Kong openid connect authentication

This seems like a basic question, but I've failed to find an answer.

I want to use kong for single sign-on.
I've followed https://github.com/oktadeveloper/okta-kong-origin-example to configure kong against okta,
and everything works fine for this example.
Based on that, I wanted to "protect" access to the login endpoint in my service, expecting to get the X-Userinfo header from the request.

I have several services running inside docker, and one of them is the users service, which does the authentication among other things.
I've made the following configuration.
I've added the kong docker container into the same network as all other services, and I've added this configuration into nginx.conf (nginx is also a container, built from openresty/openresty:1.13.6.2-0-alpine):

    location = /api/v1/useradm/auth/ssologin {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Cookie $http_cookie;
        proxy_pass http://okta-kong-oidc:8000;
    }

kong configuration:

{
    "created_at": 1557132426511,
    "http_if_terminated": false,
    "https_only": false,
    "id": "b3569d9b-4947-4938-9208-d02fd5819443",
    "name": "okta-test",
    "preserve_host": true,
    "retries": 5,
    "strip_uri": true,
    "upstream_connect_timeout": 60000,
    "upstream_read_timeout": 60000,
    "upstream_send_timeout": 60000,
    "upstream_url": "http://user-service:8080",
    "uris": [
        "/"
    ]
}

this is the oidc plugin configuration:

    {
        "total": 1,
        "data": [
            {
                "created_at": 1557132674825,
                "config": {
                    "response_type": "code",
                    "realm": "kong",
                    "redirect_after_logout_uri": "/",
                    "scope": "openid",
                    "token_endpoint_auth_method": "client_secret_post",
                    "client_secret": "xxxxxxxx",
                    "client_id": "xxxxxxxx",
                    "bearer_only": "no",
                    "ssl_verify": "no",
                    "discovery": "https://dev-890645.okta.com/oauth2/default/.well-known/openid-configuration",
                    "logout_path": "/logout"
                },
                "id": "413a301b-1c3a-4d20-9f49-8c88bcf55bd1",
                "enabled": true,
                "name": "oidc",
                "api_id": "b3569d9b-4947-4938-9208-d02fd5819443"
            }
        ]
    }

Now, when I access http://localhost:8000/api/v1/useradm/auth/ssologin I get the expected result:
I'm redirected to okta for authentication, and after that kong redirects to my user-service with X-Userinfo.

However, when I hit
http://my.server.com/api/v1/useradm/auth/ssologin
I'm not getting X-Userinfo in my service endpoint.

(my.server.com is resolved from the hosts file)

Where did I go wrong?

I've tried another approach but got a similar result.

I have nginx running in front of kong, proxying requests to kong:

    server {
        listen 80;
        listen [::]:80;

        root /var/www/ui.myserver.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name ui.myserver.com;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8000;
        }
    }

kong is configured with the oidc plugin on the route /api/useradm/auth.

When I try to access ui.myserver.com/api/useradm/auth from the browser, I'm successfully redirected to the okta login, and after login I get this message in the browser:

"request to the redirect_uri_path but there's no session state found, client"

This is from the kong error log:

    2019/05/08 14:11:26 [error] 60#0: *20941 [lua] openidc.lua:1173: authenticate(): request to the redirect_uri_path but there's no session state found, client: 172.18.0.1, server: kong, request: "GET /api/useradm/auth/ssologin/?code=vFmkQszypbIGViU-qbk4&state=835215504ec60c3a7142c5e7a6b84489 HTTP/1.0", host: "ui.myserver.com"

I have resolved this by setting session_secret in nginx-kong.conf and using config.session_secret in the kong-oidc plugin.
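To show why a shared session secret fixes the "no session state found" error above (and why the X-Userinfo header was missing when the same flow was reached through a different host name in the first post), here is an added, constructed Python model of the two legs of the authorization code flow as the kong-oidc plugin performs them. It is not the plugin's own code: kong-oidc relies on lua-resty-openidc and lua-resty-session, and the cookie layout here (HMAC-signed JSON) is a simplification of theirs. The point it demonstrates is that the callback request must be able to open the session cookie that was issued on the first request; if the secret that signed the cookie is not the secret the handling worker or instance uses (the case when no session_secret is configured and each one generates its own), or if the browser never sends the cookie back (it was set for another host, such as localhost), the state check cannot run and the callback is rejected. All hostnames, the authorization code and the secrets are constructed values.

```python
"""Constructed model of the OIDC callback session/state check.
Simplified; NOT the real kong-oidc / lua-resty-session cookie format."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

NO_SESSION = "error: request to the redirect_uri_path but there's no session state found"


def _sign(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def encode_session(secret: bytes, data: dict) -> str:
    """Serialise session data into a cookie value bound to `secret`."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(secret, payload)}"


def decode_session(secret: bytes, cookie):
    """Return the session dict, or None if the cookie is absent or was not signed with `secret`."""
    if not cookie or "." not in cookie:
        return None
    payload, sig = cookie.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(secret, payload)):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def start_login(secret: bytes, original_url: str):
    """First leg: generate state, keep it in the session cookie, redirect the browser to the IdP."""
    state = secrets.token_hex(16)
    cookie = encode_session(secret, {"state": state, "original_url": original_url})
    location = "https://idp.example/authorize?" + urlencode({
        "response_type": "code",
        "state": state,
        "redirect_uri": "http://ui.myserver.com" + original_url,  # constructed host
    })
    return location, cookie


def handle_callback(secret: bytes, callback_url: str, cookie):
    """Second leg: the IdP sends the browser back with ?code=...&state=...;
    the state must match the one stored in the session cookie."""
    qs = parse_qs(urlparse(callback_url).query)
    session = decode_session(secret, cookie)
    if session is None:
        return NO_SESSION
    if qs.get("state", [None])[0] != session["state"]:
        return "error: state in callback does not match session"
    return f"ok: code {qs['code'][0]} accepted, resuming {session['original_url']}"


def simulate(shared_secret: bool, cookie_survives: bool = True) -> str:
    """Run both legs end to end.
    shared_secret=False models two workers/instances that each generated their own
    random secret because no session_secret was configured.
    cookie_survives=False models the browser not presenting the cookie on the callback
    (for example, it was set for localhost and the callback arrives on another host)."""
    worker_a = secrets.token_bytes(32)                 # handles the first request
    worker_b = worker_a if shared_secret else secrets.token_bytes(32)  # handles the callback
    location, cookie = start_login(worker_a, "/api/useradm/auth/ssologin")
    state = parse_qs(urlparse(location).query)["state"][0]
    callback = "http://ui.myserver.com/api/useradm/auth/ssologin?" + urlencode(
        {"code": "constructed-code", "state": state})
    return handle_callback(worker_b, callback, cookie if cookie_survives else None)


if __name__ == "__main__":
    print(simulate(shared_secret=True))                         # ok: ...
    print(simulate(shared_secret=False))                        # no session state found
    print(simulate(shared_secret=True, cookie_survives=False))  # no session state found
```

The first run succeeds because the same secret issued and verified the cookie; the second fails exactly as the error log shows, even though the state parameter is correct, because the worker handling the callback cannot verify a cookie signed by a different secret; the third fails the same way when the cookie is simply absent, which is what you see when the login starts on one host name and the callback lands on another. Configuring one session_secret that every Kong worker and instance shares, and making sure the browser reaches both legs under the same host name, addresses both cases.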

Care to explain the configuration settings in more detail?
