Hi
I’m having problems configuring authentication with Keycloak.
I’ve made a setup that works with Okta, but when I switch the same setup to Keycloak it fails.
I’ve compared the logs: in the case of a successful authentication with Okta there are some extra steps that happen after the Authorization Code Flow finishes and redirects to the original URI (a second request arrives and the plugin's `access` phase runs again with `session.present=true`).
From the Keycloak log it looks like the `access` handler of the OIDC plugin doesn't get executed on that follow-up request at all — what would be the reason for this?
Okta config (note: the configs below were pasted with unmasked `session_secret` values and the Keycloak `client_secret`, and the logs below contain complete bearer access tokens — treat all of these as compromised and rotate them; also, both configs set `ssl_verify: "no"`, which disables TLS certificate verification against the identity provider and should not be left on outside a lab)
{
"data": [
{
"config": {
"bearer_only": "no",
"client_id": "xxxxxxxxx",
"client_secret": "xxxxxxxxxxxxxxxxxx",
"discovery": "https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration",
"logout_path": "/logout",
"realm": "kong",
"redirect_after_logout_uri": "/",
"response_type": "code",
"scope": "openid",
"session_secret": "0oaez9z9tu95rEI5d356",
"ssl_verify": "no",
"token_endpoint_auth_method": "client_secret_post"
},
"created_at": 1558042384000,
"enabled": true,
"id": "f709d1cc-2f51-4c5a-adf1-5137a1bda70a",
"name": "oidc",
"route_id": "84dd2622-db06-428a-a100-7e5d48638122"
}
],
"total": 1
}
Keycloak config
{
"data": [
{
"config": {
"bearer_only": "no",
"client_id": "console",
"client_secret": "bf16df7a-c44e-4c5b-86d3-410b357fcf7e",
"discovery": "https://auth.server.tk/auth/realms/kapua/.well-known/openid-configuration",
"logout_path": "/logout",
"realm": "kapua",
"redirect_after_logout_uri": "/",
"response_type": "code",
"scope": "openid",
"session_secret": "zA7_VEz2SWQ5VwPYuqrgRjIupKkAeYqxL3QYZfbE",
"ssl_verify": "no",
"token_endpoint_auth_method": "client_secret_post"
},
"created_at": 1558040826000,
"enabled": true,
"id": "4d46f4ad-039d-4200-a495-1ef22e5a9f57",
"name": "oidc",
"route_id": "84dd2622-db06-428a-a100-7e5d48638122"
}
],
"total": 1
}
Kong log — Okta (successful flow; note the second request `*583` where the `access` phase runs with an existing session)
2019/05/17 14:29:10 [debug] 31#0: *539 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:29:10 [debug] 31#0: *539 [lua] http.lua:633: send_request():
GET /oauth2/default/v1/userinfo HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Authorization: Bearer eyJraWQiOiI0SmJJZ3prMHRpbnZYakIyYWhHYjZqei16MUlnZ2NiN282VVl3VkxJMnlZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkRRZDA4aUJfc2EwRG5adHlYNU15N2lKejZwQWo0eDFuTlNYSmlTVm9pQzAiLCJpc3MiOiJodHRwczovL2Rldi04OTA2NDUub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTU4MTAzMzQ5LCJleHAiOjE1NTgxMDY5NDksImNpZCI6IjBvYWV6OXo5dHU5NXJFSTVkMzU2IiwidWlkIjoiMDB1ZHF3azc2dnpUSDhHZU4zNTYiLCJzY3AiOlsib3BlbmlkIl0sInN1YiI6Im1pcmtvdEBtaXJrb3QuY29tIn0.RRm_ERwe-90p33D2sYdm-Jh7mvF3UpmKRonCh_o-ZP6RBe2knNap5sw-t8Az28rZR-V8FKvK6LiidAy27CNB32E1OMaOiNTmOupbZvC0Fr7yBhPDT6qHfBwuYxfpr08gqimVzTanb9xfv10B2Us4Ca5aw28tkzGRdOBeTTQktvqVELvNdv17FhUtpJ5tqHXvwuWRQ3htaUMHFn701_tcZIFmppgNq_3XS5AI_GGZHmDJOmsFO_NKedxA-KImZ2RDZ5y_Vw0i88k8sin87OybPqcCbL_MdDbAROup2KEvpf8rDgLtjDrLz1zj-8mqhTJEodYKbvwFtxOuiXu4jTSitw
