configured OAuth2 and generated an Access Token and Refresh Token. I would like Kong, instead of redirecting me to the Keycloak login screen, to authorize using the Access Token I already have.

How can I do this?


Raw OIDC Plugin

{
  "route": null,
  "name": "oidc",
  "consumer": null,
  "service": {
    "id": "31a0235e-0291-4958-b827-e72566e69f27"
  },
  "tags": null,
  "id": "57240b4d-2ccb-4c28-96c1-61bfda81247f",
  "enabled": true,
  "config": {
    "skip_already_auth_requests": "no",
    "timeout": null,
    "discovery": "http://service-keycloak:8080/realms/develop/.well-known/openid-configuration",
    "bearer_jwt_auth_enable": "yes",
    "groups_claim": "groups",
    "header_names": [],
    "header_claims": [],
    "disable_userinfo_header": "no",
    "filters": null,
    "introspection_endpoint": null,
    "disable_access_token_header": "no",
    "access_token_header_name": "X-Access-Token",
    "access_token_as_bearer": "yes",
    "disable_id_token_header": "no",
    "introspection_cache_ignore": "no",
    "id_token_header_name": "X-ID-Token",
    "scope": "openid",
    "unauth_action": "auth",
    "ignore_auth_filters": null,
    "logout_path": "/logout",
    "revoke_tokens_on_logout": "no",
    "redirect_after_logout_uri": "/",
    "bearer_only": "yes",
    "post_logout_redirect_uri": null,
    "ssl_verify": "no",
    "realm": "kong",
    "validate_scope": "no",
    "redirect_uri": null,
    "redirect_after_logout_with_id_token_hint": "no",
    "session_secret": null,
    "introspection_endpoint_auth_method": null,
    "client_id": "administracao",
    "bearer_jwt_auth_signing_algs": [
      "RS256"
    ],
    "token_endpoint_auth_method": "client_secret_post",
    "bearer_jwt_auth_allowed_auds": null,
    "response_type": "code",
    "use_jwks": "no",
    "client_secret": "MZmTbQrVvOKZbE7eS2B1VnhsomekWuyZ",
    "userinfo_header_name": "X-USERINFO",
    "recovery_page_path": null
  },
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "created_at": 1666014812
}

OIDC Kong / Keycloak

I am trying to use your plugin to connect keycloak 19.0.2 with kong 3.0.0, but the introspection step seems not to be working properly, as Kong always returns the following when I try to access an API:
{
"message": "Unauthorized"
}

When I execute the request for introspection manually from Postman, it works perfectly using basic authentication (client_id and client_secret as user and password in the header, and the token in the body), so my assumption is that Keycloak expects this structure of request.

With this purpose, I have configured the OIDC plugin (using Konga by the way) defining the value of the field "token endpoint auth method" as "client_secret_basic".

After doing this, when I try to access the API, in the logs I can see the message:

2022/10/18 07:47:48 [debug] 1378#0: *190 [lua] openidc.lua:515: call_token_endpoint(): request body for introspection endpoint call: client_secret=(my client secret)&token=(my token)&client_id=(my client id)

Apparently, client_secret_basic is behaving as client_secret_post including the client_id and client_secret in the body instead of sending this info in the header as Keycloak expects.

Am I doing something wrong?
Thanks in advance for your support.
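
The debug line quoted above shows only the client_secret_post shape. The following is an added example, not kong-oidc's or lua-resty-openidc's own code, that builds the introspection request for both client authentication methods so the two can be compared on the wire: client_secret_basic carries the credentials in an Authorization header (form-encoded, then Basic, per RFC 6749 section 2.3.1), client_secret_post carries them in the form body. It is plain Lua with no OpenResty dependency; the names build_introspection_request, form_encode, urlencode and base64 are mine, and the client id, secret and token are constructed sample values.

```lua
-- Added example: request shapes for client_secret_basic vs client_secret_post.
-- Plain Lua 5.1+/LuaJIT; nothing here is project code.

local B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

-- Minimal base64 encoder (inside Kong, ngx.encode_base64 does the same job).
local function base64(s)
  local out = {}
  for i = 1, #s, 3 do
    local a, b, c = s:byte(i, i + 2)
    local n = a * 65536 + (b or 0) * 256 + (c or 0)
    local c1 = math.floor(n / 262144) % 64
    local c2 = math.floor(n / 4096) % 64
    local c3 = math.floor(n / 64) % 64
    local c4 = n % 64
    out[#out + 1] = B64:sub(c1 + 1, c1 + 1) .. B64:sub(c2 + 1, c2 + 1)
      .. (b and B64:sub(c3 + 1, c3 + 1) or "=")
      .. (c and B64:sub(c4 + 1, c4 + 1) or "=")
  end
  return table.concat(out)
end

-- Percent-encode a value for application/x-www-form-urlencoded.
local function urlencode(s)
  return (s:gsub("[^%w%-_%.~]", function(ch)
    return string.format("%%%02X", ch:byte())
  end))
end

-- Encode a table of parameters as a form body; keys sorted for readable output.
local function form_encode(params)
  local keys = {}
  for k in pairs(params) do keys[#keys + 1] = k end
  table.sort(keys)
  local parts = {}
  for _, k in ipairs(keys) do
    parts[#parts + 1] = urlencode(k) .. "=" .. urlencode(params[k])
  end
  return table.concat(parts, "&")
end

-- Build the headers and body an RP sends to the introspection endpoint.
-- Returns {headers = ..., body = ...}, or nil plus an error for unknown methods.
local function build_introspection_request(auth_method, client_id, client_secret, token)
  local params = { token = token, token_type_hint = "access_token" }
  local headers = { ["Content-Type"] = "application/x-www-form-urlencoded" }
  if auth_method == "client_secret_basic" then
    -- RFC 6749 2.3.1: form-encode id and secret, then HTTP Basic.
    headers["Authorization"] = "Basic "
      .. base64(urlencode(client_id) .. ":" .. urlencode(client_secret))
  elseif auth_method == "client_secret_post" then
    -- Credentials travel in the body, which is what the debug line above shows.
    params.client_id = client_id
    params.client_secret = client_secret
  else
    return nil, "unsupported auth method: " .. tostring(auth_method)
  end
  return { headers = headers, body = form_encode(params) }
end

-- Constructed sample credentials; none of these values is real.
for _, method in ipairs({ "client_secret_basic", "client_secret_post" }) do
  local req = assert(build_introspection_request(method, "my-client", "s3cret", "eyJ.example.token"))
  print(method)
  for k, v in pairs(req.headers) do print("  " .. k .. ": " .. v) end
  print("  body: " .. req.body)
end
```

Two things worth checking against this page when the introspection call does not follow the expected shape. First, the plugin configuration dumped earlier on this page carries a separate introspection_endpoint_auth_method field alongside token_endpoint_auth_method; the name suggests the introspection call is governed by that field rather than the token-endpoint one, so compare both when the wire format is not what you configured (this reading of the field is my assumption, not something the issue confirms). Second, both the debug line above and the logout logs earlier on this page print the client secret in the request body at debug level, so treat Kong debug logs as secret-bearing and do not leave that level enabled outside troubleshooting.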

OIDC plugin with PKCE code_challenge config?

Hello,

Does the OIDC plugin support adding a random string as a code challenge in the authorize call, for IDPs that support clients using the authorization flow with PKCE?

We are using a confidential client with a client id and client secret for the OIDC plugin; however, the client for the react app is a public client that uses PKCE. We observed that kong-oidc, during the 302 redirection, creates a location that the UI needs to invoke; however, since the code_challenge is missing from the /authorize call, the IDP will fail the request with 400 Bad Request.

Stuck in the starting of kong

Error: /usr/local/share/lua/5.1/kong/tools/utils.lua:708: error loading module 'kong.plugins.oidc.handler':
/usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:1: module 'kong.plugins.base_plugin' not found:No LuaRocks module found for kong.plugins.base_plugin

I installed the plugin via luarocks install oicd
also tried to follow this tutorial: https://dev.to/robincher/securing-your-site-via-oidc-powered-by-kong-and-keycloak-2ccc

in my kong.conf I am using plugins = bundled,oidc

How can I get this working? Is it a dependency issue?

request to the redirect_uri path but there's no session state found

Hi,

I'm using the latest Kong gateway with this plugin. I've created the service, route and plugin (I've also added an additional service and route to check that the connection without the oidc plugin is working).

My hostnames are:

http://kong-gateway/ (gateway)
http://kong-admin/ (as an admin api)
http://example-service/
http://kong-gateway/example-service redirects to example service without OIDC and
http://kong-gateway/example-oidc redirects to example service with OIDC

REDIRECT URI for oidc plugin is http://kong-gateway/example-oidc

# SERVICES
# add service with OIDC
curl --location 'http://kong-admin:8001/services' \
--form 'name="example-oidc"' \
--form 'url="http://example-service:8080"'

# add service without OIDC
curl --location 'http://kong-admin:8001/services' \
--form 'name="example-service"' \
--form 'url="http://example-service:8080"'

# ROUTES
# add route for service with OIDC
curl --location 'http://kong-admin:8001/services/example-oidc/routes' \
--form 'paths[]="/example-oidc"' \
--form 'name="example-oidc-route"'

# add route for service without OIDC
curl --location 'http://kong-admin:8001/services/example-service/routes' \
--form 'paths[]="/example-service"' \
--form 'name="example-service-route"'

# PLUGIN
curl --location 'http://kong-admin:8001/services/example-oidc/plugins' \
--form 'name="oidc"' \
--form 'config.client_id="CLIENT_ID"' \
--form 'config.client_secret="CLIENT_SECRET"' \
--form 'config.discovery="https://OPENID-SERVER/.well-known/openid-configuration"' \
--form 'config.redirect_uri="http://kong-gateway/"'

After successful redirect, I am getting:

request to the redirect_uri path but there's no session state found.

What am I missing here?

Problem in parsing claim having type of table

Hi, there seems to be some problem with the following piece of code in the utils.lua script at line 180

for i = 1, #header_names do
  local header, claim
  header = header_names[i]
  claim = header_claims[i]
  kong.service.request.clear_header(header)
  for j = 1, #sources do
    local source
    source = sources[j]
    if (source and source[claim]) then
      kong.service.request.set_header(header, source[claim])
      break
    end
  end
end

This piece of code will break if the claim's value is a table, because it expects values to be either a string or some other scalar type, and for this I think it needs error handling.
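
As an added example, not kong-oidc's own code, here is a hardened form of the loop above that normalises each claim value before it reaches set_header: strings pass through, numbers and booleans are stringified, and tables (a "groups" list, a Keycloak-style nested realm_access object) are JSON-encoded, so the plugin does not throw when the PDK is handed a table. It goes slightly beyond the reported case by also forwarding a claim whose value is the boolean false, which the original `if source[claim]` test skips. It assumes lua-cjson is available (it is bundled with OpenResty and Kong); the names claim_to_header_value and set_claim_headers are mine, the fake_request table is a constructed stand-in for kong.service.request so the block runs outside Kong, and the two claim tables are constructed sample data.

```lua
-- Added example: table-tolerant claim-to-header mapping. Not project code.
local cjson = require "cjson.safe" -- assumption: lua-cjson is installed

-- Turn a claim value into a string set_header accepts.
-- Kong's PDK accepts only string, number or boolean header values, so a
-- table must be serialised first; returns nil for values that cannot be sent.
local function claim_to_header_value(value)
  local t = type(value)
  if t == "string" then
    return value
  elseif t == "number" or t == "boolean" then
    return tostring(value)
  elseif t == "table" then
    return cjson.encode(value) -- nil on encode failure (cjson.safe)
  end
  return nil
end

-- Same shape as the utils.lua loop: clear each configured header, then fill it
-- from the first source that carries the claim. `request` is anything exposing
-- clear_header/set_header; inside Kong pass kong.service.request.
local function set_claim_headers(request, header_names, header_claims, sources)
  for i = 1, #header_names do
    local header, claim = header_names[i], header_claims[i]
    -- Clearing first matters: it drops any copy of the header the client sent,
    -- so the upstream only ever sees claims the gateway verified.
    request.clear_header(header)
    for j = 1, #sources do
      local source = sources[j]
      if source and source[claim] ~= nil then
        local value = claim_to_header_value(source[claim])
        if value then
          request.set_header(header, value)
        end
        break
      end
    end
  end
end

-- Constructed stand-in for kong.service.request so the example runs offline.
-- It enforces the same "strings only" rule the PDK does.
local headers = {}
local fake_request = {
  clear_header = function(name) headers[name] = nil end,
  set_header = function(name, value)
    assert(type(value) == "string", "set_header needs a string for " .. name)
    headers[name] = value
  end,
}

-- Constructed sample claims, shaped like an id token and a userinfo response.
local id_token = { sub = "user-123", email_verified = false, groups = { "admins", "devs" } }
local userinfo = { email = "[email protected]", realm_access = { roles = { "viewer" } } }

set_claim_headers(fake_request,
  { "X-Sub", "X-Groups", "X-Roles", "X-Email", "X-Email-Verified" },
  { "sub", "groups", "realm_access", "email", "email_verified" },
  { id_token, userinfo })

for name, value in pairs(headers) do
  print(name .. ": " .. value)
end
```

With plain Lua or LuaJIT and lua-cjson installed (`luarocks install lua-cjson`) the block prints the five headers, with X-Groups and X-Roles carrying JSON strings. Upstream services that consume these headers should parse the JSON rather than splitting on commas, since a group name may itself contain a comma.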

Connection refused when accessing discovery url

I am running revomatico/docker-kong-oidc:3.2.2-3 with keycloak using docker-compose.

I am getting this error:
openidc.lua:573: openidc_discover(): accessing discovery url (http://keycloak:8080/auth/realms/master/.well-known/openid-configuration) failed: connection refused

I have tried to curl the discovery url from the kong shell and managed to get the response from keycloak. Can I check why lua is still throwing this error?

Can this plugin be used with no `client_secret`?

Hello there,

One of the things that I noticed while configuring this plugin is the config.client_secret parameter being required.
Is there a way to make it optional to use the plugin with public clients (like a SPA) where you can't store the client_secret securely?
Perhaps it is something that I'm missing or not fully understanding.

Thanks in advance!

Strange issue when disabling cloudflare

Hi.
We are experiencing a strange issue with this plugin. As long as we have the cloudflare proxy & load-balancers enabled, things are working fine.
As soon as we disable it we cannot login anymore. We are getting a timeout from keycloak:

2022/06/21 09:46:05 [error] 1372#0: *1305092 [lua] openidc.lua:529: call_token_endpoint(): accessing token endpoint (https://auth-playground4.example.com/auth/realms/example/protocol/openid-connect/token) failed: timeout, client: 78.47.233.153, server: kong, request: "GET /cb?state=c640ddeba2f46fd1e50367c4989bbaed&session_state=1b37cad0-66c6-4336-b795-c2635eb4b5f5&code=1a3d69ef-708f-4d62-9596-7f98e0b4d4b1.1b37cad0-66c6-4336-b795-c2635eb4b5f5.417b7905-3b29-4d93-96fd-4cedfd11bdca HTTP/2.0", host: "app-playground4.example.com"

keycloak output doesn't really tell me a lot.

Any idea what might be causing this?

keycloak log:

13:37:43,077 TRACE [org.keycloak.events] (default task-3) type=CLIENT_LOGIN, realmId=example, clientId=example, userId=8e8a476e-a0d0-4865-b270-e166070a8af5, ipAddress=10.42.0.106, token_id=39982fb1-e649-4eb1-ac63-0dee6c6656a4, grant_type=client_credentials, scope='profile email', client_auth_method=client-secret, username=service-account-example, authSessionParentId=95651253-a04f-457c-a737-d9863c9fe4ec, authSessionTabId=-AjWZ1F1LVM, requestUri=https://auth-playground.example.com/auth/realms/example/protocol/openid-connect/token, stackTrace=

X-Forwarded-Proto is always http

Hello everyone!

I recently enabled a service behind kong-oidc that depends on the X-Forwarded-Proto header, but it misbehaved because it always received X-Forwarded-Proto set to http, even though the client was using HTTPS to communicate with the Kong gateway.

To overwrite the header I used a Kong Post-Function plugin. That made it work.

Do you think this is a bug?

Using the plugin behind Corporate Proxy

Hi,

I've been using the plugin on my test set-up without any issues. When trying to use it behind a corporate proxy, the discovery URL cannot be accessed and the request times out.

The proxy is set through the environment variables no_proxy, http_proxy and https_proxy. Sadly, it looks like the plugin does not use them and tries to access the discovery URL directly.

Is there a way to pass these parameters to the library the plugin uses (lua-resty-openidc - https://github.com/zmartzone/lua-resty-openidc)?

             -- proxy_opts = {
             --    http_proxy  = "http://<proxy_host>:<proxy_port>/",
             --    https_proxy = "http://<proxy_host>:<proxy_port>/"
             -- }

This has been an open PR for the official kong-oidc by Nokia (https://github.com/nokia/kong-oidc/pull/85/files); however, revomatico is not Nokia :)

If this use case currently isn't possible, please let me know if I can help with implementing it.
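One way to turn those environment variables into the `proxy_opts` table that lua-resty-openidc accepts, as an added example that is neither kong-oidc nor lua-resty-openidc code. The `getenv` function is injected so the logic runs offline; in OpenResty you would pass `os.getenv`, and note that nginx workers only see variables exported with the `env` directive (in Kong that is the `nginx_main_env` injected directive; verify this against your Kong version). The no_proxy handling is done here in the plugin rather than relying on library support for it, which is an assumption about how you would wire it.

```lua
-- Added example (not kong-oidc or lua-resty-openidc code): build opts.proxy_opts
-- from http_proxy / https_proxy / no_proxy for the IdP discovery host.

-- Split a no_proxy list ("localhost,.corp.example,10.0.0.1") into entries.
local function parse_no_proxy(value)
  local entries = {}
  for item in (value or ""):gmatch("[^,%s]+") do
    entries[#entries + 1] = item
  end
  return entries
end

-- True when `host` is covered by a no_proxy entry: "*", an exact host,
-- or a domain suffix (".corp.example" also matches "idp.corp.example").
local function bypasses_proxy(host, no_proxy_entries)
  for _, entry in ipairs(no_proxy_entries) do
    if entry == "*" or host == entry then return true end
    local suffix = entry:sub(1, 1) == "." and entry or ("." .. entry)
    if #host > #suffix and host:sub(-#suffix) == suffix then return true end
  end
  return false
end

-- Returns the proxy_opts table for the given discovery URL, or nil when the
-- IdP host must be reached directly. Each variable is checked in lower-case
-- then upper-case form.
local function proxy_opts_for(discovery_url, getenv)
  local function env(name) return getenv(name) or getenv(name:upper()) end
  local host = discovery_url:match("^https?://([^/:]+)")
  if not host or bypasses_proxy(host, parse_no_proxy(env("no_proxy"))) then
    return nil
  end
  local http_proxy, https_proxy = env("http_proxy"), env("https_proxy")
  if not http_proxy and not https_proxy then return nil end
  return { http_proxy = http_proxy, https_proxy = https_proxy }
end

-- Constructed environment standing in for the corporate proxy set-up above.
local fake_env = {
  https_proxy = "http://proxy.corp.example:3128/",
  no_proxy = "localhost,.internal.example",
}
local function fake_getenv(name) return fake_env[name] end

-- opts is the table kong-oidc hands to require("resty.openidc").authenticate()
local opts = { discovery = "https://idp.example.org/.well-known/openid-configuration" }
opts.proxy_opts = proxy_opts_for(opts.discovery, fake_getenv)
for k, v in pairs(opts.proxy_opts or {}) do print(k, v) end
-- An internal IdP listed in no_proxy gets no proxy_opts at all:
print(proxy_opts_for("https://sso.internal.example/.well-known/openid-configuration", fake_getenv))
```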

Chain 2 kong-oidc

Hello,

We are looking to use this plugin to handle our auth, but we would need to chain two instances of it in an "or" manner.
From what I understand, the partial chaining with config.skip_already_auth_requests only works with official plugins because they have a higher priority.

Is there any way to use this plugin that way without having to implement the full config.anonymous approach?
Sorry if I missed something in the documentation or in the code...

"unable to get local issuer certificate" with valid public cert on remote server and "ssl_verify" set to false

I get this error even though "ssl_verify" is false and the remote server's certificate is a valid CA-issued cert.

2023/04/21 18:53:22 [error] 1116#0: *69200 [lua] openidc.lua:573: openidc_discover(): accessing 
discovery url (https://my-server/my-service/.well-known/openid-configuration) failed: 20: 
unable to get local issuer certificate, client: 1.2.3.4, server: kong, request: 
"GET /my-other-service HTTP/1.1", host: "my-other-server"

My oidc plugin config as yaml is below. I convert it to json before creating/updating the plugin.

# required
client_id: '<redacted>'
client_secret: '<redacted>'
discovery: https://my-server/my-service/.well-known/openid-configuration

# optional 
ssl_verify: "false"
timeout: 10000
introspection_endpoint_auth_method: client_secret_post
bearer_jwt_auth_enable: "yes"
bearer_jwt_auth_allowed_auds:
  - aud
header_names:
  - permissions
header_claims:
  - claims

I can curl https://my-server/my-service/.well-known/openid-configuration from my Kong Kubernetes pod without needing the --insecure flag, and curl returns the discovery JSON.

I'm not sure why the OIDC plugin is complaining about certificates.

Any ideas?
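A check worth running on such a config before applying it, as an added example that is not code from kong-oidc or lua-resty-openidc. The plugin's boolean-like options are strings (compare the `"ssl_verify": "no"` value in the config dump in the "no X-Userinfo and X-Access-Token" issue further down this page), and lua-resty-openidc switches certificate verification off only when ssl_verify is exactly the string "no", so a value such as "false" leaves verification enabled; the flag names below are the ones visible in that config dump.

```lua
-- Added example (not kong-oidc or lua-resty-openidc code): lint the yes/no
-- string flags of a kong-oidc plugin config before it is applied.

local YES_NO_FLAGS = {
  "ssl_verify", "bearer_only", "use_jwks", "bearer_jwt_auth_enable",
  "disable_userinfo_header", "disable_access_token_header",
  "disable_id_token_header", "revoke_tokens_on_logout",
  "access_token_as_bearer", "skip_already_auth_requests",
  "introspection_cache_ignore",
}

-- Mirrors lua-resty-openidc's decision (`ssl_verify ~= "no"`): the
-- discovery and token endpoints are verified unless the value is "no".
local function tls_verification_enabled(cfg)
  return cfg.ssl_verify ~= "no"
end

-- Returns a list of problems (empty when every flag is a proper "yes"/"no").
-- Booleans and strings such as "false"/"true" are reported because YAML and
-- JSON tooling readily produces them and the plugin compares exact strings.
local function check_yes_no_flags(cfg)
  local problems = {}
  for _, name in ipairs(YES_NO_FLAGS) do
    local value = cfg[name]
    if value ~= nil and value ~= "yes" and value ~= "no" then
      problems[#problems + 1] = string.format(
        '%s = %s (%s) is not the string "yes" or "no"',
        name, tostring(value), type(value))
    end
  end
  return problems
end

-- Constructed sample, modelled on the config in the issue above.
local sample = {
  client_id = "<redacted>",
  discovery = "https://my-server/my-service/.well-known/openid-configuration",
  ssl_verify = "false",           -- not "no": verification stays on
  bearer_jwt_auth_enable = "yes", -- fine
  timeout = 10000,
}

for _, problem in ipairs(check_yes_no_flags(sample)) do
  print("config problem: " .. problem)
end
print("TLS verification enabled for discovery:", tls_verification_enabled(sample))
```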

Scope Validation is not working. Is a feature or dead code?

From what I see here in handler.lua, it's possible to pass multiple scopes to the plugin configuration and ask it to validate whether the returned token has these scopes, is that correct?

https://github.com/revomatico/kong-oidc/blob/master/kong/plugins/oidc/handler.lua#L126

But it seems that this code only supports 1 scope, not multiple scopes.

I was wondering if this is a hidden feature, or just some dead code that was left behind. I would be interested in submitting a PR if that's welcome.
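What a multi-scope check would have to do, as an added example that is not kong-oidc code: the scope claim can arrive either as the RFC 6749 space-delimited string ("openid profile email") or, from some providers, as a JSON array, and every configured scope has to be present, not just one.

```lua
-- Added example (not kong-oidc code): require every configured scope, whatever
-- form the token's scope claim takes. `required` may be a string or a table too.

local function scope_set(scopes)
  local set = {}
  if type(scopes) == "table" then
    for _, s in ipairs(scopes) do set[s] = true end
  elseif type(scopes) == "string" then
    for s in scopes:gmatch("%S+") do set[s] = true end
  end
  return set
end

-- Returns true when every required scope is granted; otherwise false plus
-- the sorted list of missing scopes for the error response or log line.
local function has_required_scopes(granted_claim, required)
  local granted = scope_set(granted_claim)
  local missing = {}
  for scope in pairs(scope_set(required)) do
    if not granted[scope] then missing[#missing + 1] = scope end
  end
  table.sort(missing)
  return #missing == 0, missing
end

-- Constructed token claims standing in for an introspection or JWT payload.
local claims = { scope = "openid profile" }
local ok, missing = has_required_scopes(claims.scope, "openid profile email")
if not ok then
  print("token rejected, missing scope(s): " .. table.concat(missing, " "))
end
-- Array form of the claim, as some providers return it.
print(has_required_scopes({ "openid", "api:read" }, "openid api:read"))
```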

no X-Userinfo and X-Access-Token

I only get the session cookie in my app; I don't get X-Userinfo and X-Access-Token.
This is the OIDC config:

{
	"next": null,
	"data": [
		{
			"id": "ebff355a-ecdc-41b3-a240-d42f08a3b6c2",
			"protocols": [
				"grpc",
				"grpcs",
				"http",
				"https"
			],
			"enabled": true,
			"config": {
				"groups_claim": "groups",
				"header_names": [],
				"header_claims": [],
				"disable_userinfo_header": "no",
				"userinfo_header_name": "X-USERINFO",
				"ssl_verify": "no",
				"revoke_tokens_on_logout": "no",
				"disable_access_token_header": "no",
				"access_token_as_bearer": "no",
				"disable_id_token_header": "no",
				"id_token_header_name": "X-ID-Token",
				"unauth_action": "auth",
				"recovery_page_path": null,
				"bearer_only": "no",
				"use_jwks": "no",
				"client_secret": "dbBPlZ2gm2oVIaZ8Gtijr9RcMY9xrDo4",
				"introspection_endpoint_auth_method": null,
				"introspection_cache_ignore": "no",
				"redirect_uri": null,
				"response_type": "code",
				"scope": "openid",
				"ignore_auth_filters": "",
				"logout_path": "/logout",
				"redirect_after_logout_uri": "https://host:8180/auth/realms/kong/protocol/openid-connect/logout?redirect_uri=https://146.59.240.225",
				"discovery": "http://host:8180/realms/kong/.well-known/openid-configuration",
				"bearer_jwt_auth_allowed_auds": null,
				"timeout": null,
				"client_id": "kong-oicd",
				"session_secret": null,
				"skip_already_auth_requests": "no",
				"bearer_jwt_auth_signing_algs": [
					"RS256"
				],
				"access_token_header_name": "X-Access-Token",
				"token_endpoint_auth_method": "client_secret_post",
				"bearer_jwt_auth_enable": "no",
				"realm": "kong",
				"filters": null,
				"introspection_endpoint": "http://host:8180/auth/realms/kong/protocol/openid-connect/token/introspect"
			},
			"tags": null,
			"created_at": 1666421915,
			"route": null,
			"consumer": null,
			"name": "oidc",
			"service": null
		}
	]
}

My goal is to get the currently logged-in user in my backend for some required logic. Does this mean that when I send a request from my app to my API, the X-Userinfo and X-Access-Token headers will be available in the request?

Using Keycloak 19.0.3.

Improve logout logic

Hi guys

First of all, thank you very much for doing such good work with this plugin 😃. I'm writing this issue here because the original repository is not supported and I'm using yours.

I created a PR to add more parameters to the schema so it will be possible to configure logout. Now there are several problems:

  1. There is no possibility to revoke access_token and id_token. It's possible with the revoke_tokens_on_logout setting (this setting exists in schema.lua but is not processed in utils.lua).
  2. No possibility to redirect to a desired page after redirecting to the logout endpoint of the OIDC provider (it's implemented in lua-resty-openidc https://github.com/zmartzone/lua-resty-openidc/blob/7d72f45117c1da472664ff9d10de573343d56d7b/lib/resty/openidc.lua#L1331). It's possible now with the post_logout_redirect_uri setting.
  3. I don't know about other providers, but Okta requires id_token_hint to be present in the logout request. It's possible with the redirect_after_logout_with_id_token_hint setting.

It would be great if you could review the changes in this PR: #16

Websocket introspect support

The WebSocket protocol does not allow adding headers like Authorization. Can we support checking for access_token in query params too? Something along the lines of:

function M.has_bearer_access_token()
  local header = ngx.req.get_headers()['Authorization']
  if header and header:find(" ") then
    local divider = header:find(' ')
    if string.lower(header:sub(1, divider - 1)) == "bearer" then
      return true
    end
  end
  -- WebSocket clients cannot set Authorization, so also accept ?access_token=
  -- and promote it to a Bearer header: "resty.openidc".introspect reads the
  -- header only and does not look at query parameters itself.
  -- Note that a token in the query string is recorded in access logs.
  local args = ngx.req.get_uri_args()
  local token = args["access_token"]
  if type(token) == "string" and token ~= "" then
    ngx.req.set_header('Authorization', "Bearer " .. token)
    return true
  end
  return false
end

bearer_jwt_auth_enable: Access token not passed upstream

Hi there! Thanks for maintaining this plugin, it helps a lot!

When the option bearer_jwt_auth_enable is used, the verified access token is not passed upstream. Is this by design?

Our use case is using a token with multiple API gateways, potentially chained, where the token is typically passed as the Authorization header. When using the bearer_jwt_auth_enable option, the token does not reach the upstream server.

See

if response then
  utils.setCredentials(response)
  utils.injectGroups(response, oidcConfig.groups_claim)
  utils.injectHeaders(oidcConfig.header_names, oidcConfig.header_claims, { response })
  if not oidcConfig.disable_userinfo_header then
    utils.injectUser(response, oidcConfig.userinfo_header_name)
  end
  return

And the other location, when the OIDC cycle is done, where the access token is set:

utils.injectAccessToken(response.access_token, oidcConfig.access_token_header_name, oidcConfig.access_token_as_bearer)

Thanks!

Update docker image

According to Kong/kong@0291c3c the constant CREDENTIAL_USERNAME was removed.

That causes an error when using the revomatico/docker-kong-oidc:latest docker image:

2022/09/29 11:48:25 [error] 1370#0: *593 [kong] init.lua:290 [oidc] /usr/local/share/lua/5.1/kong/plugins/oidc/utils.lua:122: header must be a string, client: 172.18.0.1, server: kong, request: "POST /data HTTP/1.1", host: "127.0.0.1:5100"

The repo was updated in 431df6b,
but the published version is 1.3.0-2, not 1.3.0-3.
