Keycloak Openid Connect with kong-oidc plugin

Hi
I’m having problems configuring authentication with Keycloak.
I’ve made a setup that works with Okta, but when I switch to Keycloak it fails.
I’ve compared the logs: in the case of a successful authentication with Okta there are some extra steps that happen after the Authorization Code flow finishes and redirects to the original URI.

From the Keycloak log it looks like the access handler of the oidc plugin doesn’t get executed; what would be the reason for this?

Okta configuration

{
    "data": [
        {
            "config": {
                "bearer_only": "no",
                "client_id": "xxxxxxxxx",
                "client_secret": "xxxxxxxxxxxxxxxxxx",
                "discovery": "https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration",
                "logout_path": "/logout",
                "realm": "kong",
                "redirect_after_logout_uri": "/",
                "response_type": "code",
                "scope": "openid",
                "session_secret": "0oaez9z9tu95rEI5d356",
                "ssl_verify": "no",
                "token_endpoint_auth_method": "client_secret_post"
            },
            "created_at": 1558042384000,
            "enabled": true,
            "id": "f709d1cc-2f51-4c5a-adf1-5137a1bda70a",
            "name": "oidc",
            "route_id": "84dd2622-db06-428a-a100-7e5d48638122"
        }
    ],
    "total": 1
}

Keycloak configuration

{
    "data": [
        {
            "config": {
                "bearer_only": "no",
                "client_id": "console",
                "client_secret": "bf16df7a-c44e-4c5b-86d3-410b357fcf7e",
                "discovery": "https://auth.server.tk/auth/realms/kapua/.well-known/openid-configuration",
                "logout_path": "/logout",
                "realm": "kapua",
                "redirect_after_logout_uri": "/",
                "response_type": "code",
                "scope": "openid",
                "session_secret": "zA7_VEz2SWQ5VwPYuqrgRjIupKkAeYqxL3QYZfbE",
                "ssl_verify": "no",
                "token_endpoint_auth_method": "client_secret_post"
            },
            "created_at": 1558040826000,
            "enabled": true,
            "id": "4d46f4ad-039d-4200-a495-1ef22e5a9f57",
            "name": "oidc",
            "route_id": "84dd2622-db06-428a-a100-7e5d48638122"
        }
    ],
    "total": 1
}

Kong log (Okta)

2019/05/17 14:29:10 [debug] 31#0: *539 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:29:10 [debug] 31#0: *539 [lua] http.lua:633: send_request(): 
GET /oauth2/default/v1/userinfo HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Authorization: Bearer eyJraWQiOiI0SmJJZ3prMHRpbnZYakIyYWhHYjZqei16MUlnZ2NiN282VVl3VkxJMnlZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkRRZDA4aUJfc2EwRG5adHlYNU15N2lKejZwQWo0eDFuTlNYSmlTVm9pQzAiLCJpc3MiOiJodHRwczovL2Rldi04OTA2NDUub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTU4MTAzMzQ5LCJleHAiOjE1NTgxMDY5NDksImNpZCI6IjBvYWV6OXo5dHU5NXJFSTVkMzU2IiwidWlkIjoiMDB1ZHF3azc2dnpUSDhHZU4zNTYiLCJzY3AiOlsib3BlbmlkIl0sInN1YiI6Im1pcmtvdEBtaXJrb3QuY29tIn0.RRm_ERwe-90p33D2sYdm-Jh7mvF3UpmKRonCh_o-ZP6RBe2knNap5sw-t8Az28rZR-V8FKvK6LiidAy27CNB32E1OMaOiNTmOupbZvC0Fr7yBhPDT6qHfBwuYxfpr08gqimVzTanb9xfv10B2Us4Ca5aw28tkzGRdOBeTTQktvqVELvNdv17FhUtpJ5tqHXvwuWRQ3htaUMHFn701_tcZIFmppgNq_3XS5AI_GGZHmDJOmsFO_NKedxA-KImZ2RDZ5y_Vw0i88k8sin87OybPqcCbL_MdDbAROup2KEvpf8rDgLtjDrLz1zj-8mqhTJEodYKbvwFtxOuiXu4jTSitw
Host: dev-890645.okta.com


