Hi,
I have deployed Kong Ingress Controller (DB-less) and created an OIDC KongPlugin (Okta) which looks like this:

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc-auth
config:
  issuer: https://<okta_domain>/oauth2/default/.well-known/openid-configuration
  client_id:
    - XXXXXXXX
  client_secret:
    - XXXXXX
  redirect_uri:
    - https://<some_host>/<some_resource>
  http_proxy: http://<some_proxy>:/
  https_proxy: http://<some_proxy>:/
plugin: openid-connect
```
I have also created an Ingress rule referencing the KongPlugin in its annotations: `konghq.com/plugins: oidc-auth`
However, when I try to access my resource, I get a 500 error code and the Kong proxy logs show the following message:

```
2020/06/26 15:39:20 [notice] 22#0: *239609 [lua] cache.lua:371: [openid-connect] loading configuration for https://<okta_domain>/oauth2/default/.well-known/openid-configuration from database, client: XX.XXX.X.X, server: kong, request: "HEAD /users HTTP/1.1", host: "<Some_DNS>"
```
Hi Satwant,
Unfortunately, https://<okta_domain>/oauth2/default does not work, as https://<okta_domain>/oauth2/default/.well-known/openid-configuration is the Okta endpoint which gives all the information needed to get the Authorization and Token Introspection endpoints. The strange thing is that there is no error when https://<okta_domain>/oauth2/default/.well-known/openid-configuration is invoked, but I still see an error saying that the "Authorization Point was not specified", although the authorization endpoint is returned in the result of the https://<okta_domain>/oauth2/default/.well-known/openid-configuration invocation.
Is there any additional configuration of the OpenID Connect Kong Plugin that has to be done?
Hi Satwant,
Thank you.
Actually, I was able to solve the issue by adding the `authorization_endpoint` and the `token_endpoint` to the Kong Plugin configuration.
I think this is due to the fact that there is an HTTP proxy. I also had to set the `http_proxy` and `https_proxy` variables in the Kong Plugin configuration.
Now it works.
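For reference, here is what the resolved configuration described in the thread looks like when put together. This is an added example, not a manifest posted by anyone in the thread: the explicit `authorization_endpoint` and `token_endpoint` values are the standard Okta paths for the `default` authorization server and should be checked against the `authorization_endpoint` and `token_endpoint` fields of the discovery document; `<port>` on the proxy URLs and every other angle-bracket value is a placeholder.

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc-auth
plugin: openid-connect
config:
  # Discovery URL stays as the issuer; Kong still fetches it, but the
  # request path no longer depends on discovery succeeding at request time.
  issuer: https://<okta_domain>/oauth2/default/.well-known/openid-configuration
  client_id:
    - XXXXXXXX
  client_secret:
    - XXXXXX
  redirect_uri:
    - https://<some_host>/<some_resource>
  # Assumed Okta paths for the "default" authorization server; verify them
  # against the values returned by the discovery document above.
  authorization_endpoint: https://<okta_domain>/oauth2/default/v1/authorize
  token_endpoint: https://<okta_domain>/oauth2/default/v1/token
  # Outbound proxy used by Kong to reach Okta; <port> is a placeholder.
  http_proxy: http://<some_proxy>:<port>/
  https_proxy: http://<some_proxy>:<port>/
```

Two practical checks before relying on this: from inside a Kong pod, fetch the discovery document through the same proxy and confirm the two endpoint URLs match what you hard-coded, since a mismatch silently breaks the redirect or the code exchange; and remember that `client_secret` in a KongPlugin object is stored in plain text in the cluster, so restrict RBAC read access to that resource (newer Kong Ingress Controller releases can also load plugin config from a Kubernetes Secret via `configFrom.secretKeyRef`).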