Secure Kong Developer Portal using OIDC with Cognito

Hello, I’m trying to secure the Developer Portal using OIDC with Cognito.

I have followed the instructions from the official documentation: https://docs.konghq.com/gateway/2.7.x/configure/auth/oidc-cognito/

I have User Pool and User Pool Client set up in Cognito

Here’s my OIDC plugin configuration

{
  "scopes": [
    "openid",
    "profile",
    "email"
  ],
  "logout_methods": [
    "GET"
  ],
  "consumer_by": [
    "username",
    "custom_id",
    "id"
  ],
  "logout_query_arg": "logout",
  "login_action": "redirect",
  "consumer_claim": [
    "email"
  ],
  "login_redirect_mode": "query",
  "logout_redirect_uri": [
    "https://<COGNITO_DOMAIN>/logout?client_id=<CLIENT_ID>&logout_uri=<KONG_URI>:8446/default"
  ],
  "leeway": 100,
  "client_id": [
    "<CLIENT_ID>"
  ],
  "login_redirect_uri": [
    "https://<KONG_URI>:8446/default"
  ],
  "ssl_verify": false,
  "forbidden_redirect_uri": [
    "https://<KONG_URI>:8446/default/unauthorized"
  ],
  "login_tokens": {},
  "issuer": "https://<COGNITO_IDP_DOMAIN>/.well-known/openid-configuration",
  "redirect_uri": [
    "https://<KONG_URI>:8447/default/auth"
  ]
}

Now, with that configuration Kong redirects me to Cognito and when I pass valid credentials, Cognito redirects me back to the redirect_uri with authorization_code:

GET
https://<KONG_URI>:8447/default/auth?code=4310d8a4-30e8-4d24-97ba-57198ceff7c2&state=fG-v6C6umwzc1wpl1XRUdhZk

Response:
401

{"message":"Unauthorized"}

This is where I’m stuck. Kong isn’t exchanging the authorization_code for a token.

Do you have any ideas what I am missing?


Hi @bartek Please take a look at the instructions in the documentation for enabling OIDC for the Dev Portal here: Enable OpenID Connect in the Dev Portal - v2.7.x | Kong Docs. There may be subtle differences from the documentation you referred to, and the best source is the documentation found under the Kong Dev Portal section that I am sharing here.

Hey @theo.yeager Thank you for your response! I tried with the Dev Portal with no luck either.

Actually, I ended up with the very same error returned from Kong. I tried exchanging the authorization_code for the token manually by calling Cognito and it returned the token.

So I guess this is some configuration thing, but I’m not sure what :confused:


I’m having this exact same issue with all the same symptoms. I’ve looked through the linked doc and many others with no success. I put in a support ticket for help with this issue and will post whatever the fix is here as this thread comes up when searching for the issue.

We were able to resolve this issue by changing a setting in the portal_auth_conf setting (or KONG_PORTAL_AUTH_CONF if using an environment variable). Add this to the JSON:

"token_endpoint_auth_method": "none"

More info in the parameters section of this page, search for token_endpoint_auth_method:

My understanding is the Cognito doc tells you to turn off client secret generation; this setting tells Kong not to expect the client secret on the cookie in the callback coming back from the Cognito user registration process.

This is the log we found in the debug log that led us to this solution:

2022/03/03 17:35:25 [notice] 2062#0: *2918 [lua] responses.lua:21: [openid-connect] supported token endpoint authentication method was not found, client: CLIENTIP, server: portal_api, request: "GET /default/auth?code=CODESTRING&state=STATESTRING HTTP/2.0", host: "APIHOSTNAME:8447", referrer: "COGNITOPOOLURL"
172.26.0.1 - - [03/Mar/2022:17:35:25 +0000] "GET /default/auth?code=CODESTRING&state=STATESTRING HTTP/2.0" 401 26 "COGNITOPOOLURL" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"

You will run into this issue when trying to configure Cognito following the doc, so hopefully this is sent up as a doc bug. If not, hopefully this post helps others having this issue.

This config works for me

{
  "leeway": 1000,
  "scopes": [
    "openid"
  ],
  "client_secret": [
    "<client_secret>"
  ],
  "login_action": "redirect",
  "logout_query_arg": "logout",
  "logout_methods": [
    "GET"
  ],
  "consumer_by": [
    "username",
    "custom_id"
  ],
  "ssl_verify": false,
  "issuer": "https://<cognito_domain>/.well-known/openid-configuration",
  "consumer_claim": [
    "email"
  ],
  "login_redirect_uri": [
    "https://<dev-portal>:8446"
  ],
  "logout_redirect_uri": [
    "https://<dev-portal>:8446"
  ],
  "redirect_uri": [
    "https://<dev-portal-api>:8447/default/auth"
  ],
  "login_redirect_mode": "query",
  "client_id": [
    "<client_id>"
  ]
}
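As an added illustration, written for this page and not code from Kong or from anyone in the thread, of why the two working configurations differ: the fix post sets token_endpoint_auth_method to none because the Cognito app client was created with secret generation turned off, while the last config leaves that option unset but supplies a client_secret. The script mimics what an OIDC relying party does at the /default/auth callback: it picks a token-endpoint authentication method from the issuer's discovery document plus the client's own credentials, then assembles the authorization-code exchange that the original poster performed by hand against Cognito. The discovery document, endpoints, client_id and client_secret values are constructed samples; the list of advertised methods (no "none") is an assumption chosen to reproduce the "supported token endpoint authentication method was not found" log line, not a claim about Cognito's real metadata.

```python
import base64
from urllib.parse import urlencode

# Constructed sample issuer metadata, standing in for the document served at
# https://<COGNITO_IDP_DOMAIN>/.well-known/openid-configuration.
# Assumption: the issuer advertises only secret-based methods, so a client
# that has no secret is left with nothing it can use.
DISCOVERY = {
    "issuer": "https://cognito-idp.example-region.amazonaws.com/example_pool",
    "token_endpoint": "https://example.auth.example-region.amazoncognito.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

# Methods from RFC 6749 / OIDC Core that this helper understands.
METHODS_NEEDING_SECRET = {"client_secret_basic", "client_secret_post"}
KNOWN_METHODS = METHODS_NEEDING_SECRET | {"none"}


def resolve_auth_method(config: dict, discovery: dict) -> str:
    """Pick how the client authenticates to the token endpoint.

    An explicit token_endpoint_auth_method wins; otherwise the first method the
    issuer advertises that the client can actually perform is used.  A client
    without a secret can only perform "none", so an issuer that advertises only
    secret-based methods leaves it with no usable method (the 401 in the thread).
    """
    has_secret = bool(config.get("client_secret"))
    explicit = config.get("token_endpoint_auth_method")
    if explicit:
        if explicit not in KNOWN_METHODS:
            raise ValueError(f"unknown token_endpoint_auth_method {explicit!r}")
        if explicit in METHODS_NEEDING_SECRET and not has_secret:
            raise ValueError(f"{explicit} requires a client_secret")
        return explicit
    # OIDC Discovery: when the list is omitted, client_secret_basic is assumed.
    advertised = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in advertised:
        if method in KNOWN_METHODS and (has_secret or method not in METHODS_NEEDING_SECRET):
            return method
    raise ValueError("supported token endpoint authentication method was not found")


def check_config(config: dict, discovery: dict) -> dict:
    """Dry-run the callback step: report the method that would be used, or the error."""
    try:
        return {"ok": True, "method": resolve_auth_method(config, discovery)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


def build_token_request(config: dict, discovery: dict, code: str, redirect_uri: str) -> dict:
    """Assemble the authorization-code exchange (RFC 6749 section 4.1.3) as a plain dict."""
    method = resolve_auth_method(config, discovery)
    client_id = config["client_id"][0]  # Kong stores client_id and client_secret as lists
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        creds = f"{client_id}:{config['client_secret'][0]}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = config["client_secret"][0]
    else:  # "none": a public client identifies itself by client_id alone
        form["client_id"] = client_id
    return {"url": discovery["token_endpoint"], "auth_method": method,
            "headers": headers, "body": urlencode(form)}


if __name__ == "__main__":
    public_client = {"client_id": ["<CLIENT_ID>"]}           # secret generation turned off
    print(check_config(public_client, DISCOVERY))            # fails exactly like the thread
    public_client["token_endpoint_auth_method"] = "none"     # the fix from the thread
    print(check_config(public_client, DISCOVERY))
    confidential = {"client_id": ["<client_id>"], "client_secret": ["<client_secret>"]}
    req = build_token_request(confidential, DISCOVERY, "4310d8a4", "https://<KONG_URI>:8447/default/auth")
    print(req["auth_method"], req["headers"]["Authorization"])
```

Running the script shows the public client failing until token_endpoint_auth_method is set to none, and the confidential client resolving to client_secret_basic with no extra option, which is the difference between the two working configurations. The helper only builds the request; whatever sends it should do so with TLS verification enabled, since both configurations in this thread set ssl_verify to false, which leaves the code-for-token exchange (and the secret, where one exists) exposed to anyone who can interpose on the path to the issuer.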