2019/05/17 14:29:11 [debug] 31#0: *539 [lua] openidc.lua:439: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"00udqwk76vzTH8GeN356","user.fullName":"mirko mirko","user.email":"mirkot@mirkot.com"}
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] openidc.lua:978: authenticate(): OIDC Authorization Code Flow completed -> Redirecting to original URL (/api/management/v1/useradm/auth/ssologin)
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] handler.lua:46: make_oidc(): OidcHandler calling authenticate, requested path: /api/management/v1/useradm/auth/ssologin
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:467: openidc_discover(): openidc_discover: URL is: https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:473: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] http.lua:633: send_request(): 
GET /oauth2/default/.well-known/openid-configuration HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Host: dev-890645.okta.com


2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:485: openidc_discover(): response data: {"issuer":"https://dev-890645.okta.com/oauth2/default","authorization_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/authorize","token_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/token","userinfo_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/userinfo","registration_endpoint":"https://dev-890645.okta.com/oauth2/v1/clients","jwks_uri":"https://dev-890645.okta.com/oauth2/default/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","profile","email","address","phone","offline_access"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/logout","request_paramete
r_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]}
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 1 => client_secret_basic
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 2 => client_secret_post
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1038: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1066: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1203: authenticate(): session.present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1244: authenticate(): id_token={"ver":1,"user.fullName":"mirko mirko","iat":1558103349,"iss":"https:\/\/dev-890645.okta.com\/oauth2\/default","aud":"0oaez9z9tu95rEI5d356","idp":"00odqmy78hrj72VvL356","amr":["pwd"],"user.email":"mirkot@mirkot.com","exp":1558106949,"sub":"00udqwk76vzTH8GeN356","jti":"ID.xeeZplWT0xBO8E5W6QEiIb0e-FMb0lMXj7oeNg326U8","auth_time":1558103346,"nonce":"0e25d502f0d4ff42e9ba96af807e68a1","at_hash":"O_APuNM4_LQzOsPyJHizfQ"}
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] handler.lua:25: OidcHandler done
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] init.lua:411: balancer(): setting address (try 1): 10.126.22.36:8080
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:29:14 [debug] 30#0: *618 [lua] cluster_events.lua:222: [cluster_events] polling events f

Kong log (Keycloak)

