mogui / kong-external-oauth
A Kong plugin that lets you use an external OAuth 2.0 provider to protect your API
License: Apache License 2.0
@mogui
We have installed the plugin inside a docker container. After that we are trying to run the newly installed docker image and get the issue below. Please help to get this resolved. Thanks in advance!!
Getting the below issue while running:
lugins/external-oauth/access.lua:20: module 'crypto' not found:No LuaRocks module found for crypto
no field package.preload['crypto']
no file './crypto.lua'
no file './crypto/init.lua'
no file '/usr/local/openresty/site/lualib/crypto.ljbc'
no file '/usr/local/openresty/site/lualib/crypto/init.ljbc'
no file '/usr/local/openresty/lualib/crypto.ljbc'
no file '/usr/local/openresty/lualib/crypto/init.ljbc'
no file '/usr/local/openresty/site/lualib/crypto.lua'
no file '/usr/local/openresty/site/lualib/crypto/init.lua'
no file '/usr/local/openresty/lualib/crypto.lua'
no file '/usr/local/openresty/lualib/crypto/init.lua'
no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/crypto.lua'
no file '/usr/local/share/lua/5.1/crypto.lua'
no file '/usr/local/share/lua/5.1/crypto/init.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/crypto.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/crypto/init.lua'
no file '/root/.luarocks/share/lua/5.1/crypto.lua'
no file '/root/.luarocks/share/lua/5.1/crypto/init.lua'
no file '/usr/local/openresty/site/lualib/crypto.so'
no file '/usr/local/openresty/lualib/crypto.so'
no file './crypto.so'
no file '/usr/local/lib/lua/5.1/crypto.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/crypto.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/root/.luarocks/lib/lua/5.1/crypto.so'
stack traceback:
[C]: in function 'error'
/usr/local/share/lua/5.1/kong/tools/utils.lua:576: in function 'load_module_if_exists'
/usr/local/share/lua/5.1/kong/init.lua:122: in function 'load_plugins'
/usr/local/share/lua/5.1/kong/init.lua:204: in function 'init'
init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/tools/utils.lua:576: ...cal/share/lua/5.1/kong/plugins/external-oauth/access.lua:20: module 'crypto' not found:No LuaRocks module found for crypto
no field package.preload['crypto']
no file './crypto.lua'
no file './crypto/init.lua'
As you were correctly writing here, I do think that the idea that kong is making an additional (and blocking) http request every time I'm accessing an API is overkill, thus storing the thing in a cookie is definitely a better idea. Would you be willing to accept a pull request implementing that behaviour?
I just made some performance tests:
Percentage of the requests served within a certain time (ms)
50% 2
66% 3
75% 3
80% 3
90% 3
95% 3
98% 4
99% 5
100% 8 (longest request)
With the plugin:
Percentage of the requests served within a certain time (ms)
50% 61
66% 70
75% 78
80% 83
90% 118
95% 157
98% 238
99% 352
100% 455 (longest request)
The impact seems to be really noticeable and I think we could cache some things around and not compute these every single time. I'll try to look into that!
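As an added example (not the plugin's own code) of the caching idea raised above: a lua_shared_dict-backed memo of the provider lookup, keyed on a digest of the token so the raw token is never stored, with a TTL ceiling that bounds how long a revoked token is still accepted. The dictionary name oauth_cache, the validate(token) function and the fields it returns are assumptions.

```lua
-- Assumes `lua_shared_dict oauth_cache 10m;` in the nginx config (assumption)
-- and a validate(token) function that performs the blocking HTTP call to the
-- provider and returns { email = ..., expires_in = ... } or nil, err.
local resty_sha256 = require "resty.sha256"
local str = require "resty.string"

local cache = ngx.shared.oauth_cache
local MAX_TTL = 60  -- seconds; upper bound on revocation lag

local function cache_key(token)
  -- Key on a SHA-256 digest of the bearer token, not the token itself.
  local sha = resty_sha256:new()
  sha:update(token)
  return "tok:" .. str.to_hex(sha:final())
end

-- Returns email, was_cached  on success, or nil, false, err on failure.
local function cached_validate(token, validate)
  local key = cache_key(token)
  local email = cache:get(key)
  if email then
    return email, true
  end

  local info, err = validate(token)
  if not info then
    -- Failures are not cached: a transient provider error must not turn
    -- into a cached rejection for the lifetime of the TTL.
    return nil, false, err
  end

  -- Honour the provider's expiry when it is shorter than our ceiling.
  local ttl = MAX_TTL
  if info.expires_in and info.expires_in < ttl then
    ttl = info.expires_in
  end
  cache:set(key, info.email, ttl)
  return info.email, false
end

return { cached_validate = cached_validate }
```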
In handle_callback, when there is no res it tries to reference res.status, which throws the error "attempt to index local 'res' (a nil value)".
I'll be happy to PR this, but what is the appropriate response code? 500?
At the end it looks like it is trying to return a 200 (OK), but that doesn't seem correct either.
if not res then
    ngx.status = res.status
    ngx.say("failed to request: ", err)
    ngx.exit(ngx.HTTP_OK)
end
There are several other blocks inside of handle_callback that do something similar, seemingly setting an error response and then turning around to exit with a 200:
if not access_token then
    ngx.status = 500
    ngx.say(json.error_description)
    ngx.exit(ngx.HTTP_OK)
end
else
    ngx.status = ngx.HTTP_BAD_REQUEST
    ngx.say("User has denied access to the resources.")
    ngx.exit(ngx.HTTP_OK)
end
Again, I'll happily PR these, but need to know the proper return codes for each.
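As an added example (not the plugin's own code), one way to guard these paths in handle_callback: the nil case is checked before res.status is touched, provider details go to the error log instead of the client body, and, per the OpenResty documentation, ngx.exit(ngx.HTTP_OK) after ngx.status has been set ends the request with that status rather than forcing a 200. The args table and the request_token helper are assumptions; the choice of 502 for provider-side failures is a convention, not something the plugin specifies.

```lua
local function fail(status, client_msg, log_msg)
  -- Detail goes to the error log; the client only sees a generic message.
  ngx.log(ngx.ERR, "external-oauth callback: ", log_msg)
  ngx.status = status
  ngx.header["Content-Type"] = "text/plain"
  ngx.say(client_msg)
  -- ngx.exit(ngx.HTTP_OK) ends the request with the status already set in
  -- ngx.status (OpenResty's documented pattern for a custom error body).
  return ngx.exit(ngx.HTTP_OK)
end

-- args: the callback query parameters (ngx.req.get_uri_args() in practice).
-- request_token(code): hypothetical wrapper around the plugin's token request,
-- returning res, err as resty.http's request_uri does, plus the decoded body.
local function handle_callback_guarded(args, request_token)
  if args.error or not args.code then
    -- Provider redirected back without a code: user refused consent or the
    -- request was malformed, so this is a client-side 400.
    return fail(ngx.HTTP_BAD_REQUEST,
                "User has denied access to the resources.",
                "callback without code, error=" .. tostring(args.error))
  end

  local res, err, json = request_token(args.code)
  if not res then
    -- Check for nil before indexing: this is the crash reported above.
    return fail(ngx.HTTP_BAD_GATEWAY, "Token request failed.",
                "request error: " .. tostring(err))
  end
  if res.status ~= ngx.HTTP_OK then
    return fail(ngx.HTTP_BAD_GATEWAY, "Token request failed.",
                "provider returned HTTP " .. tostring(res.status))
  end
  if not json or not json.access_token then
    local detail = json and json.error_description or "no JSON body"
    return fail(ngx.HTTP_BAD_GATEWAY, "Token request failed.",
                "no access_token in response: " .. tostring(detail))
  end
  return json.access_token
end

return { handle_callback_guarded = handle_callback_guarded }
```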
I noticed that currently there is no way to utilize external oauth alongside ACL's as the ACL stuff doesn't recognize that auth has been completed. I'm still digging (deep) through the code to find a resolution, but it seems from my initial poking around that the CONSUMER_ID must be set.
I'm getting the following error after adding the plugin:
Error: /usr/local/share/lua/5.1/kong/cmd/start.lua:51: nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:170: external-oauth plugin is in use but not enabled
stack traceback:
[C]: in function 'assert'
/usr/local/share/lua/5.1/kong/init.lua:170: in function 'init'
init_by_lua:3: in main chunk
When trying to install external oauth with Lua 5.1 and latest rocks I'm getting the error "Couldn't extract archive kong-external-oauth: unrecognized filename extension"
Now I realize that this "typically" means that the extractor necessary isn't installed on the host, but I validated that I have unzip, tar, and gzip installed properly. Not really sure what is wrong here. Any thoughts?
Tail of the logs (only the important bits I hope):
os.execute: cd '/home/jdarling/luarocks-2.4.1' && test '-d' '/tmp/luarocks_external-oauth-1.0-3-bo42oU'
Results: 1
1 (number): 0
os.execute: cd '/tmp/luarocks_external-oauth-1.0-3-bo42oU' && unzip -n '/tmp/luarocks_luarocks-rock-external-oauth-1.0-3-RTLCpz/external-oauth-1.0-3.src.rock'
Archive: /tmp/luarocks_luarocks-rock-external-oauth-1.0-3-RTLCpz/external-oauth-1.0-3.src.rock
inflating: external-oauth-1.0-3.rockspec
inflating: kong-external-oauth
Results: 1
1 (number): 0
os.execute: cd '/home/jdarling/luarocks-2.4.1' && test '-d' '/tmp/luarocks_external-oauth-1.0-3-bo42oU'
Results: 1
1 (number): 0
os.execute: cd '/tmp/luarocks_external-oauth-1.0-3-bo42oU' && test '-e' 'external-oauth-1.0-3.rockspec'
Results: 1
1 (number): 0
os.execute: cd '/tmp/luarocks_external-oauth-1.0-3-bo42oU' && test '-d' '/home/jdarling/.luarocks/lib/luarocks/rocks/external-oauth/1.0-3'
Results: 1
1 (number): 256
os.execute: cd '/' && rm '-rf' '/tmp/luarocks_external-oauth-1.0-3-bo42oU'
Results: 1
1 (number): 0
os.execute: cd '/' && rm '-rf' '/tmp/luarocks_luarocks-rock-external-oauth-1.0-3-RTLCpz'
Results: 1
1 (number): 0
Does this plugin support the password grant flow?
Will this work with Kong 0.11.x? I noticed the plugin is not in the format of kong/plugins/external-oauth
I see references in your naming convention to OpenID Connect for parameters; does this plugin solve the auth flow for consumers to utilize an existing OpenID account to connect to an identity provider to validate their authorization within Kong? (I am slightly new to what OpenID Connect is, but it seems like it's an oauth+jwt combination to achieve decentralized authentication. If this is accomplishing that then that is awesome cause I need it!).
Any chance you could paste in a few of the CURLS that handle enabling this plugin on top of a consumer as well as the front end curl call examples for a dummy API call a consumer would then make? I would think you have some from your testing of it?
I read in a prior Issue it does not work with ACL? So how do you limit access on a per consumer basis? Do you have to establish multiple proxy endpoints with the plugin associated to each different proxy then?
Correspondence via email would be great if you have any time, I might be able to build upon it if needed!
Thanks!
I would have expected the X-OAUTH-email header to be set in the proxied upstream request, but it is set in the response header as far as I understand and can see via httpbin
Hello!
Good job on the plugin! We are happy to see members of the community stepping forward and publishing Kong plugins on Luarocks :)
As of now, we don't yet offer a way to advertise your plugin on https://getkong.org/plugins, but are planning to in the future. In the meantime, feel free to publish an announcement on the Kong Mailing List, as I am sure it will give you some exposure and pique the interest of some of the Kong users out there.
[ANN] Community Plugin - external-oauth 1.0
Just a suggestion :)
Best,
Thibault
Does this plugin provide functionality and flow similar to the Kong enterprise plugin "OAuth 2.0 Introspection"? Their flow seems like what I need but we won't be able to implement the enterprise version.
Thanks
Rob
We are hoping that this project for kong will continue as to support OAuth2.0 :(