Kong bypassing kong-oidc plugin

Hello!

First of all: This might be a duplicate of Nokia/kong-oidc and Auth0 on Kubernetes help
Unfortunately it looks like this has never been resolved, so let’s try it again!

What I want to do:
Use kong as an API gateway for some services I’m running on kubernetes. Further I want to use the kong-oidc plugin to protect those services, backed by keycloak as an IDP. Before I started I tested the concept by setting everything up with docker-compose and it worked.

The Problem:
Now I started introducing kong on my kubernetes cluster. The basic routing works fine, but kong ignores the kong-oidc plugin, so everything is unprotected.
Let me elaborate how I set things up.

Reproduction/Setup:
The kong-oidc plugin is not in the list of bundled images. That’s why I created my own Dockerfile including the plugin, based on kong:1.4.0-alpine:

FROM kong:1.4.0-alpine
LABEL description="Alpine + Kong 1.4.0 + kong-oidc plugin"
# build-time dependencies for luarocks, then the plugin rock itself
RUN apk update && apk add git unzip luarocks
# the rock is named kong-oidc, but the plugin it installs is named "oidc"
RUN luarocks install kong-oidc

Then I used this deployment yaml (from the official minikube-guide).
Because I have my own kong-image I replaced image: kong:1.3 with image: corphub/kong-oidc:1.4.0-centos in the ingress-kong deployment. Note that I used this opportunity to go from kong-1.3 to kong-1.4.

After that I set up an Ingress for kong and the configuration for the kong-oidc plugin:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-kong
  annotations:
    plugins.konghq.com: kong-oidc
spec:
  rules:
  - http:
      paths:
      - path: /graphql
        backend:
          serviceName: corphub-graphql-service
          servicePort: 8082
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-oidc
  labels:
    global: "true"
config:
  client_id: kong
  client_secret: XXX
  discovery: http://keycloak:8180/auth/realms/master/.well-known/openid-configuration
plugin: kong-oidc

I also added the env variable KONG_CUSTOM_PLUGINS=kong-oidc to the earlier mentioned ingress-kong deployment because I read that somewhere, but I’m not sure if that is needed.

Now I would expect that every request going through kong would be validated by leveraging the kong-oidc plugin and keycloak. But that’s just not happening. All the requests just go through as if the plugin is not there at all. I also can’t find any logs which could point me in any direction.

I would love this setup to work, because I find it very elegant and robust. I hope I provided enough information, if not please ask.
Thanks in advance,
Peter

Hello!

The right env variable should be KONG_PLUGINS instead of KONG_CUSTOM_PLUGINS in 1.4.

Could you check that the plugin is available and enabled via the Admin API? You should see “Oidc” in the list.

curl http://localhost:8444/ with port forwarding to the Kong pod.

On the other hand, the plugin name is “oidc”, not “kong-oidc”.


That helped, thanks a lot!
I changed the env variable to
KONG_PLUGINS=oidc
like you suggested and also changed the plugin name in the ingress and the plugin configuration.
This is how it looks now:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-kong
  annotations:
    plugins.konghq.com: oidc
spec:
  rules:
  - http:
      paths:
      - path: /graphql
        backend:
          serviceName: corphub-graphql-service
          servicePort: 8082
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-oidc
  labels:
    global: "true"
config:
  client_id: kong
  client_secret: XXX
  discovery: http://keycloak:8180/auth/realms/master/.well-known/openid-configuration
plugin: oidc

Thanks again, this can be closed then…

hey, to enable this custom plugin you should set: KONG_PLUGINS=bundled,oidc

to check if kong notices the new plugin, just open the / route of kong-admin; you should see oidc in the list of installed plugins
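The two replies above describe the same verification: ask the Admin API's / route whether the plugin is loaded and referenced, keep bundled in KONG_PLUGINS, and make sure the plugin name is "oidc". The script below is an added example, not code from the original thread, from Kong or from kong-oidc. It turns those checks into functions and adds the one check a gateway operator should never skip: probing the protected route without credentials and treating any 2xx as the gateway failing open (which is exactly what the original post observed). The Admin and proxy URLs, the route path and the two sample JSON documents are assumptions; the response keys (plugins.available_on_server, plugins.enabled_in_cluster, configuration.plugins) are those of the Kong 1.x Admin API.

```python
"""Check that a custom Kong plugin (here: oidc) is loaded, referenced and enforcing.

Added example for this thread, not code from Kong, kong-oidc or the posters.
Assumptions: the Admin API is port-forwarded to localhost:8001, the proxy to
localhost:8000, the protected route is /graphql, and the sample JSON below is
constructed in the shape of the Kong 1.x Admin API '/' response.
"""
import json
import urllib.error
import urllib.request

ADMIN_URL = "http://localhost:8001/"           # assumed: kubectl port-forward to the Kong pod
PROXY_PROBE = "http://localhost:8000/graphql"  # assumed: the route protected in the thread


def parse_kong_plugins(value):
    """Split a KONG_PLUGINS value such as 'bundled, oidc' into a list of names."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_env(kong_plugins, kongplugin_name):
    """Catch the configuration mistakes from the thread before deploying.

    kong_plugins: value of KONG_PLUGINS (KONG_CUSTOM_PLUGINS was replaced by it,
    see the first reply). kongplugin_name: the 'plugin:' field of the KongPlugin.
    Returns a list of problems; an empty list means the two agree.
    """
    problems = []
    names = parse_kong_plugins(kong_plugins)
    if "bundled" not in names:
        problems.append("KONG_PLUGINS lacks 'bundled': every stock plugin "
                        "(key-auth, rate-limiting, ...) is switched off")
    if kongplugin_name not in names:
        problems.append(f"KongPlugin uses plugin: {kongplugin_name!r}, which is not in "
                        f"KONG_PLUGINS {names}; the rock installs its handler as 'oidc', "
                        f"not 'kong-oidc'")
    return problems


def check_admin_root(admin_root, plugin):
    """Diagnose the Admin API '/' response for a plugin that should be active."""
    problems = []
    plugins = admin_root.get("plugins", {})
    available = plugins.get("available_on_server", {})  # dict: name -> true
    enabled = plugins.get("enabled_in_cluster", [])     # list of names in use
    if plugin not in available:
        problems.append(f"{plugin!r} not loaded: missing from available_on_server "
                        "(KONG_PLUGINS wrong or the rock is not in the image)")
    if plugin not in enabled:
        problems.append(f"{plugin!r} loaded but unused: no plugin object references it "
                        "(check 'plugin:' in the KongPlugin and the Ingress annotation)")
    return problems


def route_is_protected(status):
    """An unauthenticated probe must not reach the upstream: 302/401/403 are
    acceptable answers, any 2xx means the gateway is failing open."""
    return not 200 <= status < 300


# Constructed samples in the shape of the Kong 1.x Admin API '/' response.
BROKEN_ROOT = json.loads("""{
  "configuration": {"plugins": ["bundled"]},
  "plugins": {"available_on_server": {"key-auth": true, "rate-limiting": true},
              "enabled_in_cluster": []}
}""")
FIXED_ROOT = json.loads("""{
  "configuration": {"plugins": ["bundled", "oidc"]},
  "plugins": {"available_on_server": {"key-auth": true, "rate-limiting": true, "oidc": true},
              "enabled_in_cluster": ["oidc"]}
}""")


def fetch_status(url):
    """HTTP status of a GET without credentials or cookies, redirects not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 302 instead of following it to Keycloak
    opener = urllib.request.build_opener(NoRedirect)
    try:
        return opener.open(url, timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    with urllib.request.urlopen(ADMIN_URL, timeout=5) as resp:
        root = json.load(resp)
    for problem in check_admin_root(root, "oidc"):
        print("PROBLEM:", problem)
    status = fetch_status(PROXY_PROBE)
    print("probe", PROXY_PROBE, "->", status,
          "protected" if route_is_protected(status) else "FAILING OPEN")
```

Run it after `kubectl port-forward` to the Kong pod for both the admin and proxy ports; a clean Admin API report together with a 302 or 401 from the probe is the evidence that the plugin is actually enforcing, whereas a 200 reproduces the original symptom even if the plugin appears under available_on_server. One caveat on the posted manifests: the plugins.konghq.com annotation lists KongPlugin resource names (metadata.name), so the value oidc does not point at a KongPlugin named kong-oidc; in the thread the plugin still applies because of the global: "true" label, which is why the mismatch went unnoticed.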