OpenID Connect Plugin Okta Integration Issue

Hi,
I have deployed Kong Ingress Controller (dbless) and created an OIDC Kong Plugin (Okta) which looks like this:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc-auth
config:
  issuer: https://<okta_domain>/oauth2/default/.well-known/openid-configuration
  client_id:
  - XXXXXXXX
  client_secret:
  - XXXXXX
  redirect_uri:
  - https://<some_host>/<some_resource>
  http_proxy: http://<some_proxy>:/
  https_proxy: http://<some_proxy>:/
plugin: openid-connect

I have also created an Ingress rule referencing the KongPlugin in its annotations:
annotations:
  konghq.com/plugins: oidc-auth

However when I try to access my resource, I get a 500 error code and the Kong-Proxy logs show the following message:
2020/06/26 15:39:20 [notice] 22#0: *239609 [lua] cache.lua:371: [openid-connect] loading configuration for https://<okta_domain>/oauth2/default/.well-known/openid-configuration from database, client: XX.XXX.X.X, server: kong, request: “HEAD /users HTTP/1.1”, host: “<Some_DNS>”

2020/06/26 15:39:20 [error] 22#0: *239609 [lua] handler.lua:98: [openid-connect] authorization endpoint was not specified, client: XX.XX.X.X, server: kong, request: “HEAD /users HTTP/1.1”, host: “<some_host>”

99.198.2.1 - - [26/Jun/2020:15:39:20 +0000] “HEAD /users HTTP/1.1” 500 0 “-” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36”

What would be the reason for this issue, “authorization endpoint was not specified”?

Thanks
Jon

Could you change the issuer to: https://<okta_domain>/oauth2/default

Hi Satwant,
Unfortunately, https://<okta_domain>/oauth2/default does not work, as https://<okta_domain>/oauth2/default/.well-known/openid-configuration is the Okta endpoint which gives all the information needed to get the Authorization and Token Introspection endpoints. The strange thing is that there is no error when https://<okta_domain>/oauth2/default/.well-known/openid-configuration is invoked, but I still see an error saying that the “Authorization endpoint was not specified”, although the Authorization endpoint is returned in the result of the https://<okta_domain>/oauth2/default/.well-known/openid-configuration invocation.

Is there any additional configuration of the OpenID Connect Kong Plugin that has to be done?

Thanks
Jon

I just tested it out with the following version:
repository: kong-docker-kong-enterprise-k8s.bintray.io/kong-enterprise-k8s
tag: 2.0.4.1-alpine
Deployed an httpbin service:
kubectl apply -f https://bit.ly/k8s-httpbin

Here is my OIDC plugin configuration

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: okta-oidc-pl
disabled: false
config:
  client_id:
  - myclientxxxx
  client_secret:
  - mysecretxxxx
  issuer: https://dev-xxxxx.okta.com/oauth2/myauthserverxxxx/.well-known/openid-configuration
  redirect_uri:
  - http://myhostxxxx/bin/get
plugin: openid-connect

Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: okta-bin
  annotations:
    konghq.com/strip-path: "true"
    konghq.com/plugins: okta-oidc-pl
spec:
  rules:
  - http:
      paths:
      - path: /bin
        backend:
          serviceName: httpbin
          servicePort: 80

And it all works: when I make a request, I get redirected to Okta to authenticate.

10.128.0.18 - - [28/Jun/2020:00:13:34 +0000] “GET /bin/get HTTP/1.1” 302 110 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0”
2020/06/28 00:14:19 [notice] 22#0: *7823 [lua] cache.lua:672: tokens_load(): [openid-connect] loading tokens from the identity provider, client: 10.128.0.18, server: kong, request: “GET /bin/get?code=86mfkxV0PV-xSENljzxT&state=l5zpKUeN6kEJ9ASdxe56E1_4 HTTP/1.1”, host: “myhostxxxxxx”
10.128.0.18 - - [28/Jun/2020:00:14:19 +0000] “GET /bin/get?code=86mfkxV0PV-xSENljzxT&state=l5zpKUeN6kEJ9ASdxe56E1_4 HTTP/1.1” 200 1373 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0”

Maybe try deleting your plugin and reconfiguring it; also make sure your authorization server is set up correctly.

Hi Satwant,
Thank you.
Actually, I was able to solve the issue by adding the authorization_endpoint and the token_endpoint to the Kong Plugin configuration.
I think this is due to the fact that there is an HTTP proxy. I also had to set the http_proxy and https_proxy variables in the Kong Plugin configuration.
Now it works.

Thank you
Best Regards
Jon
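Added example (not code from this thread or from Kong): a small check for the discovery document that the plugin is supposed to read from the issuer URL. Given the JSON returned by the .well-known endpoint (for instance fetched with curl through the same proxy Kong uses) and the configured issuer URL, it reports whether the endpoints Kong needs are present, whether the document's issuer matches the URL it was fetched from, and which values to pin as authorization_endpoint and token_endpoint when Kong cannot resolve them itself. The tenant name in the sample document is a constructed placeholder.

```python
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Keys the openid-connect plugin needs for the authorization code flow.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document; dev-xxxxx is a placeholder, not a real Okta org.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-xxxxx.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-xxxxx.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-xxxxx.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://dev-xxxxx.okta.com/oauth2/default/v1/keys",
})


def check_discovery(doc_text, discovery_url):
    """Return a list of problems found in an OIDC discovery document fetched
    from discovery_url. An empty list means the plugin can derive its
    authorization and token endpoints from it."""
    try:
        doc = json.loads(doc_text)
    except ValueError as exc:
        return ["discovery document is not JSON: %s" % exc]
    problems = ["missing %s" % k for k in REQUIRED_KEYS if k not in doc]
    if problems:
        return problems
    # OIDC Discovery requires the issuer value to equal the URL the document
    # was fetched from minus the well-known suffix; a mismatch means the
    # configured issuer and the responding server disagree (mix-up risk).
    expected_issuer = discovery_url
    if discovery_url.endswith(DISCOVERY_SUFFIX):
        expected_issuer = discovery_url[:-len(DISCOVERY_SUFFIX)]
    if doc["issuer"] != expected_issuer:
        problems.append("issuer %r does not match %r" % (doc["issuer"], expected_issuer))
    issuer_host = urlparse(doc["issuer"]).netloc
    for key in REQUIRED_KEYS[1:]:
        url = urlparse(doc[key])
        if url.scheme != "https":
            problems.append("%s is not https" % key)
        if url.netloc != issuer_host:
            problems.append("%s host %r differs from issuer host" % (key, url.netloc))
    return problems


def kong_endpoint_overrides(doc_text):
    """Values to set explicitly in the KongPlugin config (the fix used in the
    thread) when the plugin cannot populate them from discovery itself."""
    doc = json.loads(doc_text)
    return {k: doc[k] for k in ("authorization_endpoint", "token_endpoint")}
```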