Host: dev-890645.okta.com
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] openidc.lua:439: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"00udqwk76vzTH8GeN356","user.fullName":"mirko mirko","user.email":"mirkot@mirkot.com"}
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] openidc.lua:978: authenticate(): OIDC Authorization Code Flow completed -> Redirecting to original URL (/api/management/v1/useradm/auth/ssologin)
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:11 [debug] 31#0: *539 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] handler.lua:46: make_oidc(): OidcHandler calling authenticate, requested path: /api/management/v1/useradm/auth/ssologin
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:467: openidc_discover(): openidc_discover: URL is: https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:473: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2019/05/17 14:29:11 [debug] 32#0: *583 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] http.lua:633: send_request():
GET /oauth2/default/.well-known/openid-configuration HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Host: dev-890645.okta.com
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:485: openidc_discover(): response data: {"issuer":"https://dev-890645.okta.com/oauth2/default","authorization_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/authorize","token_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/token","userinfo_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/userinfo","registration_endpoint":"https://dev-890645.okta.com/oauth2/v1/clients","jwks_uri":"https://dev-890645.okta.com/oauth2/default/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","profile","email","address","phone","offline_access"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_endpoint":"https://dev-890645.okta.com/oauth2/default/v1/logout","request_paramete
r_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]}
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 1 => client_secret_basic
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 2 => client_secret_post
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1038: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1066: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1203: authenticate(): session.present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] openidc.lua:1244: authenticate(): id_token={"ver":1,"user.fullName":"mirko mirko","iat":1558103349,"iss":"https:\/\/dev-890645.okta.com\/oauth2\/default","aud":"0oaez9z9tu95rEI5d356","idp":"00odqmy78hrj72VvL356","amr":["pwd"],"user.email":"mirkot@mirkot.com","exp":1558106949,"sub":"00udqwk76vzTH8GeN356","jti":"ID.xeeZplWT0xBO8E5W6QEiIb0e-FMb0lMXj7oeNg326U8","auth_time":1558103346,"nonce":"0e25d502f0d4ff42e9ba96af807e68a1","at_hash":"O_APuNM4_LQzOsPyJHizfQ"}
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] handler.lua:25: OidcHandler done
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] init.lua:411: balancer(): setting address (try 1): 10.126.22.36:8080
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:29:12 [debug] 32#0: *583 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:29:14 [debug] 30#0: *618 [lua] cluster_events.lua:222: [cluster_events] polling events f
