
I am trying to use kong-oidc with Keycloak 19.0.3 to secure my app, and this is my Dockerfile:

FROM kong/kong:2.7.0

ENV OIDC_PLUGIN_VERSION=1.2.3-2
ENV GIT_VERSION=2.24.4-r0
ENV UNZIP_VERSION=6.0-r7
ENV LUAROCKS_VERSION=2.4.4-r1
# JWT_PLUGIN_VERSION is referenced below but never set here; it has to be
# supplied (ENV or --build-arg) or the pack/install step for that plugin fails.

USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc

# Build kong-oidc from the pinned tag and install the packed rock
RUN git clone --branch v1.2.3-2 https://github.com/revomatico/kong-oidc.git
WORKDIR /kong-oidc
RUN luarocks make

RUN luarocks pack kong-oidc ${OIDC_PLUGIN_VERSION} \
     && luarocks install kong-oidc-${OIDC_PLUGIN_VERSION}.all.rock

# Same for the jwt-keycloak plugin fork
WORKDIR /
RUN git clone --branch 20200505-access-token-processing https://github.com/BGaunitz/kong-plugin-jwt-keycloak.git
WORKDIR /kong-plugin-jwt-keycloak
RUN luarocks make

RUN luarocks pack kong-plugin-jwt-keycloak ${JWT_PLUGIN_VERSION} \
     && luarocks install kong-plugin-jwt-keycloak-${JWT_PLUGIN_VERSION}.all.rock

USER kong

I configured it by passing the client ID, the client secret and the discovery endpoint.


When I visit the configured route in Kong I get redirected to Keycloak to authenticate, and after successful auth I get redirected back to my app, but when I check the headers I find no X-Userinfo, only the session cookie. Am I missing something?

I am using nginx as the app to test in my case.

2 Answers


  1. You won't see those request headers in the request from your browser to Kong but in the upstream request from Kong to your service. The OIDC plugin will inject them.

    One note about the jwt-keycloak plugin: you have to change its priority, e.g. to

    ENV JWT_KEYCLOAK_PRIORITY="900"
    

    Otherwise it will be executed before the OIDC plugin but you want to have it afterwards.

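To check what the first answer describes, the headers on the upstream request rather than on the browser's response, it helps to replace the nginx test app with something that echoes what it receives. The following is an added example and is not code from the question, from the answers, or from the kong-oidc or jwt-keycloak projects. It assumes kong-oidc sets X-Userinfo and X-Id-Token as base64-encoded JSON and X-Access-Token as the raw JWT (verify against the plugin version you built), and the sample headers at the bottom are constructed, not captured from a real Kong.

```python
"""Echo upstream for inspecting what kong-oidc injects into the upstream request.

Added example, not part of the question or of the kong-oidc project.
Assumed header names/encodings (verify against the plugin you built):
  X-Userinfo, X-Id-Token : base64-encoded JSON
  X-Access-Token         : raw JWT
Point the Kong service at this server instead of nginx and open the route
in a browser; the response body shows every header Kong forwarded.
"""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def _b64url_decode(data):
    # Accept standard or URL-safe base64, padded or not.
    data = data.strip().replace("-", "+").replace("_", "/")
    return base64.b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_oidc_headers(headers):
    """Decode the OIDC headers present in a request (header names are case-insensitive).

    Each field is None when its header is absent, so "plugin never ran"
    (only a session cookie arrived) is distinguishable from "ran, but empty".
    """
    lower = {k.lower(): v for k, v in headers.items()}
    out = {"userinfo": None, "id_token_claims": None, "access_token_claims": None}
    if "x-userinfo" in lower:
        out["userinfo"] = json.loads(_b64url_decode(lower["x-userinfo"]))
    if "x-id-token" in lower:
        out["id_token_claims"] = json.loads(_b64url_decode(lower["x-id-token"]))
    if "x-access-token" in lower:
        parts = lower["x-access-token"].split(".")
        if len(parts) == 3:
            # Payload only; the signature is NOT verified here. This is a
            # debugging view, never an authorization decision.
            out["access_token_claims"] = json.loads(_b64url_decode(parts[1]))
    return out


def oidc_ran(headers):
    """True only if kong-oidc injected an identity; a bare session cookie does not count."""
    return decode_oidc_headers(headers)["userinfo"] is not None


def realm_roles(headers):
    """Realm roles carried by the forwarded access token, [] if none were forwarded."""
    claims = decode_oidc_headers(headers)["access_token_claims"] or {}
    return claims.get("realm_access", {}).get("roles", [])


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        raw = dict(self.headers)
        body = json.dumps({"raw_headers": raw, "decoded": decode_oidc_headers(raw)}, indent=2)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())

    do_POST = do_GET


# Constructed sample of an upstream request after kong-oidc ran (not a real capture).
_FAKE_JWT = ".".join([
    _b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url_encode(json.dumps({
        "iss": "http://localhost:8080/realms/kong",
        "preferred_username": "user1",
        "realm_access": {"roles": ["user"]},
    }).encode()),
    "signature-not-checked-here",
])
SAMPLE_UPSTREAM_HEADERS = {
    "Host": "httpbin2.local",
    "Cookie": "session=0123456789abcdef",
    "X-Userinfo": base64.b64encode(
        json.dumps({"sub": "c0ffee", "preferred_username": "user1"}).encode()).decode(),
    "X-Access-Token": _FAKE_JWT,
}
# What the browser gets back carries only the session cookie, so oidc_ran() is False there.
SAMPLE_BROWSER_HEADERS = {"Cookie": "session=0123456789abcdef"}

if __name__ == "__main__":
    print(json.dumps(decode_oidc_headers(SAMPLE_UPSTREAM_HEADERS), indent=2))
    HTTPServer(("0.0.0.0", 8081), EchoHandler).serve_forever()
```

Run it on the same network as Kong, set the service's upstream URL to this server's port 8081, and hit the route in a browser after logging in. If `decoded.userinfo` is null in the JSON body while the request still carries the session cookie, the OIDC plugin did not inject anything for that request, which is what to look at next (plugin order and priority, as the answer above notes) rather than the browser's own response headers.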
  2. I’m using https://github.com/revomatico/kong-oidc for OIDC and https://github.com/hanfi/kong-plugin-jwt-keycloak for JWT.
    I enabled both plugins with the required scope set to ‘user’.
    When I get an access token and connect to the service with:

    #!/bin/bash
    
    auth_url='http://localhost:8080'
    realm_name='kong'
    client_id='kong_client'
    client_secret='CEkLLq8qhWvHhccWxk5LSirfWM0hkcDm'
    username='user1'
    password='123abc'
    url='http://localhost:8000/httpbin2'
    # Resource Owner Password Credentials grant against Keycloak's token endpoint
    token=$(curl -s -X POST \
        "${auth_url}/realms/${realm_name}/protocol/openid-connect/token" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "client_id=${client_id}" \
        -d "client_secret=${client_secret}" \
        -d "username=${username}" \
        -d "password=${password}" \
        -d "grant_type=password" | jq -r '.access_token')
    # Call the Kong route with the access token as a bearer token
    curl -s -H "Authorization: Bearer ${token}" "${url}"
    

    the connection authenticates successfully with scope ‘user’.
    But when I visit the configured route in Kong with a browser I get redirected to Keycloak to authenticate, and after successful auth I get this error:

    {"message":"Unauthorized"}

    Is this error caused by the cookie?
