gerco
February 1, 2022, 4:46pm
I’m trying to set up Kong Manager (2.5.x) with Ping OIDC. I got to the point where the Manager UI redirects to Ping to log in, but it immediately gives me an error like this once I log in to Ping:
https://kong-admin.mydomain.com/auth?code=xxx&state=yyy
{"message":"Invalid credentials. Token or User credentials required"}
My admin_gui_auth_conf_secret looks like this:
{
  "issuer": "https://auth.pingone.com/zzz/as/.well-known/openid-configuration",
  "consumer_by": ["username", "id", "custom_id"],
  "consumer_claim": ["username"],
  "client_id": ["client id"],
  "client_secret": ["client secret"],
  "authenticated_groups_claim": ["group"],
  "ssl_verify": false,
  "leeway": 60,
  "logout_methods": ["GET", "DELETE"],
  "logout_query_arg": "logout",
  "redirect_uri": ["https://kong-admin.mydomain.com/auth"],
  "login_redirect_uri": ["https://kong-admin.mydomain.com"],
  "scopes": ["openid", "profile", "email"],
  "auth_methods": ["authorization_code"]
}
The domain name for Kong Manager is kong-manager.mydomain.com and the Admin API is at kong-admin.mydomain.com; both are served from the default https port (443).
Any ideas on what’s wrong with my configuration?
Hi @gerco - Did you ever solve this to use the OIDC plugin with Kong Manager? We also have kong admin api and manager on different hostnames
gerco
May 12, 2023, 1:21pm
I can’t quite remember what we did to solve the issue, but this is the admin_gui_auth_config that ended up working for us.
{
  "issuer": "https://auth.pingone.com/xxx/as",
  "admin_claim": "email",
  "consumer_claim": ["email"],
  "consumer_by": ["id", "username", "custom_id"],
  "client_id": ["client id"],
  "client_secret": ["client secret"],
  "authenticated_groups_claim": ["kongRoles"],
  "ssl_verify": false,
  "leeway": 60,
  "logout_methods": ["GET", "DELETE"],
  "logout_query_arg": "logout",
  "redirect_uri": ["https://kong-manager.ourdomain.com/"],
  "scopes": ["openid", "profile", "email"],
  "auth_methods": ["authorization_code"]
}
In Ping, we created a separate attribute kongRoles that contains the role names each user should have. I think it’s set by Ping group memberships, but I don’t know for sure how that part works.
Thank you @gerco that helped us a ton! We ended up with a config like this:
{
  "issuer": "https://***.***.com",
  "admin_claim": "email",
  "client_id": ["***"],
  "client_secret": ["***"],
  "consumer_optional": true,
  "by_username_ignore_case": true,
  "authenticated_groups_claim": ["roles"],
  "scopes": ["openid", "profile", "email"],
  "ssl_verify": true,
  "leeway": 90,
  "redirect_uri": ["https://research-api-manager.*.com/"],
  "logout_query_arg": "logout",
  "logout_methods": ["GET", "DELETE"],
  "auth_methods": ["authorization_code"]
}
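The thread's working configs differ from the failing one in two ways that matter: the redirect_uri moved from the Admin API host to the Kong Manager host, and admin_claim plus a groups claim (kongRoles / roles) were added so Kong can pick the admin identity and RBAC role names out of the ID token. The script below is an added example, not code from the thread posters or from Kong itself. It lints an admin_gui_auth_conf JSON blob against an assumed Kong Manager URL and simulates the claim lookup as the posters describe it (admin_claim names the admin, the groups claim carries role names); the rule that redirect_uri must sit on the Manager host is an assumption drawn from the working configs, and the sample configs and ID token claims are constructed with the placeholder values from the posts.

```python
"""Added example, not from the thread or from Kong: lint a Kong Manager
admin_gui_auth_conf JSON blob against the deployment's Kong Manager URL, and
simulate how admin_claim / authenticated_groups_claim select the admin identity
and RBAC role names from an ID token's claims (behaviour as described in the
thread; the Manager-host rule for redirect_uri is an assumption)."""
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: the first post's config, with redirect_uri on the Admin API host.
FIRST_CONF = json.loads("""{
  "issuer": "https://auth.pingone.com/zzz/as/.well-known/openid-configuration",
  "consumer_by": ["username", "id", "custom_id"],
  "consumer_claim": ["username"],
  "client_id": ["client id"],
  "client_secret": ["client secret"],
  "authenticated_groups_claim": ["group"],
  "ssl_verify": false,
  "leeway": 60,
  "logout_methods": ["GET", "DELETE"],
  "logout_query_arg": "logout",
  "redirect_uri": ["https://kong-admin.mydomain.com/auth"],
  "login_redirect_uri": ["https://kong-admin.mydomain.com"],
  "scopes": ["openid", "profile", "email"],
  "auth_methods": ["authorization_code"]
}""")

# Constructed sample: the config that worked in the second post (placeholders kept).
WORKING_CONF = json.loads("""{
  "issuer": "https://auth.pingone.com/xxx/as",
  "admin_claim": "email",
  "consumer_claim": ["email"],
  "consumer_by": ["id", "username", "custom_id"],
  "client_id": ["client id"],
  "client_secret": ["client secret"],
  "authenticated_groups_claim": ["kongRoles"],
  "ssl_verify": false,
  "leeway": 60,
  "logout_methods": ["GET", "DELETE"],
  "logout_query_arg": "logout",
  "redirect_uri": ["https://kong-manager.ourdomain.com/"],
  "scopes": ["openid", "profile", "email"],
  "auth_methods": ["authorization_code"]
}""")


def lint_conf(conf: Dict, manager_url: str) -> List[str]:
    """Return human-readable findings. manager_url is the assumed Kong Manager
    origin; a redirect_uri on any other host (e.g. the Admin API) is flagged."""
    findings: List[str] = []
    manager_host = urlparse(manager_url).netloc
    for uri in conf.get("redirect_uri", []):
        parsed = urlparse(uri)
        if parsed.netloc != manager_host:
            findings.append(f"redirect_uri {uri} is on host {parsed.netloc!r}, "
                            f"not the Kong Manager host {manager_host!r}")
        if parsed.scheme != "https":
            findings.append(f"redirect_uri {uri} is not https; the authorization code would travel in clear")
    if conf.get("ssl_verify") is False:
        findings.append("ssl_verify is false: the IdP's TLS certificate is not validated "
                        "when Kong fetches discovery, JWKS or tokens")
    if not conf.get("admin_claim"):
        findings.append("admin_claim is not set: no ID token claim selected to identify the Kong admin")
    if not conf.get("authenticated_groups_claim"):
        findings.append("authenticated_groups_claim is empty: no claim carries Kong RBAC role names")
    if "openid" not in conf.get("scopes", []):
        findings.append("scopes do not include 'openid': no ID token will be issued")
    if "authorization_code" not in conf.get("auth_methods", []):
        findings.append("auth_methods lacks 'authorization_code': the browser login flow is disabled")
    return findings


def resolve_admin(conf: Dict, claims: Dict) -> Tuple[Optional[str], List[str]]:
    """Simulate the post-login claim lookup: the value of the admin_claim claim
    is the admin identity (must match a Kong admin's username), and every value
    in the authenticated_groups_claim claim(s) is treated as an RBAC role name."""
    admin = claims.get(conf.get("admin_claim", ""))
    roles: List[str] = []
    for claim_name in conf.get("authenticated_groups_claim", []):
        value = claims.get(claim_name, [])
        if isinstance(value, str):  # some IdPs emit a single group as a bare string
            value = [value]
        roles.extend(value)
    return admin, roles


if __name__ == "__main__":
    for name, conf, url in (("first", FIRST_CONF, "https://kong-manager.mydomain.com"),
                            ("working", WORKING_CONF, "https://kong-manager.ourdomain.com")):
        print(f"--- {name} config ---")
        for finding in lint_conf(conf, url):
            print(" *", finding)
    # Constructed ID token claims, as Ping might emit them with a custom kongRoles attribute.
    sample_claims = {"sub": "abc123", "email": "alice@ourdomain.com",
                     "kongRoles": ["super-admin", "read-only"]}
    print(resolve_admin(WORKING_CONF, sample_claims))
```

Run it as-is to see the first config flagged for its Admin API redirect_uri, missing admin_claim and ssl_verify false, while the working config only draws the ssl_verify warning (the third poster's config turns that on). The role names that resolve_admin returns still have to exist as RBAC roles in Kong; the script only shows which claim values Kong would look up.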