Simple OAuth2 Client Credential Flow Problem


#1

Hi
I’m trying to understand a simple Client Credentials flow using the OAuth2 plugin. I wish to use ‘http’, instead of ‘https’, hence the use of: config.accept_http_if_already_terminated=true and -H ‘x-forwarded-proto: https’

I am also using the latest version of Kong (0.13.1) although I’ve tried an earlier version too, but get the same error while trying to test a simple client credentials flow. The error is

{"error_description":"Invalid grant_type","error":"unsupported_grant_type"}

I have looked at a number of examples on the web and also the OAuth plugin documentation, but I’m still struggling to get an example working. The steps I am taking are shown below. I am obviously doing something wrong and so any advice how to get a simple client credentials example flow working using http would be appreciated.

Many thanks.

  1. FIRST - Create an API:

    curl -X POST \
      http://kong:8001/apis/ \
      -H 'content-type: application/x-www-form-urlencoded' \
      -d 'name=myapi21&hosts=kong&upstream_url=http://kong:8080/mypath'

  2. Enable oauth2 plugin (with client credential code flow)

    curl -X POST \
      http://kong:8001/apis/7c091ce5-62cc-465d-98e8-027ef0fcdb68/plugins \
      -H 'content-type: application/x-www-form-urlencoded' \
      -d 'name=oauth2&config.enable_client_credentials=true&config.mandatory_scope=false&config.accept_http_if_already_terminated=true'

  3. Create a Consumer

    curl -X POST \
      http://kong:8001/consumers \
      -H 'content-type: application/x-www-form-urlencoded' \
      -d 'custom_id=21&username=bobs21'

  4. Register the oauth2 client application (note redirect_uri has to be present (I think!) but is meaningless in this flow)

    curl -X POST \
      http://kong:8001/consumers/68920c2a-c6bd-4225-8717-a06e46b0d354/oauth2 \
      -d 'name=bobsTake21' \
      -d 'redirect_uri=http://kong:8000/bla/bla/bla'

  5. Next, do a Base64 encoding of client_id:client_secret. This is cmh4MVZ4eGJvRWx1cUlmd1NoOEFsVUREaTZ4TUFEMzc6b0R4TzBDazFBaWZPNjE5M1RSckdZNjJjUzlyOXMzNzU=

  6. Finally, now try to get an Access Token:

    curl -v -X POST \
      http://kong:8000/myapi21/oauth2/token \
      -H 'authorization: Basic cmh4MVZ4eGJvRWx1cUlmd1NoOEFsVUREaTZ4TUFEMzc6b0R4TzBDazFBaWZPNjE5M1RSckdZNjJjUzlyOXMzNzU=' \
      -H 'content-type: application/x-www-form-urlencoded' \
      -H 'host: kong' \
      -H 'x-forwarded-proto: https' \
      -d 'client_id=rhx1VxxboEluqIfwSh8AlUDDi6xMAD37&grant_type=client_credentials'

    {"error_description":"Invalid grant_type","error":"unsupported_grant_type"}


#2

Hi

I’m still struggling with this. Does anyone have a simple step by step example they could direct me towards to illustrate the Client Credentials flow using the Kong OAuth plugin and using ‘http’, rather than ‘https’:

config.accept_http_if_already_terminated=true set
and
header set for: ‘x-forwarded-proto: https’ ?

As someone new to Kong (and the OAuth2 plugin) the plugin documentation gets me only so far (please see my original question) before I get an error, but a real working example would be much appreciated. Many thanks.


#3

I will respond here although not entirely sure I understand the Oauth2 flow you are trying; I personally use client credentials with https. First, a few things I have seen using Kong:

  1. I have never gotten Oauth2 client creds to work on an http proxy transaction, and for good reason. Doing any API transaction over pure HTTP is a good way to get the temp keys sniffed so I highly recommend enabling TLS on client+kong end.

Call the Oauth2 endpoint like so:

    $ curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X POST 'https://gateway.com/api/test/oauth2/token' -d 'grant_type=client_credentials&client_id=ns4fQc14Zg4hKFCNaSzArVuwszX95X&client_secret=ZIjFyTsNgQNyxI'

  2. Once you get a token back from the Oauth2 Endpoint make sure you include the

    Authorization: Bearer <token>

In the REST HTTP Headers on the 'https://gateway.com/api/test' endpoint.

I personally do not use the b64 encodings and such so can’t be much help there but the above works for me today over https. No reason to not use TLS on API transactions in today’s landscape.
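The setup and token steps from post #1 together with the body-credential variant and Bearer call from post #3, collected into one correctly quoted script. This is an added example, not code from the posters or from Kong. It assumes the thread's Kong 0.13 layout (Admin API at kong:8001, an API named myapi21 routed by host "kong", the Admin API returning `id`, `client_id` and `client_secret` fields) and a TLS proxy port of 8443, so client secrets and tokens never cross the wire in the clear. Live calls run only when RUN_LIVE=1; the two helpers (`basic_auth_header`, `json_field`) work offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Kong): the client-credentials flow
# from post #1, plus the body-credential variant and Bearer call from post #3.
# Assumes the thread's Kong 0.13 layout (Admin API on kong:8001, API "myapi21"
# routed by host "kong") and a TLS proxy port, so secrets and tokens never go
# over plain http. Live calls run only with RUN_LIVE=1; the helpers run offline.
set -eu

KONG_ADMIN="${KONG_ADMIN:-http://kong:8001}"   # Admin API, as in post #1
KONG_PROXY="${KONG_PROXY:-https://kong:8443}"  # proxy over TLS (assumed port)
API_HOST="${API_HOST:-kong}"                   # value of the API's "hosts" field

# Value for the Authorization header built from client_id:client_secret, i.e.
# the manual base64 step in post #1. tr strips the newline GNU base64 appends.
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Extract one string field from a flat JSON object: json_field "$resp" client_id
# (a small sed extractor so the script needs no jq; prints nothing if absent)
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Token request with the client credentials in HTTP Basic auth (post #1's way).
token_with_basic_auth() {
  curl -sS -X POST "$KONG_PROXY/myapi21/oauth2/token" \
    -H "Host: $API_HOST" \
    -H "Authorization: $(basic_auth_header "$1" "$2")" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=client_credentials'
}

# Same request with client_id/client_secret in the form body (post #3's way).
token_with_body_credentials() {
  curl -sS -X POST "$KONG_PROXY/myapi21/oauth2/token" \
    -H "Host: $API_HOST" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_id=$1" \
    --data-urlencode "client_secret=$2"
}

# Call the proxied API with the access token, as post #3 describes.
call_api() {
  curl -sS "$KONG_PROXY/myapi21/" -H "Host: $API_HOST" -H "Authorization: Bearer $1"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  # 1. Create the API (curl -d sends application/x-www-form-urlencoded by default)
  api=$(curl -sS -X POST "$KONG_ADMIN/apis/" \
    -d "name=myapi21&hosts=$API_HOST&upstream_url=http://kong:8080/mypath")
  api_id=$(json_field "$api" id)

  # 2. Enable the oauth2 plugin with the client-credentials grant. The proxy is
  #    TLS here, so accept_http_if_already_terminated is not needed.
  curl -sS -X POST "$KONG_ADMIN/apis/$api_id/plugins" \
    -d 'name=oauth2&config.enable_client_credentials=true&config.mandatory_scope=false' >/dev/null

  # 3. Create the consumer
  consumer=$(curl -sS -X POST "$KONG_ADMIN/consumers" -d 'custom_id=21&username=bobs21')
  consumer_id=$(json_field "$consumer" id)

  # 4. Register the client application; the thread notes the plugin expects a
  #    redirect_uri even though this grant never redirects. Kong generates the
  #    client_id and client_secret in its response.
  app=$(curl -sS -X POST "$KONG_ADMIN/consumers/$consumer_id/oauth2" \
    -d 'name=bobsTake21' -d 'redirect_uri=http://kong:8000/bla/bla/bla')
  client_id=$(json_field "$app" client_id)
  client_secret=$(json_field "$app" client_secret)

  # 5. Get a token (Basic auth here; token_with_body_credentials is the other
  #    form) and use it against the API
  tok=$(token_with_basic_auth "$client_id" "$client_secret")
  access=$(json_field "$tok" access_token)
  call_api "$access"
fi
```

Run it as `RUN_LIVE=1 KONG_ADMIN=http://kong:8001 KONG_PROXY=https://kong:8443 sh flow.sh` once the gateway is reachable; without RUN_LIVE it only defines the functions, which is enough to check that the Basic header and the JSON extraction come out as expected.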


#4

Hi, thanks for that.

The reason for preferring to use ‘http’ rather than ‘https’ on the simple POC is to do with firewall access issues. But I take your point; I need to fix that first and then, as you suggest, I’ll re-try using https.

Many thanks for your help.


#5

I know this was a little while ago, but I came across this post looking to do the exact same thing and figured it out so I wanted to reply. I’m doing some local testing with the OAuth2 plugin and didn’t need to set up SSL for that. To get it to work, I added my local IP(s) to the trusted_ips setting in kong.conf and then when I sent the request specified the X-Forwarded-Proto as https. Of course, I also have accept_http_if_already_terminated set to true and it appears to be working. I am at least able to get a token using the password grant flow.
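Why the trusted_ips step in the post above matters, as an added example that is not Kong's code: a small shell model of the acceptance rule the setup relies on. A plain-http request carrying `X-Forwarded-Proto: https` should only count as TLS-terminated when it arrives from an address listed in kong.conf `trusted_ips` (the addresses Kong trusts to send correct X-Forwarded-* headers); from any other client the header is just user input, and honouring it would let anyone bypass the https requirement. Kong's real decision is made by its nginx real_ip handling and the plugin; the functions here reproduce only the policy as the thread describes it, and they match exact addresses plus the "trust all" values rather than parsing CIDR blocks (a simplification, not the real setting's behaviour).

```shell
#!/bin/sh
# Added example, not Kong's code: a model of the rule post #5's setup depends
# on. A plain-http request with "X-Forwarded-Proto: https" counts as TLS-
# terminated only when it comes from an address in kong.conf trusted_ips;
# otherwise the header is untrusted client input and is ignored.
set -eu

# ip_trusted CLIENT_IP TRUSTED_LIST : TRUSTED_LIST is comma separated, as in
# kong.conf (e.g. "127.0.0.1,10.0.0.0/8"). Exact addresses match; 0.0.0.0/0 and
# ::/0 mean "trust everyone". Other CIDR blocks are not parsed here
# (simplification of the real setting).
ip_trusted() {
  ip=$1
  for entry in $(printf '%s' "$2" | tr ',' ' '); do
    case "$entry" in
      "$ip"|0.0.0.0/0|::/0) return 0 ;;
    esac
  done
  return 1
}

# effective_scheme WIRE_SCHEME FORWARDED_PROTO CLIENT_IP TRUSTED_LIST
# The forwarded header is honoured only when the sender is a trusted proxy.
effective_scheme() {
  if [ "$1" = "https" ]; then
    echo https
  elif [ -n "$2" ] && ip_trusted "$3" "$4"; then
    echo "$2"
  else
    echo "$1"
  fi
}

# token_request_allowed WIRE_SCHEME FORWARDED_PROTO CLIENT_IP TRUSTED_LIST ACCEPT_HTTP_TERMINATED
# Prints allow or deny for the oauth2 token endpoint: https is always fine;
# http is fine only when a trusted proxy reports it terminated TLS and the
# plugin has config.accept_http_if_already_terminated=true.
token_request_allowed() {
  if [ "$1" = "https" ]; then
    echo allow
  elif [ "$(effective_scheme "$1" "$2" "$3" "$4")" = "https" ] && [ "$5" = "true" ]; then
    echo allow
  else
    echo deny
  fi
}

# Walk through the cases from the thread (constructed addresses):
#   header set but no trusted_ips configured             -> deny
#   post #5: the local sender listed in trusted_ips       -> allow
#   an outside client setting the header itself          -> deny
#   plain https, no forwarding involved                  -> allow
token_request_allowed http  https 127.0.0.1   ''                     true
token_request_allowed http  https 127.0.0.1   '127.0.0.1,10.0.0.0/8' true
token_request_allowed http  https 203.0.113.9 '127.0.0.1,10.0.0.0/8' true
token_request_allowed https ''    203.0.113.9 ''                     false
```

The practical reading: keep `trusted_ips` to the proxy or loopback addresses that really terminate TLS in front of Kong, and check that a client outside that list sending its own `X-Forwarded-Proto: https` still gets refused at the token endpoint.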