2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:425: openidc_call_userinfo_endpoint(): authorization header 'Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFWFRpeVBIWXRaRnV0N1JwOWJLZTl0R2ktSnFXMF9MR1hUR2ctZURDR2o0In0.eyJqdGkiOiIxYzZhYmMzNy00NmUwLTQyNzYtOWIwNC04Nzc3ZmI1ZjAwMzgiLCJleHAiOjE1NTgxMDMyNzUsIm5iZiI6MCwiaWF0IjoxNTU4MTAyOTc1LCJpc3MiOiJodHRwOi8vYXV0aC5zb2xpZHNlbnNlLnRrOjkwODAvYXV0aC9yZWFsbXMva2FwdWEiLCJhdWQiOiJjb25zb2xlIiwic3ViIjoiZWJjMTQ5NmQtNWZhNi00MTk4LTk5ZGYtMzBjNzI5NjM0ZThjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY29uc29sZSIsIm5vbmNlIjoiZTM1ZjUxMWYyMTQ5ODE0Y2ViNDI3MTI3Mjc5MjZiMjIiLCJhdXRoX3RpbWUiOjE1NTgxMDI5NzUsInNlc3Npb25fc3RhdGUiOiI1MWYxYTQyZi0xYTE2LTQ2YTgtYmFlMS01OGI0MjgwMjgxOTMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9wb3J0YWwuc29saWRzZW5zZS50ayIsImh0dHA6Ly9rYXB1YS5zb2xpZHNlbnNlLnRrIiwiaHR0cDovL3VpLm1lbmRlci5jb20iLCJodHRwOi8vbWVuZGVyLnNvbGlkc2Vuc2UudGsiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6IkRyYXNrbyBEcmFza292aWMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkcmFza28iLCJnaXZlbl9uYW1lIjoiRHJhc2tvIiwiZmFtaWx5X25hbWUiOiJEcmFza292aWMiLCJlbWFpbCI6ImRyYXNrb0BtYWluZmx1eC5jb20ifQ.TpMzGDny3LwsKlAVVQx215JQY3TPA1QswEMTM4VuE2PX83tsvmynQcXYW9UV2OxZErBouWIxXaySIrysU3FbAFHDIETHmYniFEHzeHvaLcy6vK6wxQQXEuEmm5x-WUpojAU_69FX_YaKB2_wIzZm0CpdoN-yAUjUfz1fHpaW31Y65RLtZ6GwdffWSO4eh9_nh8PdzqvX1H4_l0AiUhJoAm0LA3yf5PZPKrwyuZmCfGxLolbEiJvZ1-OvjDFyKNLntZRQOrkOKoM5UNg2cz87rak-GTCfvsi1DHk2KFHnyVOhvlsMygYrn8OhW77DJRRKMpCiUf4iOXCD8SZcNQKEnA'
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] http.lua:633: send_request(): 
GET /auth/realms/kapua/protocol/openid-connect/userinfo HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFWFRpeVBIWXRaRnV0N1JwOWJLZTl0R2ktSnFXMF9MR1hUR2ctZURDR2o0In0.eyJqdGkiOiIxYzZhYmMzNy00NmUwLTQyNzYtOWIwNC04Nzc3ZmI1ZjAwMzgiLCJleHAiOjE1NTgxMDMyNzUsIm5iZiI6MCwiaWF0IjoxNTU4MTAyOTc1LCJpc3MiOiJodHRwOi8vYXV0aC5zb2xpZHNlbnNlLnRrOjkwODAvYXV0aC9yZWFsbXMva2FwdWEiLCJhdWQiOiJjb25zb2xlIiwic3ViIjoiZWJjMTQ5NmQtNWZhNi00MTk4LTk5ZGYtMzBjNzI5NjM0ZThjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY29uc29sZSIsIm5vbmNlIjoiZTM1ZjUxMWYyMTQ5ODE0Y2ViNDI3MTI3Mjc5MjZiMjIiLCJhdXRoX3RpbWUiOjE1NTgxMDI5NzUsInNlc3Npb25fc3RhdGUiOiI1MWYxYTQyZi0xYTE2LTQ2YTgtYmFlMS01OGI0MjgwMjgxOTMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9wb3J0YWwuc29saWRzZW5zZS50ayIsImh0dHA6Ly9rYXB1YS5zb2xpZHNlbnNlLnRrIiwiaHR0cDovL3VpLm1lbmRlci5jb20iLCJodHRwOi8vbWVuZGVyLnNvbGlkc2Vuc2UudGsiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6IkRyYXNrbyBEcmFza292aWMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkcmFza28iLCJnaXZlbl9uYW1lIjoiRHJhc2tvIiwiZmFtaWx5X25hbWUiOiJEcmFza292aWMiLCJlbWFpbCI6ImRyYXNrb0BtYWluZmx1eC5jb20ifQ.TpMzGDny3LwsKlAVVQx215JQY3TPA1QswEMTM4VuE2PX83tsvmynQcXYW9UV2OxZErBouWIxXaySIrysU3FbAFHDIETHmYniFEHzeHvaLcy6vK6wxQQXEuEmm5x-WUpojAU_69FX_YaKB2_wIzZm0CpdoN-yAUjUfz1fHpaW31Y65RLtZ6GwdffWSO4eh9_nh8PdzqvX1H4_l0AiUhJoAm0LA3yf5PZPKrwyuZmCfGxLolbEiJvZ1-OvjDFyKNLntZRQOrkOKoM5UNg2cz87rak-GTCfvsi1DHk2KFHnyVOhvlsMygYrn8OhW77DJRRKMpCiUf4iOXCD8SZcNQKEnA
Host: auth.server.tk:9080


2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:439: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"ebc1496d-5fa6-4198-99df-30c729634e8c","namexxxxxxxxxxxxxxxxxxxxxxxxx}
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:978: authenticate(): OIDC Authorization Code Flow completed -> Redirecting to original URL (/api/management/v1/useradm/auth/ssologin)
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:22:56 [debug] 26#0: *1629 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102976.755
2019/05/17 14:23:01 [debug] 31#0: *1678 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102981.756
2019/05/17 14:23:06 [debug] 33#0: *1724 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102986.756

This is resolved by increasing the proxy buffer sizes in the configuration of the nginx instance that sits in front of the Kong server: that nginx was rejecting Kong’s redirect response because of an oversized upstream response header, so the follow-up request to the original URI never reached the plugin’s access handler.

