Hi,
I’m using Kong EE 0.34-1.
I set up a service that’s protected by the OpenID Connect plugin and the ACL plugin with a whitelisted group, ‘admin’.
User authentication works as expected, with Kong picking up the correct group (‘admin’) from the Access Token for the authenticated user.
According to the OIDC plugin documentation the ACL plugin can apply ACLs based on the groups from the authenticated_groups_claim.
The Kong logs suggest that the ACL plugin ignores the groups because there’s no consumer involved (even though I specified an anonymous user):
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:1792: [openid-connect] authenticated using session
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:1798: [openid-connect] checking for access token
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:1804: [openid-connect] found access token
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:1816: [openid-connect] checking for access token expiration
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:1819: [openid-connect] access token is valid and has not expired
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:1985: [openid-connect] verifying required scopes
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2007: [openid-connect] scopes found in jwt token
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2046: [openid-connect] required scopes were found
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2142: [openid-connect] trying to find kong consumer
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2153: [openid-connect] trying to find consumer using id token
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2156: [openid-connect] trying to find consumer using access token
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2172: [openid-connect] kong consumer was not found
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2176: [openid-connect] kong consumer is optional
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:348: set_consumer(): [openid-connect] removing possible remnants of anonymous
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2222: [openid-connect] finding credential claim value
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2243: [openid-connect] credential claim found in jwt token
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2268: [openid-connect] credential found 'd6bcc80f-d14b-4de2-8d6c-09fc56c34b06'
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2278: [openid-connect] finding authenticated groups claim value
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2299: [openid-connect] authenticated groups claim found in jwt token
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2324: [openid-connect] authenticated groups found 'admin'
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2332: [openid-connect] hiding session cookie from upstream
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2401: [openid-connect] setting upstream and downstream headers
2019/02/22 02:39:30 [debug] 70#0: *822 [lua] handler.lua:2593: [openid-connect] proxying to upstream
2019/02/22 02:39:30 [error] 70#0: *822 [lua] handler.lua:63: [acl plugin] Cannot identify the consumer, add an authentication plugin to use the ACL plugin, client: ...