
kong-oidc's Introduction

What is Kong OIDC plugin


kong-oidc is a plugin for Kong implementing the OpenID Connect Relying Party (RP) functionality.

It authenticates users against an OpenID Connect Provider using OpenID Connect Discovery and the Basic Client Profile (i.e. the Authorization Code flow).

It maintains sessions for authenticated users by leveraging lua-resty-openidc, thus offering a configurable choice between storing the session state in a client-side browser cookie or using one of the server-side storage mechanisms (shared memory, memcache or redis).

Note: at the moment there is an issue when using memcached/redis, probably due to session locking: the sessions freeze. Help debugging this is appreciated. I am currently using shared memory to store sessions.

It supports server-wide caching of resolved Discovery documents and validated Access Tokens.

It can be used as a reverse proxy terminating OAuth/OpenID Connect in front of an origin server so that the origin server/services can be protected with the relevant standards without implementing those on the server itself.

The introspection functionality lets already authenticated users and/or applications that already possess an access token pass through Kong. The actual token verification is then done by the Resource Server.

How does it work

The diagram below shows the message exchange between the involved parties.

(Diagram: Kong OIDC flow)

The X-Userinfo header contains the payload from the Userinfo Endpoint:

X-Userinfo: {"preferred_username":"alice","id":"60f65308-3510-40ca-83f0-e9c0151cc680","sub":"60f65308-3510-40ca-83f0-e9c0151cc680"}

The plugin also sets the ngx.ctx.authenticated_credential variable, which can be used in other Kong plugins:

ngx.ctx.authenticated_credential = {
    id = "60f65308-3510-40ca-83f0-e9c0151cc680",   -- sub field from Userinfo
    username = "alice"                             -- preferred_username from Userinfo
}

For a successfully authenticated request, any (anonymous) consumer identity set by a higher-priority plugin is cleared as part of setting the credentials.

The plugin will try to retrieve the user's groups from a claim in the token (default: groups) and set kong.ctx.shared.authenticated_groups so that Kong authorization plugins can make decisions based on the user's group membership.

Dependencies

kong-oidc depends on the following package:

lua-resty-openidc

Installation

If you're using luarocks, execute the following:

 luarocks install kong-oidc

[Kong >= 0.14] Since KONG_CUSTOM_PLUGINS has been removed, you also need to set the KONG_PLUGINS environment variable so that it includes oidc alongside the bundled plugins:

 export KONG_PLUGINS=bundled,oidc

Usage

Parameters

| Parameter | Default | Required | Description |
|---|---|---|---|
| name | | true | plugin name, has to be oidc |
| config.client_id | | true | OIDC Client ID |
| config.client_secret | | true | OIDC Client secret |
| config.discovery | https://.well-known/openid-configuration | false | OIDC Discovery Endpoint (/.well-known/openid-configuration) |
| config.scope | openid | false | OAuth2 Token scope. To use OIDC it must contain the openid scope |
| config.ssl_verify | false | false | Enable SSL verification to OIDC Provider |
| config.session_secret | | false | Additional parameter, used to encrypt the session cookie. Needs to be random |
| config.introspection_endpoint | | false | Token introspection endpoint |
| config.timeout | | false | OIDC endpoint calls timeout |
| config.introspection_endpoint_auth_method | client_secret_basic | false | Token introspection authentication method. resty-openidc supports client_secret_basic and client_secret_post |
| config.bearer_only | no | false | Only introspect tokens without redirecting |
| config.realm | kong | false | Realm used in WWW-Authenticate response header |
| config.logout_path | /logout | false | Absolute path used to logout from the OIDC RP |
| config.unauth_action | auth | false | What action to take when unauthenticated: auth redirects to the login page and attempts (re)authentication; deny stops with 401 |
| config.recovery_page_path | | false | Path of a recovery page to redirect the user to when an error occurs (except 401). To not show any error, use '/' to redirect immediately home. The error will be logged server side. |
| config.ignore_auth_filters | | false | A comma-separated list of endpoints to bypass authentication for |
| config.redirect_uri | | false | A relative or absolute URI the OP will redirect to after successful authentication |
| config.userinfo_header_name | X-Userinfo | false | The name of the HTTP header to use when passing the UserInfo to the upstream server |
| config.id_token_header_name | X-ID-Token | false | The name of the HTTP header to use when passing the ID Token to the upstream server |
| config.access_token_header_name | X-Access-Token | false | The name of the HTTP header to use when passing the Access Token to the upstream server |
| config.access_token_as_bearer | no | false | Whether or not the access token should be passed as a Bearer token |
| config.disable_userinfo_header | no | false | Disable passing the Userinfo to the upstream server |
| config.disable_id_token_header | no | false | Disable passing the ID Token to the upstream server |
| config.disable_access_token_header | no | false | Disable passing the Access Token to the upstream server |
| config.groups_claim | groups | false | Name of the claim in the token to get groups from |
| config.skip_already_auth_requests | no | false | Ignore requests where credentials have already been set by a higher-priority plugin such as basic-auth |
| config.bearer_jwt_auth_enable | no | false | Authenticate based on the JWT (ID) token provided in the Authorization (Bearer) header. Checks iss, sub, aud, exp, iat (as in an ID token). config.discovery must be defined to discover the JWKS |
| config.bearer_jwt_auth_allowed_auds | | false | List of JWT aud values allowed when validating the JWT token in the Authorization header. If not provided, uses the value of config.client_id |
| config.bearer_jwt_auth_signing_algs | [ 'RS256' ] | false | List of allowed signing algorithms for Authorization header JWT token validation. Must match the OIDC provider and the algorithms resty-openidc supports |
| config.header_names | | false | List of custom upstream HTTP headers to be added based on claims. Must have the same number of elements as config.header_claims. Example: [ 'x-oidc-email', 'x-oidc-email-verified' ] |
| config.header_claims | | false | List of claims to be used as source for custom upstream headers. Claims are sourced from Userinfo, ID Token, Bearer JWT or Introspection, depending on the auth method. Use only claims containing simple string values. Example: [ 'email', 'email_verified' ] |
| config.http_proxy | | false | http proxy url |
| config.https_proxy | | false | https proxy url (only supports the url format http://proxy, not https://proxy) |
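The claim checks that the bearer-JWT parameters above describe (iss, sub, aud with the client_id fallback from config.bearer_jwt_auth_allowed_auds, exp, iat, the config.bearer_jwt_auth_signing_algs allow-list and the mandatory openid scope from config.scope), written out as an added Python example. This is not kong-oidc's own code: the function names, the sample issuer and the unsigned sample tokens are constructed for illustration, and signature verification against the provider's JWKS (which the plugin delegates to lua-resty-openidc) is not shown.

```python
"""Relying-party claim checks on a bearer JWT (added example, not kong-oidc code)."""
import base64
import json
import time

ISSUER = "https://op.example.test/auth/realms/example"  # constructed sample issuer
NOW = 1_700_000_000                                     # fixed clock for reproducible checks


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def split_jwt(token: str):
    """Return (header, claims) from a compact JWT; the signature is not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def validate_bearer_jwt(token, issuer, client_id, allowed_auds=None,
                        signing_algs=("RS256",), required_scopes=("openid",), now=None):
    """Return a list of problems; an empty list means every claim check passed.

    Defaults mirror the README: with no allowed_auds the client_id is the only
    accepted audience, and RS256 is the only accepted signing algorithm.
    """
    now = int(time.time()) if now is None else now
    problems = []
    header, claims = split_jwt(token)

    # Algorithm allow-list: rejects 'none' and anything the provider did not agree on.
    if header.get("alg") not in signing_algs:
        problems.append(f"alg {header.get('alg')!r} not in allowed list")

    if claims.get("iss") != issuer:
        problems.append("iss does not match the discovered issuer")
    if not claims.get("sub"):
        problems.append("sub missing")

    # aud may be a string or an array; at least one value must be on the allow-list.
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    if not set(allowed_auds or [client_id]).intersection(auds):
        problems.append("aud contains no allowed audience")

    # Time checks: exp and iat are required; nbf is honoured when present and non-zero.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now:
        problems.append("iat missing or in the future")
    if claims.get("nbf", 0) and claims["nbf"] > now:
        problems.append("token not yet valid (nbf)")

    # scope is a space-separated string; every required scope must be granted.
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))

    return problems


def make_unsigned_token(header, claims) -> str:
    # Constructed sample only: an empty signature segment so the claim logic can run offline.
    return b64url_encode(json.dumps(header).encode()) + "." + \
        b64url_encode(json.dumps(claims).encode()) + "."


GOOD_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": ISSUER, "sub": "alice", "aud": ["kong-oidc", "account"],
     "exp": NOW + 300, "iat": NOW - 10, "scope": "openid profile email"})

BAD_TOKEN = make_unsigned_token(
    {"alg": "none"},
    {"iss": ISSUER, "sub": "alice", "aud": "other-app", "exp": NOW - 1, "iat": NOW - 600})

if __name__ == "__main__":
    print("good:", validate_bearer_jwt(GOOD_TOKEN, ISSUER, "kong-oidc", now=NOW))
    print("bad: ", validate_bearer_jwt(BAD_TOKEN, ISSUER, "kong-oidc", now=NOW))
```

The bad sample fails four ways at once (alg none, wrong audience, expired, no openid scope), which is what you want a gateway to report in its error log rather than a bare 401. Passing allowed_auds=["account"] shows the README's override: a token whose aud list does not contain the client_id is still accepted when it carries an explicitly allowed audience.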

Enabling kong-oidc

To enable the plugin only for one API:

POST /apis/<api_id>/plugins/ HTTP/1.1
Host: localhost:8001
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

name=oidc&config.client_id=kong-oidc&config.client_secret=29d98bf7-168c-4874-b8e9-9ba5e7382fa0&config.discovery=https%3A%2F%2F<oidc_provider>%2F.well-known%2Fopenid-configuration

To enable the plugin globally:

POST /plugins HTTP/1.1
Host: localhost:8001
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

name=oidc&config.client_id=kong-oidc&config.client_secret=29d98bf7-168c-4874-b8e9-9ba5e7382fa0&config.discovery=https%3A%2F%2F<oidc_provider>%2F.well-known%2Fopenid-configuration

A successful response:

HTTP/1.1 201 Created
Date: Tue, 24 Oct 2017 19:37:38 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.11.0

{
    "created_at": 1508871239797,
    "config": {
        "response_type": "code",
        "client_id": "kong-oidc",
        "discovery": "https://<oidc_provider>/.well-known/openid-configuration",
        "scope": "openid",
        "ssl_verify": "no",
        "client_secret": "29d98bf7-168c-4874-b8e9-9ba5e7382fa0",
        "token_endpoint_auth_method": "client_secret_post"
    },
    "id": "58cc119b-e5d0-4908-8929-7d6ed73cb7de",
    "enabled": true,
    "name": "oidc",
    "api_id": "32625081-c712-4c46-b16a-5d6d9081f85f"
}

Upstream API request

For a successfully authenticated request, the plugin sets the upstream header X-Credential-Identifier to the sub claim from the user info, ID token or introspection result. The X-Anonymous-Consumer header is cleared.

The plugin also adds X-Userinfo, X-Access-Token and X-Id-Token headers to the upstream request, which can be consumed by the upstream server. All of them are base64 encoded:

GET / HTTP/1.1
Host: netcat:9000
Connection: keep-alive
X-Forwarded-For: 172.19.0.1
X-Forwarded-Proto: http
X-Forwarded-Host: localhost
X-Forwarded-Port: 8000
X-Real-IP: 172.19.0.1
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: session=KOn1am4mhQLKazlCA.....
X-Userinfo: eyJnaXZlbl9uYW1lIjoixITEmMWaw5PFgcW7xbnEhiIsInN1YiI6ImM4NThiYzAxLTBiM2ItNDQzNy1hMGVlLWE1ZTY0ODkwMDE5ZCIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwibmFtZSI6IsSExJjFmsOTxYHFu8W5xIYiLCJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOiJjODU4YmMwMS0wYjNiLTQ0MzctYTBlZS1hNWU2NDg5MDAxOWQifQ==
X-Access-Token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGenFSY0N1Ry13dzlrQUJBVng1ZG9sT2ZwTFhBNWZiRGFlVDRiemtnSzZRIn0.eyJqdGkiOiIxYjhmYzlkMC1jMjlmLTQwY2ItYWM4OC1kNzMyY2FkODcxY2IiLCJleHAiOjE1NDg1MTA4MjksIm5iZiI6MCwiaWF0IjoxNTQ4NTEwNzY5LCJpc3MiOiJodHRwOi8vMTkyLjE2OC4wLjk6ODA4MC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOlsibWFzdGVyLXJlYWxtIiwiYWNjb3VudCJdLCJzdWIiOiJhNmE3OGQ5MS01NDk0LTRjZTMtOTU1NS04NzhhMTg1Y2E0YjkiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJrb25nIiwibm9uY2UiOiJmNGRkNDU2YzBjZTY4ZmFmYWJmNGY4ZDA3YjQ0YWE4NiIsImF1dGhfdGltZSI6…IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.GWuguFjSEDGxw_vbD04UMKxtai15BE2lwBO0YkSzp-NKZ2SxAzl0nyhZxpP0VTzk712nQ8f_If5-mQBf_rqEVnOraDmX5NOXP0B8AoaS1jsdq4EomrhZGqlWmuaV71Cnqrw66iaouBR_6Q0s8bgc1FpCPyACM4VWs57CBdTrAZ2iv8dau5ODkbEvSgIgoLgBbUvjRKz1H0KyeBcXlVSgHJ_2zB9q2HvidBsQEIwTP8sWc6er-5AltLbV8ceBg5OaZ4xHoramMoz2xW-ttjIujS382QQn3iekNByb62O2cssTP3UYC747ehXReCrNZmDA6ecdnv8vOfIem3xNEnEmQw
X-Id-Token: (value elided)
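How an upstream service consumes the headers shown above (and the Userinfo payload described in the "How does it work" section): an added Python example, not code from kong-oidc or its README. It base64-decodes X-Userinfo, reads the sub claim out of the X-Access-Token payload, and cross-checks both against X-Credential-Identifier before trusting the identity. The sample headers are constructed (reusing the sub value from the README's Userinfo example) and the function names are this example's own; no signature is verified here, because the upstream relies on Kong having done that.

```python
"""Consuming kong-oidc's upstream identity headers (added example, not plugin code)."""
import base64
import json

SUBJECT = "60f65308-3510-40ca-83f0-e9c0151cc680"  # sub value reused from the README sample


def _b64_decode_any(value: str) -> bytes:
    """Decode standard or URL-safe base64, tolerating missing padding."""
    value = value.replace("-", "+").replace("_", "/")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def parse_userinfo_header(headers: dict) -> dict:
    """X-Userinfo carries the base64-encoded Userinfo JSON; return it as a dict."""
    raw = headers.get("X-Userinfo")
    if raw is None:
        raise KeyError("X-Userinfo header missing")
    return json.loads(_b64_decode_any(raw))


def jwt_payload(token: str) -> dict:
    """Return the claims segment of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64_decode_any(parts[1]))


def gateway_identity(headers: dict) -> dict:
    """Derive the authenticated identity from the headers kong-oidc injects.

    The Userinfo sub and the access token sub must agree, and when
    X-Credential-Identifier is present it must carry the same value;
    anything else means the headers were not produced together by the gateway.
    """
    userinfo = parse_userinfo_header(headers)
    access = jwt_payload(headers["X-Access-Token"])
    sub = userinfo.get("sub")
    if not sub or access.get("sub") != sub:
        raise PermissionError("Userinfo and access token disagree on the subject")
    cred_id = headers.get("X-Credential-Identifier")
    if cred_id is not None and cred_id != sub:
        raise PermissionError("X-Credential-Identifier does not match the Userinfo subject")
    return {
        "sub": sub,
        "username": userinfo.get("preferred_username"),
        "scope": access.get("scope", "").split(),
    }


def is_consistent(headers: dict) -> bool:
    """True when the identity headers are present and agree with each other."""
    try:
        gateway_identity(headers)
        return True
    except (PermissionError, KeyError, ValueError):
        return False


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample of the headers kong-oidc adds; the access token is unsigned
# here because this side never checks the signature.
SAMPLE_HEADERS = {
    "X-Userinfo": base64.b64encode(
        json.dumps({"preferred_username": "alice", "sub": SUBJECT}).encode()).decode(),
    "X-Access-Token": _b64url({"alg": "RS256"}) + "."
                      + _b64url({"sub": SUBJECT, "scope": "openid profile"}) + ".",
    "X-Credential-Identifier": SUBJECT,
}

if __name__ == "__main__":
    print(gateway_identity(SAMPLE_HEADERS))
```

The cross-check costs nothing and catches a proxy misconfiguration that forwards one header from the client while the gateway sets the others. It only helps if the upstream is reachable solely through Kong; a service that also listens on a path that bypasses the gateway would accept these headers from anyone.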

Standard OpenID Connect Scopes and Claims

The OpenID Connect Core 1.0 profile specifies the following standard scopes and claims:

Scope Claim(s)
openid sub. In an ID Token, iss, aud, exp, iat will also be provided.
profile Typically claims like name, family_name, given_name, middle_name, preferred_username, nickname, picture and updated_at
email email and email_verified (boolean) indicating if the email address has been verified by the user

Note that the openid scope is a mandatory designator scope.

Description of the standard claims

Claim Type Description
iss URI The Uniform Resource Identifier uniquely identifying the OpenID Connect Provider (OP)
aud string / array The intended audiences. For ID tokens, the audience is one or more clients. For Access tokens, the audience is typically one or more Resource Servers
nbf integer Not before timestamp in Unix Epoch time*. May be omitted or set to 0 to indicate that the audience can disregard the claim
exp integer Expires timestamp in Unix Epoch time*
name string Preferred display name. Ex. John Doe
family_name string Last name. Ex. Doe
given_name string First name. Ex. John
middle_name string Middle name. Ex. Donald
nickname string Nick name. Ex. Johnny
preferred_username string Preferred user name. Ex. johndoe
picture base64 A Base-64 encoded picture (typically PNG or JPEG) of the subject
updated_at integer A timestamp in Unix Epoch time*

* (Seconds since January 1st 1970).

Passing the Access token as a normal Bearer token

To pass the access token to the upstream server as a normal Bearer token, configure the plugin as follows:

Key Value
config.access_token_header_name Authorization
config.access_token_as_bearer yes

Development

Running Unit Tests

To run unit tests, run the following command:

./bin/run-unit-tests.sh

This may take a while for the first run, as the docker image will need to be built, but subsequent runs will be quick.

Building the Integration Test Environment

To build the integration environment (Kong with the oidc plugin enabled, and Keycloak as the OIDC Provider), you will first need to find your computer's IP, and assign that to the environment variable IP. Finally, you will run the ./bin/build-env.sh command. Here's an example:

export IP=192.168.0.1
./bin/build-env.sh

To tear the environment down:

./bin/teardown-env.sh


kong-oidc's Issues

Strange issue when disabling cloudflare

Hi.
We are experiencing a strange issue with this plugin. As long as we have enabled cloudflare proxy & load-balancers things are working fine.
As soon as we disable it we cannot login anymore. We are getting a timeout from keycloak:

2022/06/21 09:46:05 [error] 1372#0: *1305092 [lua] openidc.lua:529: call_token_endpoint(): accessing token endpoint (https://auth-playground4.example.com/auth/realms/example/protocol/openid-connect/token) failed: timeout, client: 78.47.233.153, server: kong, request: "GET /cb?state=c640ddeba2f46fd1e50367c4989bbaed&session_state=1b37cad0-66c6-4336-b795-c2635eb4b5f5&code=1a3d69ef-708f-4d62-9596-7f98e0b4d4b1.1b37cad0-66c6-4336-b795-c2635eb4b5f5.417b7905-3b29-4d93-96fd-4cedfd11bdca HTTP/2.0", host: "app-playground4.example.com"

keycloak output doesn't really tell me a lot.

Any idea what might be causing this?

keycloak log:

[0m13:37:43,077 TRACE [org.keycloak.events] (default task-3) type=CLIENT_LOGIN, realmId=example, clientId=example, userId=8e8a476e-a0d0-4865-b270-e166070a8af5, ipAddress=10.42.0.106, token_id=39982fb1-e649-4eb1-ac63-0dee6c6656a4, grant_type=client_credentials, scope='profile email', client_auth_method=client-secret, username=service-account-example, authSessionParentId=95651253-a04f-457c-a737-d9863c9fe4ec, authSessionTabId=-AjWZ1F1LVM, requestUri=https://auth-playground.example.com/auth/realms/example/protocol/openid-connect/token, stackTrace=
    [email protected]//org.keycloak.events.log.JBossLoggingEventListenerProvider.logEvent(JBossLoggingEventListenerProvider.java:114)
    [email protected]//org.keycloak.events.EventListenerTransaction.commitImpl(EventListenerTransaction.java:62)
    [email protected]//org.keycloak.models.AbstractKeycloakTransaction.commit(AbstractKeycloakTransaction.java:48)
    [email protected]//org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:146)
    [email protected]//org.keycloak.services.filters.AbstractRequestFilter.close(AbstractRequestFilter.java:64)
    [email protected]//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:49)
    [email protected]//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
    [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    [email protected]//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
    [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
    [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    [email protected]//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    [email protected]//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    [email protected]//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
    [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
    [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
    [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
    [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
    [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    [email protected]//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
    [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
    [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
    [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
    [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
    [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)

Improve logout logic

Hi guys

First of all, thank you very much for doing such a good work with this plugin 😃 . I write this issue here, because the original repository is not supported and I'm using yours.

I created a PR to add more parameters to the schema so it will be possible to configure logout. Now there are several problems:

  1. There is no possibility to revoke access_token and id_token. It's possible with the revoke_tokens_on_logout setting (this setting exists in schema.lua, but is not processed in utils.lua).
  2. No possibility to redirect to the desired page after redirecting to the logout endpoint of the OIDC provider (it's implemented in lua-resty-openidc https://github.com/zmartzone/lua-resty-openidc/blob/7d72f45117c1da472664ff9d10de573343d56d7b/lib/resty/openidc.lua#L1331). It's possible now with the post_logout_redirect_uri setting.
  3. Don't know about other providers, but Okta requires id_token_hint to be present in the logout request. It's possible with the redirect_after_logout_with_id_token_hint setting.

It would be great if you could review the changes in this PR #16

Stuck in the starting of kong

Error: /usr/local/share/lua/5.1/kong/tools/utils.lua:708: error loading module 'kong.plugins.oidc.handler':
/usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:1: module 'kong.plugins.base_plugin' not found:No LuaRocks module found for kong.plugins.base_plugin

I installed the plugin via luarocks install oicd
also tried to follow this tutorial: https://dev.to/robincher/securing-your-site-via-oidc-powered-by-kong-and-keycloak-2ccc

in my kong.conf I am using plugins = bundled,oidc

How can I get this working? Is it a dependency issue?

Can this plugin be used with no `client_secret`?

Hello there,

One of the things that I noticed while configuring this plugin is that the config.client_secret parameter is required.
Is there a way to make it optional, to use the plugin with public clients (like a SPA) where you can't store the client_secret securely?
Perhaps it's something that I'm missing or not fully understanding.

Thanks in advance!

bearer_jwt_auth_enable: Access token not passed upstream

Hi there! Thanks for maintaining this plugin, it helps a lot!

When the option bearer_jwt_auth_enable is used the verified access token is not passed upstream. Is this by design?

Our use case is using a token with multiple API gateways potentially being chained where the token typically is passed as Authorization header. When using the bearer_jwt_auth_enable option the token does not reach the upstream server.

See

if response then
    utils.setCredentials(response)
    utils.injectGroups(response, oidcConfig.groups_claim)
    utils.injectHeaders(oidcConfig.header_names, oidcConfig.header_claims, { response })
    if not oidcConfig.disable_userinfo_header then
        utils.injectUser(response, oidcConfig.userinfo_header_name)
    end
    return
end

And the other location when the oidc cycle is being done where the access token is set

utils.injectAccessToken(response.access_token, oidcConfig.access_token_header_name, oidcConfig.access_token_as_bearer)

Thanks!

Chain 2 kong-oidc

Hello,

We are looking to use this plugin to handle our auth but we would need to chain 2 instances of it in an "or" manner.
From what I understand, the partial chaining with config.skip_already_auth_requests only works with official plugins because they have a higher priority.

Is there any way to use this plugin that way without having to implement the full config.anonymous approach?
Sorry if I missed something in the documentation or in the code...

request to the redirect_uri path but there's no session state found

Hi,

I'm using latest Kong gateway with this plugin. I've created the service, route and plugin (I've also added the additional service and route to check if the connection without oidc plugin is working).

My hostnames are:

http://kong-gateway/ (gateway)
http://kong-admin/ (as an admin api)
http://example-service/
http://kong-gateway/example-service redirects to example service without OIDC and
http://kong-gateway/example-oidc redirects to example service with OIDC

REDIRECT URI for oidc plugin is http://kong-gateway/example-oidc

# SERVICES
# add service with OIDC
curl --location 'http://kong-admin:8001/services' \
--form 'name="example-oidc"' \
--form 'url="http://example-service:8080"'

# add service without OIDC
curl --location 'http://kong-admin:8001/services' \
--form 'name="example-service"' \
--form 'url="http://example-service:8080"'

# ROUTES
# add route for service with OIDC
curl --location 'http://kong-admin:8001/services/example-oidc/routes' \
--form 'paths[]="/example-oidc"' \
--form 'name="example-oidc-route"'

# add route for service without OIDC
curl --location 'http://kong-admin:8001/services/example-service/routes' \
--form 'paths[]="/example-service"' \
--form 'name="example-service-route"'

# PLUGIN
curl --location 'http://kong-admin:8001/services/example-oidc/plugins' \
--form 'name="oidc"' \
--form 'config.client_id="CLIENT_ID"' \
--form 'config.client_secret="CLIENT_SECRET"' \
--form 'config.discovery="https://OPENID-SERVER/.well-known/openid-configuration"' \
--form 'config.redirect_uri="http://kong-gateway/"'

After successful redirect, I am getting:

request to the redirect_uri path but there's no session state found.

What am I missing here?

how to authenticate without redirecting to login screen?

I set up an environment with keycloak, kong and a microservice.

I'm using Insomnia to test the endpoints; I've already configured OAuth2 and generated an Access Token and Refresh Token. I would like Kong, instead of redirecting me to the Keycloak login screen, to use the Access Token to authorize.

How can I do this?


Raw OIDC Plugin

{
  "route": null,
  "name": "oidc",
  "consumer": null,
  "service": {
    "id": "31a0235e-0291-4958-b827-e72566e69f27"
  },
  "tags": null,
  "id": "57240b4d-2ccb-4c28-96c1-61bfda81247f",
  "enabled": true,
  "config": {
    "skip_already_auth_requests": "no",
    "timeout": null,
    "discovery": "http://service-keycloak:8080/realms/develop/.well-known/openid-configuration",
    "bearer_jwt_auth_enable": "yes",
    "groups_claim": "groups",
    "header_names": [],
    "header_claims": [],
    "disable_userinfo_header": "no",
    "filters": null,
    "introspection_endpoint": null,
    "disable_access_token_header": "no",
    "access_token_header_name": "X-Access-Token",
    "access_token_as_bearer": "yes",
    "disable_id_token_header": "no",
    "introspection_cache_ignore": "no",
    "id_token_header_name": "X-ID-Token",
    "scope": "openid",
    "unauth_action": "auth",
    "ignore_auth_filters": null,
    "logout_path": "/logout",
    "revoke_tokens_on_logout": "no",
    "redirect_after_logout_uri": "/",
    "bearer_only": "yes",
    "post_logout_redirect_uri": null,
    "ssl_verify": "no",
    "realm": "kong",
    "validate_scope": "no",
    "redirect_uri": null,
    "redirect_after_logout_with_id_token_hint": "no",
    "session_secret": null,
    "introspection_endpoint_auth_method": null,
    "client_id": "administracao",
    "bearer_jwt_auth_signing_algs": [
      "RS256"
    ],
    "token_endpoint_auth_method": "client_secret_post",
    "bearer_jwt_auth_allowed_auds": null,
    "response_type": "code",
    "use_jwks": "no",
    "client_secret": "MZmTbQrVvOKZbE7eS2B1VnhsomekWuyZ",
    "userinfo_header_name": "X-USERINFO",
    "recovery_page_path": null
  },
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "created_at": 1666014812
}

OIDC Kong / Keycloak

I am trying to use your plugin to connect keycloak 19.0.2 with kong 3.0.0, but the introspection step seems not to be working properly as Kong always returns when I try to access to an API:
{
"message": "Unauthorized"
}

When I execute the request for introspection manually from Postman, it works perfectly using basic authentication (client_id and client_secret as user and password in the header, and the token in the body), so my assumption is that Keycloak expects this structure of request.

With this purpose, I have configured the OIDC plugin (using Konga by the way) defining the value of the field "token endpoint auth method" as "client_secret_basic".

After doing this, when I try to access the API, in the logs I can see the message:

2022/10/18 07:47:48 [debug] 1378#0: *190 [lua] openidc.lua:515: call_token_endpoint(): request body for introspection endpoint call: client_secret=(my client secret)&token=(my token)&client_id=(my client id)

Apparently, client_secret_basic is behaving as client_secret_post including the client_id and client_secret in the body instead of sending this info in the header as Keycloak expects.

Am I doing something wrong?
Thanks in advance for your support.

Scope Validation is not working. Is a feature or dead code?

From what I see here in handler.lua, it's possible to pass multiple scopes to the plugin configuration and ask it to validate that the returned token has these scopes, is that correct?

https://github.com/revomatico/kong-oidc/blob/master/kong/plugins/oidc/handler.lua#L126

But it seems that this code only supports 1 scope, not multiple scopes.

I was wondering if this is a hidden feature, or just some dead code that was left behind. I would be interested in submitting a PR if that's welcome.

no X-Userinfo and X-Access-Token

I only get the session cookie in my app; I don't get X-Userinfo and X-Access-Token.
This is the OIDC config:

{
	"next": null,
	"data": [
		{
			"id": "ebff355a-ecdc-41b3-a240-d42f08a3b6c2",
			"protocols": [
				"grpc",
				"grpcs",
				"http",
				"https"
			],
			"enabled": true,
			"config": {
				"groups_claim": "groups",
				"header_names": [],
				"header_claims": [],
				"disable_userinfo_header": "no",
				"userinfo_header_name": "X-USERINFO",
				"ssl_verify": "no",
				"revoke_tokens_on_logout": "no",
				"disable_access_token_header": "no",
				"access_token_as_bearer": "no",
				"disable_id_token_header": "no",
				"id_token_header_name": "X-ID-Token",
				"unauth_action": "auth",
				"recovery_page_path": null,
				"bearer_only": "no",
				"use_jwks": "no",
				"client_secret": "dbBPlZ2gm2oVIaZ8Gtijr9RcMY9xrDo4",
				"introspection_endpoint_auth_method": null,
				"introspection_cache_ignore": "no",
				"redirect_uri": null,
				"response_type": "code",
				"scope": "openid",
				"ignore_auth_filters": "",
				"logout_path": "/logout",
				"redirect_after_logout_uri": "https://host:8180/auth/realms/kong/protocol/openid-connect/logout?redirect_uri=https://146.59.240.225",
				"discovery": "http://host:8180/realms/kong/.well-known/openid-configuration",
				"bearer_jwt_auth_allowed_auds": null,
				"timeout": null,
				"client_id": "kong-oicd",
				"session_secret": null,
				"skip_already_auth_requests": "no",
				"bearer_jwt_auth_signing_algs": [
					"RS256"
				],
				"access_token_header_name": "X-Access-Token",
				"token_endpoint_auth_method": "client_secret_post",
				"bearer_jwt_auth_enable": "no",
				"realm": "kong",
				"filters": null,
				"introspection_endpoint": "http://host:8180/auth/realms/kong/protocol/openid-connect/token/introspect"
			},
			"tags": null,
			"created_at": 1666421915,
			"route": null,
			"consumer": null,
			"name": "oidc",
			"service": null
		}
	]
}

My goal is to get the currently logged-in user in my backend for some required logic. Does this mean that when I send a request from my app to my API, the X-Userinfo and X-Access-Token headers will be available in the request?

Using Keycloak 19.0.3.

OIDC plugin with PKCE code_challenge config?

Hello,

Does the OIDC plugin support adding a random string as a code challenge in the authorize call, for an IDP that supports clients using the authorization flow with PKCE?

We are using a confidential client with a client id and client secret for the OIDC plugin; however, the client for the React app is a public client that uses PKCE. We observed that kong-oidc, during the 302 redirection, creates a location that the UI needs to invoke; however, since the code_challenge is missing from the /authorize call, the IDP fails the request with 400 Bad Request.
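
What the relying party has to do for PKCE (RFC 7636), as an added Python example that is not kong-oidc code: generate a fresh code_verifier per authorization request, put only its S256 code_challenge into the /authorize redirect, and reveal the verifier later in the token-endpoint request, where the authorization server recomputes and compares the challenge. The endpoint, client id and redirect URI values are constructed.

```python
"""Added example (not kong-oidc's code): PKCE (RFC 7636) on the relying-party
side, plus the check the authorization server performs at the token endpoint."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 Appendix A requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes -> 43 unreserved characters, the RFC minimum length."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256 = base64url(SHA-256(verifier)); 'plain' is allowed but not recommended."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """The authorization server's check when the code is exchanged for tokens."""
    return secrets.compare_digest(make_code_challenge(verifier, method), challenge)


def build_authorize_url(authorization_endpoint, client_id, redirect_uri, state, verifier,
                        scope="openid"):
    """Authorization request with the PKCE parameters added; the verifier itself
    must stay in the relying party's session and never appear here."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urlencode(query)


def build_token_request_body(code, redirect_uri, client_id, verifier):
    """Token-endpoint form body: this is the only place the verifier is sent."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    })


if __name__ == "__main__":
    # constructed endpoint and client values, not a real deployment
    v = make_code_verifier()
    url = build_authorize_url("https://idp.example/auth", "react-app",
                              "https://app.example/cb", "st4te", v)
    print(url)
    print(verify_code_challenge(v, make_code_challenge(v)))
```

The verifier must be bound to the same server-side session that holds the `state` value, so that the token request for a given code can only be completed by the party that started that particular authorization request.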

frontchannel logout with firefox not working

Hello,

It seems frontchannel logout with firefox doesn't remove all session info.

After the first logout from the web app, every login attempt ends up with a kong error page.
If I remove all cookies or use a private window then login works fine.
The keycloak session is removed.
There is no issue with chrome/chromium.
I tried different versions of firefox.
I compared cookies handling between firefox and chrome. I didn't notice any difference.

There is an error in kong log:
state from argument: .... does not match state restored from session
I tried hard-coding the session_secret (as advised in some lua-resty-openidc issue) but it didn't fix anything.

Did anyone manage to get oidc working with firefox?

(partial) deck yaml config:

  - hosts:
    - {{myhost}}
    name: myroute
    paths:
    - /
    - /logout
    plugins:
    - config:
        access_token_as_bearer: 'yes'
        access_token_header_name: Authorization
        bearer_only: 'no'
        client_id: myclientid
        client_secret: xxxxxxxxxx
        session_secret: xxxxxxxxxxx
        discovery: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
        introspection_endpoint: https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect
        introspection_endpoint_auth_method: client_secret_post
        ssl_verify: 'no'
        realm: MY-APP
        logout_path: /logout
        revoke_tokens_on_logout: 'yes'
        redirect_after_logout_uri: https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout?post_logout_redirect_uri=https://{{myhost}}
        redirect_after_logout_with_id_token_hint: 'yes'
        response_type: code token
      name: oidc
    protocols:
    - https
    strip_path: false

keycloak client config:

{
  "clientId": "myclient",
  "name": "",
  "description": "Client used by kong plugins oidc",
  "rootUrl": "",
  "adminUrl": "",
  "baseUrl": "https://{{myhost}}",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "xxxxxxxxxxxxxxxxx",
  "redirectUris": [
    "",
    "https://{{myauthhost}}/",
    "https://{{myauthhost}}",
    "https://{{myauthhost}}/*",
    "https://{{myhost}}",
    "https://{{myhost}}/",
    "https://{{myhost}}/*"
  ],
  "webOrigins": [
    "",
    "+"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  "attributes": {
    "login_theme": "my-app",
    "frontchannel.logout.url": "https://{{myhost}}/logout",
    "post.logout.redirect.uris": "+",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "use.refresh.tokens": "false",
    "exclude.session.state.from.auth.response": "false",
    "tls-client-certificate-bound-access-tokens": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "false",
    "client_credentials.use_refresh_token": "false",
    "acr.loa.map": "{}",
    "require.pushed.authorization.requests": "false",
    "display.on.consent.screen": "false",
    "token.response.type.bearer.lower-case": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "name": "Client IP Address",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientAddress",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientAddress",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client Host",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientHost",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientHost",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientId",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientId",
        "jsonType.label": "String"
      }
    }
  ],
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "roles",
    "profile",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

kong log for first logout with firefox

2023/01/23 16:22:49 [debug] 515215#0: *13338495 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787
2023/01/23 16:22:54 [debug] 515215#0: *13338639 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /logout
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session_2
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:611: open(): cookie found
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:1421: authenticate(): Logout path (/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:54 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:54 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1234: openidc_logout(): openidc logout
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] session.lua:632: start(): session is already started
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1247: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens...
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:460: call_token_endpoint(): client_secret_post: client_id and client_secret being sent in POST body
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:508: call_token_endpoint(): request body for revocation endpoint call: token=xxx.yyy.zzz-aa-bb-cc-dd-ee&client_id=client_id&token_type_hint=access_token&client_secret=myclientsecret
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:55 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:55 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:526: call_token_endpoint(): revocation endpoint response: 
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1221: openidc_revoke_token(): revocation of access_token successful
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:640: start(): session not present
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:646: start(): session created
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /service-worker.js
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:640: start(): session not present
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:646: start(): session created
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /service-worker.js
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:611: open(): cookie found
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:57 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:57 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:59 [debug] 515215#0: *13338783 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787

Kong log for logout with Chromium:

2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /logout
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:584: open(): session.open
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session_2
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:611: open(): cookie found
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1421: authenticate(): Logout path (/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1234: openidc_logout(): openidc logout
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:632: start(): session is already started
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1247: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens...
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:460: call_token_endpoint(): client_secret_post: client_id and client_secret being sent in POST body
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:508: call_token_endpoint(): request body for revocation endpoint call: token=xxx.yyy.zzz-aa-bb&token_type_hint=access_token&client_id={{myclient}}&client_secret={{my_client_secret}}
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:526: call_token_endpoint(): revocation endpoint response: 
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1221: openidc_revoke_token(): revocation of access_token successful
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:584: open(): session.open
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:640: start(): session not present
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:646: start(): session created
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:03:48 [debug] 515220#0: *13305529 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787

kong_log_chromium_second_login.txt
kong_log_firefox_second_login.txt

Problem in parsing claim having type of table

Hi, there seems to be a problem with the following piece of code in the utils.lua script, at line 180:

for i = 1, #header_names do
  local header, claim
  header = header_names[i]
  claim = header_claims[i]
  -- drop any client-supplied copy of the header before (maybe) setting it
  kong.service.request.clear_header(header)
  for j = 1, #sources do
    local source
    source = sources[j]
    if (source and source[claim]) then
      -- breaks when source[claim] is a table rather than a simple value
      kong.service.request.set_header(header, source[claim])
      break
    end
  end
end

This piece of code will break if the claim's value is a table, because it expects the value to be a string or some other simple type; I think it needs error handling.
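An added example, not the plugin's own code and not part of the issue above, of the same claim-to-header mapping made safe for table-valued claims (for instance Keycloak's `realm_access` with its `roles` array). It takes the same `header_names`, `header_claims` and `sources` tables as the snippet above and assumes the Kong PDK (`kong.service.request`, `kong.log`) and OpenResty's `cjson.safe`. Kong's PDK accepts a flat array of strings as a multi-valued header but not a nested table, so the example JSON-encodes every table uniformly and strips CR/LF from the result, since a claim the identity provider controls must never be able to terminate a header line.

```lua
-- Added example (not kong-oidc's code): claim-to-header mapping that
-- tolerates table-valued claims. Assumes the Kong PDK and cjson.safe.
local cjson = require("cjson.safe")

local M = {}

-- Render a claim value as a single header line. Strings pass through,
-- numbers and booleans are stringified, tables are JSON-encoded so the
-- upstream receives a parseable value instead of Kong raising a runtime
-- error from set_header(). CR/LF are replaced so an IdP-controlled claim
-- cannot inject extra header lines.
function M.claim_to_header_value(value)
  local t = type(value)
  local out
  if t == "string" then
    out = value
  elseif t == "number" or t == "boolean" then
    out = tostring(value)
  elseif t == "table" then
    local encoded, err = cjson.encode(value)
    if not encoded then
      return nil, "cannot encode claim: " .. tostring(err)
    end
    out = encoded
  else
    return nil, "unsupported claim type: " .. t
  end
  return (out:gsub("[\r\n]", " "))
end

-- header_names[i] receives the claim header_claims[i], taken from the first
-- source (userinfo, id_token payload, ...) that carries it. The header is
-- cleared first so a client cannot smuggle its own value when the claim is
-- absent from every source.
function M.set_claim_headers(header_names, header_claims, sources)
  for i = 1, #header_names do
    local header, claim = header_names[i], header_claims[i]
    kong.service.request.clear_header(header)
    for _, source in ipairs(sources) do
      if type(source) == "table" and source[claim] ~= nil then
        local value, err = M.claim_to_header_value(source[claim])
        if value then
          kong.service.request.set_header(header, value)
        else
          kong.log.warn("skipping header ", header, ": ", err)
        end
        break
      end
    end
  end
end

return M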

How to install kong-oidc in kong 3.xx

How can I install kong-oidc in Kong 3.x.x? This is my error:

stack traceback:
  [C]: in function 'error'
  /usr/local/share/lua/5.1/kong/tools/utils.lua:701: in function 'load_module_if_exists'
  /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:154: in function 'load_plugin_handler'
  /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:260: in function 'load_plugin'
  /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:312: in function 'load_plugin_schemas'
  /usr/local/share/lua/5.1/kong/init.lua:553: in function 'init'
  init_by_lua:3: in main chunk

Update docker image

According to Kong/kong@0291c3c, the constant CREDENTIAL_USERNAME was removed.

That causes an error while using the revomatico/docker-kong-oidc:latest docker image:

2022/09/29 11:48:25 [error] 1370#0: *593 [kong] init.lua:290 [oidc] /usr/local/share/lua/5.1/kong/plugins/oidc/utils.lua:122: header must be a string, client: 172.18.0.1, server: kong, request: "POST /data HTTP/1.1", host: "127.0.0.1:5100"

The repo was updated in 431df6b, but the published version is 1.3.0-2, not 1.3.0-3.

Websocket introspect support

The WebSocket protocol does not allow adding headers like Authorization. Can we support checking for access_token in query params as well? Something along the lines below:

function M.has_bearer_access_token()
  local header = ngx.req.get_headers()['Authorization']
  if header and header:find(" ") then
    local divider = header:find(' ')
    if string.lower(header:sub(1, divider-1)) == string.lower("Bearer") then
      return true
    end
  end
  -- fall back to ?access_token=... for clients that cannot set headers
  local args = ngx.req.get_uri_args()
  for key, val in pairs(args) do
    if key == "access_token" and type(val) == "string" then
      local token = "Bearer " .. val
      -- copy it into the header: "resty.openidc".introspect only reads the
      -- Authorization header and does not look at query params either
      ngx.req.set_header('Authorization', token)
      return true
    end
  end
  return false
end
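An added example, not the plugin's code and not part of the request above, of the same lookup with the guard a reviewer would ask for: a token in the URL ends up in access logs, proxy logs and Referer headers (RFC 6750 discourages the query-parameter form for exactly that reason), so the example only honours `?access_token=` on requests that are actually WebSocket upgrades, rejects a repeated parameter instead of guessing, and removes the parameter before the request is proxied so the upstream never sees the raw token in the URL. It assumes the OpenResty `ngx` API, which Kong plugins have available.

```lua
-- Added example (not kong-oidc's code): bearer-token lookup that accepts
-- ?access_token= only on WebSocket upgrade requests. Assumes the ngx API.
local M = {}

-- RFC 6455 handshake: Upgrade: websocket plus a Connection header that
-- lists "upgrade". get_headers() returns a table for repeated headers,
-- which is treated as "not an upgrade" rather than inspected.
local function is_websocket_upgrade(headers)
  local upgrade = headers["Upgrade"]
  local connection = headers["Connection"]
  if type(upgrade) ~= "string" or type(connection) ~= "string" then
    return false
  end
  return upgrade:lower() == "websocket"
     and connection:lower():find("upgrade", 1, true) ~= nil
end

-- Returns true when a bearer token is present in the Authorization header
-- after this call, which is the only place resty.openidc's introspect()
-- looks for it.
function M.has_bearer_access_token()
  local headers = ngx.req.get_headers()
  local auth = headers["Authorization"]
  if type(auth) == "string" then
    local scheme = auth:match("^(%S+)%s")
    if scheme and scheme:lower() == "bearer" then
      return true
    end
    return false   -- a non-bearer Authorization header is left alone
  end

  -- the URL form is tolerated only where a browser cannot set headers
  if not is_websocket_upgrade(headers) then
    return false
  end

  local args = ngx.req.get_uri_args()
  local token = args["access_token"]
  -- a repeated parameter comes back as a table; reject it instead of
  -- picking one copy
  if type(token) ~= "string" or token == "" then
    return false
  end

  ngx.req.set_header("Authorization", "Bearer " .. token)
  args["access_token"] = nil
  ngx.req.set_uri_args(args)   -- do not forward the token in the URL
  return true
end

return M
```

Removing the parameter changes what the upstream receives, not what nginx already logged for `$request_uri`; if the URL form is enabled, the access-log format for that route should be reviewed as well.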

"unable to get local issuer certificate" with valid public cert on remote server and "ssl_verify" set to false

I get this error even though "ssl_verify" is false and the remote server's certificate is a valid CA-endorsed cert.

2023/04/21 18:53:22 [error] 1116#0: *69200 [lua] openidc.lua:573: openidc_discover(): accessing discovery url (https://my-server/my-service/.well-known/openid-configuration) failed: 20: unable to get local issuer certificate, client: 1.2.3.4, server: kong, request: "GET /my-other-service HTTP/1.1", host: "my-other-server"

My oidc plugin config as yaml is below. I convert it to json before creating/updating the plugin.

# required
client_id: '<redacted>'
client_secret: '<redacted>'
discovery: https://my-server/my-service/.well-known/openid-configuration

# optional 
ssl_verify: "false"
timeout: 10000
introspection_endpoint_auth_method: client_secret_post
bearer_jwt_auth_enable: "yes"
bearer_jwt_auth_allowed_auds:
  - aud
header_names:
  - permissions
header_claims:
  - claims

I can curl https://my-server/my-service/.well-known/openid-configuration from my Kong Kubernetes pod without needing the --insecure flag, and curl returns the discovery JSON.

I'm not sure why the oidc plugin is complaining about certificates.

Any ideas?
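An added note and config example, not part of the issue above: kong-oidc's `ssl_verify` option is a string that it hands straight to lua-resty-openidc, and lua-resty-openidc only switches verification off when that string is exactly "no" (it evaluates `ssl_verify ~= "no"`). A value of "false" therefore keeps verification on, and error 20 means the Lua HTTP client inside Kong has no trust store that contains the issuer of my-server's certificate; curl succeeds because it uses the OS bundle. The three fragments below, using the host names from the post, contrast the setting as posted, the value that actually disables checking, and the preferable fix of keeping verification on and configuring Kong's trust store.

```yaml
# as posted: "false" is not "no", so lua-resty-openidc still verifies the
# IdP certificate and fails when Kong has no trust store for the issuer
client_id: '<redacted>'
client_secret: '<redacted>'
discovery: https://my-server/my-service/.well-known/openid-configuration
ssl_verify: "false"
---
# the only value that disables verification. Test setups only: anyone who
# can intercept traffic between Kong and my-server can then impersonate the
# IdP and feed Kong forged discovery data (including a jwks_uri) and tokens
client_id: '<redacted>'
client_secret: '<redacted>'
discovery: https://my-server/my-service/.well-known/openid-configuration
ssl_verify: "no"
---
# preferred: keep verification on and point Kong's Lua TLS client at a bundle
# containing my-server's issuer. That is Kong configuration, not plugin
# configuration, e.g. in kong.conf
#   lua_ssl_trusted_certificate = /etc/ssl/certs/ca-certificates.crt
# or as the environment variable KONG_LUA_SSL_TRUSTED_CERTIFICATE
# (recent Kong releases also accept the value "system" for the OS bundle)
client_id: '<redacted>'
client_secret: '<redacted>'
discovery: https://my-server/my-service/.well-known/openid-configuration
ssl_verify: "yes"
```

If the issuer is an intermediate CA, also check `lua_ssl_verify_depth` in Kong's configuration; its default of 1 is too small for a chain with intermediates.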

Using the plugin behind Corporate Proxy

Hi,

I've been using the plugin on my test set-up without any issues. When trying to use it behind a corporate proxy, the discovery URL cannot be accessed and the request times out.

The proxy is set through the env variables no_proxy, http_proxy and https_proxy. Sadly, it looks like the plugin does not use them and tries to access the discovery URL directly.

Is there a way to pass these params to the library the plugin uses (lua-resty-openidc, https://github.com/zmartzone/lua-resty-openidc)?

             -- proxy_opts = {
             --    http_proxy  = "http://<proxy_host>:<proxy_port>/",
             --    https_proxy = "http://<proxy_host>:<proxy_port>/"
             -- }

This has been an open PR for the official kong-oidc by Nokia (https://github.com/nokia/kong-oidc/pull/85/files); however, revomatico is not nokia :)

If this use case currently isn't possible, please let me know if I can help implement it.
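An added example, not the plugin's or lua-resty-openidc's code and not part of the issue above, of how such support could be wired: lua-resty-openidc never reads http_proxy/https_proxy from the environment, it only proxies when the `opts` table passed to `authenticate()` carries a `proxy_opts` table, which it forwards to lua-resty-http's `set_proxy_options()` (the "don't use http proxy" debug line in the logs earlier on this page is that check failing). The helper below builds that table from the environment and merges it into the plugin's `opts`; `with_proxy` and `proxy_opts_from_env` are hypothetical names. One caveat is built in: nginx clears the inherited environment, so `os.getenv` returns nil unless the variables are exported with nginx's `env` directive.

```lua
-- Added example (not kong-oidc's code): build lua-resty-http proxy options
-- from the environment and attach them as opts.proxy_opts for
-- resty.openidc.authenticate(). Requires nginx `env` directives for the
-- variables, otherwise os.getenv() sees nothing.
local M = {}

local function getenv_either(lower, upper)
  return os.getenv(lower) or os.getenv(upper)
end

-- Returns a proxy_opts table, or nil when no proxy is configured.
-- no_proxy is passed through so internal hosts (an IdP on the LAN, Kong's
-- own upstreams) are not routed through the corporate proxy, and so a
-- proxy operator does not get to see those exchanges.
function M.proxy_opts_from_env()
  local http_proxy  = getenv_either("http_proxy",  "HTTP_PROXY")
  local https_proxy = getenv_either("https_proxy", "HTTPS_PROXY")
  local no_proxy    = getenv_either("no_proxy",    "NO_PROXY")
  if not http_proxy and not https_proxy then
    return nil
  end
  return {
    http_proxy  = http_proxy,
    https_proxy = https_proxy,
    no_proxy    = no_proxy,
  }
end

-- Merge into the options kong-oidc builds from the plugin configuration
-- before they are handed to resty.openidc.authenticate(opts).
function M.with_proxy(opts)
  local proxy_opts = M.proxy_opts_from_env()
  if proxy_opts then
    opts.proxy_opts = proxy_opts
  end
  return opts
end

return M
```

Proxy URLs that embed credentials are secrets; if they come from the environment they should be treated like client_secret and kept out of debug logs.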

X-Forwarded-Proto is always http

Hello everyone!

I recently enabled a service behind kong-oidc that depends on the X-Forwarded-Proto header, but it misbehaved since it was always receiving X-Forwarded-Proto set to http even though the client was using HTTPS to communicate with the Kong gateway.

To overwrite the header I used a Kong Post-Function plugin. That made it work.

Do you think this is a bug?

Connection refused when accessing discovery url

I am running revomatico/docker-kong-oidc:3.2.2-3 with Keycloak using docker-compose.

I am getting this error:
openidc.lua:573: openidc_discover(): accessing discovery url (http://keycloak:8080/auth/realms/master/.well-known/openid-configuration) failed: connection refused

I have tried to curl the discovery URL from the Kong shell and got the response from Keycloak. Can I check why Lua is still throwing this error?