The problem was:

019/05/20 08:24:47 [debug] 2719#2719: *23 http proxy header: "Connection: close"
2019/05/20 08:24:47 [error] 2719#2719: *23 upstream sent too big header while reading response header from upstream, client: 127.0.0.1, server: ui.mender.com, request: "GET /api/management/v1/useradm/auth/ssologin/?state=35cba490b014c7e3a7e47f018c7d7cea&session_state=eff639c5-e8ba-40bc-8233-586c75c9d86e&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ant4aB9f8lCzE3_Eep6xkg.q6DftLsfXY8ISWLUVKNAMkWW-EWn4d6bWQHblsohLxJPtumRGW0hqaw-wP5lU0ztAJo1rBJXSipF2h3ViaE-UEBEnk0ubxm0jmdduB8lOVCHnHy-gPT0o1UHU-znDRcCnVwBWDhc-I2rk0Oo0_ZWmJi405bqq-XC_EEWqhj6OmRENODFVQwo19GHMO7DKoSXZbsW9EY88dB3kAxtGNC6DBZM54GLLgjijQ_vhndN-Hgrci71ORfImodQp1LWZrRB.ni0y9i0nh8IeUaHECf9KUA HTTP/1.1", upstream: "http://127.0.0.1:8000/api/management/v1/useradm/auth/ssologin/?state=35cba490b014c7e3a7e47f018c7d7cea&session_state=eff639c5-e8ba-40bc-8233-586c75c9d86e&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ant4aB9f8lCzE3_Eep6xkg.q6DftLsfXY8ISWLUVKNAMkWW-EWn4d6bWQHblsohLxJPtumRGW0hqaw-wP5lU0ztAJo1rBJXSipF2h3ViaE-UEBEnk0ubxm0jmdduB8lOVCHnHy-gPT0o1UHU-znDRcCnVwBWDhc-I2rk0Oo0_ZWmJi405bqq-XC_EEWqhj6OmRENODFVQwo19GHMO7DKoSXZbsW9EY88dB3kAxtGNC6DBZM54GLLgjijQ_vhndN-Hgrci71ORfImodQp1LWZrRB.ni0y9i0nh8IeUaHECf9KUA", host: "ui.mender.com", referrer: "http://auth.solidsense.tk:9080/auth/realms/kapua/protocol/openid-connect/auth?response_type=code&client_id=console&state=35cba490b014c7e3a7e47f018c7d7cea&redirect_uri=http%3A%2F%2Fui.mender.com%2Fapi%2Fmanagement%2Fv1%2Fuseradm%2Fauth%2Fssologin%2F&nonce=2dbc200bd280f1944526779970c930d4&scope=openid"
2019/05/20 08:24:47 [debug] 2719#2719: *23 http next upstream, 8

Resolved with:

        # Front nginx: proxies every request to the Kong listener on localhost:8000.
        location / {
             # Pass the external host, client address and scheme through so Kong
             # (and, presumably, the oidc plugin's computed redirect_uri — confirm)
             # sees the original request rather than the loopback hop.
             proxy_set_header Host $host;
             proxy_set_header                X-Real-IP       $remote_addr;
             proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header                X-Forwarded-Proto $scheme;
             # NOTE(review): wildcard CORS on a route that authenticates with a session
             # cookie. Browsers refuse '*' for credentialed (cookie) requests, and these
             # headers make the API callable from any origin — confirm this is intended
             # and restrict to known origins if not. Note also that add_header is only
             # applied to 2xx/3xx responses unless the 'always' parameter is given.
             add_header Access-Control-Allow-Origin '*';
             add_header Access-Control-Allow-Methods '*';
             add_header Access-Control-Allow-Headers '*';
             # Request headers, including Cookie, are forwarded by default; this line
             # only makes that explicit.
             proxy_set_header   Cookie $http_cookie; 
             proxy_pass http://localhost:8000;

             # Fix for "upstream sent too big header while reading response header from
             # upstream": the response Kong returns after the authorization-code callback
             # carries response headers larger than the default proxy_buffer_size (one
             # memory page, 4k/8k), so nginx dropped it before the browser could follow
             # the redirect. Presumably the oidc session cookie is what makes the header
             # block large — TODO confirm by inspecting the Set-Cookie size.
             proxy_buffer_size          128k; 
             proxy_buffers              4 256k; 
             proxy_busy_buffers_size    256k; 
       }