Kong log — Keycloak (failing flow; the redirect is issued but no subsequent `access` phase appears. One thing worth checking: the `iss` claim inside the bearer token below decodes to an `http://…:9080/auth/realms/kapua` URL, whereas the configured discovery endpoint is `https://…/auth/realms/kapua` with no port — an issuer/scheme mismatch between what Keycloak is configured to advertise and what the plugin was given, though hostnames are partially redacted here so this needs confirming against the real deployment)
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:425: openidc_call_userinfo_endpoint(): authorization header 'Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFWFRpeVBIWXRaRnV0N1JwOWJLZTl0R2ktSnFXMF9MR1hUR2ctZURDR2o0In0.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.TpMzGDny3LwsKlAVVQx215JQY3TPA1QswEMTM4VuE2PX83tsvmynQcXYW9UV2OxZErBouWIxXaySIrysU3FbAFHDIETHmYniFEHzeHvaLcy6vK6wxQQXEuEmm5x-WUpojAU_69FX_YaKB2_wIzZm0CpdoN-yAUjUfz1fHpaW31Y65RLtZ6GwdffWSO4eh9_nh8PdzqvX1H4_l0AiUhJoAm0LA3yf5PZPKrwyuZmCfGxLolbEiJvZ1-OvjDFyKNLntZRQOrkOKoM5UNg2cz87rak-GTCfvsi1DHk2KFHnyVOhvlsMygYrn8OhW77DJRRKMpCiUf4iOXCD8SZcNQKEnA'
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] http.lua:633: send_request():
GET /auth/realms/kapua/protocol/openid-connect/userinfo HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFWFRpeVBIWXRaRnV0N1JwOWJLZTl0R2ktSnFXMF9MR1hUR2ctZURDR2o0In0.eyJqdGkiOiIxYzZhYmMzNy00NmUwLTQyNzYtOWIwNC04Nzc3ZmI1ZjAwMzgiLCJleHAiOjE1NTgxMDMyNzUsIm5iZiI6MCwiaWF0IjoxNTU4MTAyOTc1LCJpc3MiOiJodHRwOi8vYXV0aC5zb2xpZHNlbnNlLnRrOjkwODAvYXV0aC9yZWFsbXMva2FwdWEiLCJhdWQiOiJjb25zb2xlIiwic3ViIjoiZWJjMTQ5NmQtNWZhNi00MTk4LTk5ZGYtMzBjNzI5NjM0ZThjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY29uc29sZSIsIm5vbmNlIjoiZTM1ZjUxMWYyMTQ5ODE0Y2ViNDI3MTI3Mjc5MjZiMjIiLCJhdXRoX3RpbWUiOjE1NTgxMDI5NzUsInNlc3Npb25fc3RhdGUiOiI1MWYxYTQyZi0xYTE2LTQ2YTgtYmFlMS01OGI0MjgwMjgxOTMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9wb3J0YWwuc29saWRzZW5zZS50ayIsImh0dHA6Ly9rYXB1YS5zb2xpZHNlbnNlLnRrIiwiaHR0cDovL3VpLm1lbmRlci5jb20iLCJodHRwOi8vbWVuZGVyLnNvbGlkc2Vuc2UudGsiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6IkRyYXNrbyBEcmFza292aWMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkcmFza28iLCJnaXZlbl9uYW1lIjoiRHJhc2tvIiwiZmFtaWx5X25hbWUiOiJEcmFza292aWMiLCJlbWFpbCI6ImRyYXNrb0BtYWluZmx1eC5jb20ifQ.TpMzGDny3LwsKlAVVQx215JQY3TPA1QswEMTM4VuE2PX83tsvmynQcXYW9UV2OxZErBouWIxXaySIrysU3FbAFHDIETHmYniFEHzeHvaLcy6vK6wxQQXEuEmm5x-WUpojAU_69FX_YaKB2_wIzZm0CpdoN-yAUjUfz1fHpaW31Y65RLtZ6GwdffWSO4eh9_nh8PdzqvX1H4_l0AiUhJoAm0LA3yf5PZPKrwyuZmCfGxLolbEiJvZ1-OvjDFyKNLntZRQOrkOKoM5UNg2cz87rak-GTCfvsi1DHk2KFHnyVOhvlsMygYrn8OhW77DJRRKMpCiUf4iOXCD8SZcNQKEnA
Host: auth.server.tk:9080
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:439: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"ebc1496d-5fa6-4198-99df-30c729634e8c","namexxxxxxxxxxxxxxxxxxxxxxxxx}
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] openidc.lua:978: authenticate(): OIDC Authorization Code Flow completed -> Redirecting to original URL (/api/management/v1/useradm/auth/ssologin)
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2019/05/17 14:22:55 [debug] 32#0: *1612 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
2019/05/17 14:22:56 [debug] 26#0: *1629 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102976.755
2019/05/17 14:23:01 [debug] 31#0: *1678 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102981.756
2019/05/17 14:23:06 [debug] 33#0: *1724 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1558102816.701 to: 1558102986.756