Secure Kong Developer Portal using OIDC with Cognito

Hello, I’m trying to secure the Developer Portal using OIDC with Cognito.

I have followed the instructions from the official documentation: https://docs.konghq.com/gateway/2.7.x/configure/auth/oidc-cognito/

I have User Pool and User Pool Client set up in Cognito

Here’s my OIDC plugin configuration

{
  "scopes": [
    "openid",
    "profile",
    "email"
  ],
  "logout_methods": [
    "GET"
  ],
  "consumer_by": [
    "username",
    "custom_id",
    "id"
  ],
  "logout_query_arg": "logout",
  "login_action": "redirect",
  "consumer_claim": [
    "email"
  ],
  "login_redirect_mode": "query",
  "logout_redirect_uri": [
    "https://<COGNITO_DOMAIN>/logout?client_id=<CLIENT_ID>&logout_uri=<KONG_URI>:8446/default"
  ],
  "leeway": 100,
  "client_id": [
    "<CLIENT_ID>"
  ],
  "login_redirect_uri": [
    "https://<KONG_URI>:8446/default"
  ],
  "ssl_verify": false,
  "forbidden_redirect_uri": [
    "https://<KONG_URI>:8446/default/unauthorized"
  ],
  "login_tokens": {},
  "issuer": "https://<COGNITO_IDP_DOMAIN>/.well-known/openid-configuration",
  "redirect_uri": [
    "https://<KONG_URI>:8447/default/auth"
  ]
}

Now, with that configuration Kong redirects me to Cognito and when I pass valid credentials, Cognito redirects me back to the redirect_uri with authorization_code:

GET
https://<KONG_URI>:8447/default/auth?code=4310d8a4-30e8-4d24-97ba-57198ceff7c2&state=fG-v6C6umwzc1wpl1XRUdhZk

Response:
401

{"message":"Unauthorized"}

This is where I’m stuck. Kong isn’t exchanging the authorization_code for a token.

Do you have any idea what I am missing?

Hi @bartek Please take a look at the instructions in the documentation for enabling OIDC for the dev portal here: Enable OpenID Connect in the Dev Portal - v2.7.x | Kong Docs. There may be subtle differences from the documentation you referred to, and the best source is the documentation found under the Kong Dev Portal section that I am sharing here.

Hey @theo.yeager Thank you for your response! I tried with the Dev Portal with no luck either.

Actually, I ended up with the very same error returned from Kong. I tried exchanging the authorization_code for the token manually by calling Cognito and it returned the token.

So I guess, this is some configuration thing, but I’m not sure what :confused:
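As an added example that is not part of this thread or of Kong's own code: the checks a relying party applies when a callback like the one above (`?code=...&state=...`) arrives at its redirect_uri, followed by the authorization-code token request it sends next. The plugin config, discovery document, hostnames and ports are constructed stand-ins for the placeholders in the post.

```python
"""Added example (not from the thread): validate an OIDC callback against
a Kong-style plugin config, then build the code-for-token request.
Config, discovery document and URLs below are constructed stand-ins."""
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed plugin config, mirroring the shape posted in the thread.
PLUGIN_CONFIG = {
    "client_id": ["example-client-id"],
    "issuer": "https://cognito-idp.example.com/pool/.well-known/openid-configuration",
    "redirect_uri": ["https://kong.example.com:8447/default/auth"],
}

# Constructed stand-in for what GET <issuer> would return from the IdP.
DISCOVERY = {
    "issuer": "https://cognito-idp.example.com/pool",
    "token_endpoint": "https://auth.example.com/oauth2/token",
}

def check_callback(config, callback_url, expected_state):
    """Return the problems that must stop the code exchange; [] means go."""
    problems = []
    parts = urlsplit(callback_url)
    # The registered redirect_uri is compared exactly (scheme, host,
    # port, path) with the URL the code was delivered to.
    received = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received not in config["redirect_uri"]:
        problems.append(f"callback {received} not in redirect_uri")
    q = parse_qs(parts.query)
    if "code" not in q:
        problems.append("no authorization code in callback")
    # state ties the callback to the browser session that started login.
    if q.get("state", [None])[0] != expected_state:
        problems.append("state does not match the login session")
    return problems

def build_token_request(config, discovery, code, client_secret=None):
    """Form body for the authorization_code grant at the token endpoint."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": config["redirect_uri"][0],
        "client_id": config["client_id"][0],
    }
    if client_secret:  # needed when the IdP app client was issued a secret
        body["client_secret"] = client_secret
    return discovery["token_endpoint"], urlencode(body)
```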
