OIDC plugin for both client credentials and access token

Hi All,

I am trying to configure the OIDC plugin with redhat-sso. Below is my plugin configuration.

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: oicd-plugin
config:
  client_id:
  - kong-cli
  client_secret:
  - dcd029c7-1070-437d-8f36-0f66
  hide_credentials: true
  issuer: https://sso.apps.nwk.com/auth/realms/ncaas
  auth_methods:
  - client_credentials
  - bearer
plugin: openid-connect

When I try to access the API with a Basic base64{Client id:secret} header, the plugin validates the request properly by communicating with the sso server.

  1. But when I make the API request with Bearer {access token received from the sso server}, validation fails and I get the below error in the logs.

2020/04/22 04:54:48 [notice] 24#0: *1026628 [lua] handler.lua:694: [openid-connect] invalid azp claim (kong-test-user) was specified for access token, client: 172.16.15.2, server: kong, request: "POST /api/team HTTP/1.1"

  • Here “kong-test-user” is the client id of the party generating the API request, and when I extract the information from the access token (jwt), I can see the azp claim properly in the payload, as “azp”: “kong-test-user”.
  2. The hide_credentials config does not get applied to the properly validated request. The backend server still gets an authorization header with the generated access token.

Appreciate your inputs to properly configure this plugin to validate API requests either with client credentials or access tokens.

Thanks!

I managed to fix this issue using the below configuration.

verify_claims: false

But is it recommended to disable this config in production environments? Documentation [1] recommends disabling this only for debugging purposes.

[1] https://docs.konghq.com/hub/kong-inc/openid-connect/

Thanks!

@bungle Can you provide some insight here?

The verification of the azp claim is a bit problematic if you use a different client than the one the plugin uses to acquire tokens. We may be able to loosen it, though I am not sure yet what the best way to do it is. Things like:

  • should you be able to specify your own clients in some additional parameter, such as config.allowed_azps
  • should you be able to specify claims for these standard verifications (which are causing pain as many idps don’t follow standards anyway), such as config.verify_claims_exclusions, or the other way around.

Do you have any proposal?

@bungle, I didn’t find any specific configuration to disable selected claims in the current releases. If it is available, that would be better from a security perspective than disabling all the claim validations.

@hbagdi, I grabbed as much information as I could for the original post. If you need any explicit information, I can provide it. Basically I am trying to understand the impact of disabling all the claim validations in the oidc plugin in a production system.

@danuka92,

Yes, I was just playing around with ideas. One additional idea is to have perhaps a bit more relaxed standard claims verification with bearer tokens. At the moment, yes, you can disable verify_claims. The signature is checked and expiry is checked even when that is disabled. I will think about how to make it more flexible. Ideas are welcome too.
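As an added illustration (not Kong's code, and not how the openid-connect plugin is actually implemented), the following Python models the checks this thread is arguing about: a bearer token whose azp is the requesting client (kong-test-user) rather than the plugin's own client (kong-cli), what the plugin rejects in strict mode, what an allow-list in the spirit of the hypothetical config.allowed_azps floated above would accept, and what is left when claim verification is switched off (signature and expiry still checked, iss and azp not). It uses HS256 with a constructed shared key so it runs offline; a real deployment verifies RS256/ES256 tokens against the issuer's JWKS. The issuer URL and client id are taken from the configuration posted in the thread; everything else (key, token contents, function names) is constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key: the real plugin verifies RS256/ES256 tokens against the
# issuer's JWKS; HS256 with a shared secret is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
# Issuer and plugin client id taken from the configuration posted in this thread.
ISSUER = "https://sso.apps.nwk.com/auth/realms/ncaas"
PLUGIN_CLIENT_ID = "kong-cli"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_bytes(segment: str) -> bytes:
    """Decode one base64url JWT segment; raises ValueError if malformed."""
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except binascii.Error as exc:
        raise ValueError("malformed segment") from exc


def _b64url_json(segment: str) -> dict:
    """Decode a base64url JSON object segment; raises ValueError if malformed."""
    try:
        obj = json.loads(_b64url_bytes(segment))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("malformed segment") from exc
    if not isinstance(obj, dict):
        raise ValueError("malformed segment")
    return obj


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT; stands in for the SSO server in this demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, key=DEMO_KEY, issuer=ISSUER,
                 allowed_azps=(PLUGIN_CLIENT_ID,), verify_claims=True, now=None):
    """Return (accepted, reason) for a bearer token.

    Signature and exp are checked unconditionally (what remains when
    verify_claims is false). iss and azp are checked only when verify_claims
    is True; allowed_azps plays the role of the hypothetical config.allowed_azps.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    try:
        header = _b64url_json(h)
        sig = _b64url_bytes(s)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm before touching the signature
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    try:
        claims = _b64url_json(p)
    except ValueError:
        return False, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    if verify_claims:
        if claims.get("iss") != issuer:
            return False, "invalid iss claim"
        if claims.get("azp") not in allowed_azps:
            return False, f"invalid azp claim ({claims.get('azp')})"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the thread's scenario (own client, other client, expired token) through both modes."""
    own = make_token({"iss": ISSUER, "azp": PLUGIN_CLIENT_ID, "exp": now + 300})
    other = make_token({"iss": ISSUER, "azp": "kong-test-user", "exp": now + 300})
    expired = make_token({"iss": ISSUER, "azp": PLUGIN_CLIENT_ID, "exp": now - 1})
    return {
        "own_client_strict": verify_token(own, now=now),
        "other_client_strict": verify_token(other, now=now),
        "other_client_allowlisted": verify_token(
            other, allowed_azps=(PLUGIN_CLIENT_ID, "kong-test-user"), now=now),
        "other_client_claims_off": verify_token(other, verify_claims=False, now=now),
        "expired_claims_off": verify_token(expired, verify_claims=False, now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the allow-list branch is that it names the specific clients allowed to present tokens instead of dropping the iss and azp checks for everyone, which is the trade-off the thread ends on; the expired-token case shows what verify_claims: false still rejects.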