kong-external-oauth's People

Contributors

eldemirus, jdarling, meghprkh, mogui

kong-external-oauth's Issues

Getting error while installing and running in docker container and also in kong binary

@mogui
We have installed the plugin inside a docker container. After that we are trying to run the newly installed docker image and are getting the issue below. Please help to get this resolved. Thanks in advance!!

  1. First we run the Kong container.
  2. Clone your plugin into the running Kong docker container.
  3. Install using `luarocks install external-oauth` inside the docker container. Logs after installation inside the container:

     / # luarocks install external-oauth
     Warning: The directory '/root/.cache/luarocks' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing /usr/local/bin/luarocks with sudo, you may want sudo's -H flag.
     Warning: falling back to curl - install luasec to get native HTTPS support
     Installing https://luarocks.org/external-oauth-1.1-5.src.rock
     external-oauth 1.1-5 is now installed in /usr/local (license: Apache 2.0)

  4. Save the container with a new image name.
  5. Run the newly created image with env (-e "KONG_PLUGINS=external-oauth").

Getting below issue while running.

lugins/external-oauth/access.lua:20: module 'crypto' not found:No LuaRocks module found for crypto
no field package.preload['crypto']
no file './crypto.lua'
no file './crypto/init.lua'
no file '/usr/local/openresty/site/lualib/crypto.ljbc'
no file '/usr/local/openresty/site/lualib/crypto/init.ljbc'
no file '/usr/local/openresty/lualib/crypto.ljbc'
no file '/usr/local/openresty/lualib/crypto/init.ljbc'
no file '/usr/local/openresty/site/lualib/crypto.lua'
no file '/usr/local/openresty/site/lualib/crypto/init.lua'
no file '/usr/local/openresty/lualib/crypto.lua'
no file '/usr/local/openresty/lualib/crypto/init.lua'
no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/crypto.lua'
no file '/usr/local/share/lua/5.1/crypto.lua'
no file '/usr/local/share/lua/5.1/crypto/init.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/crypto.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/crypto/init.lua'
no file '/root/.luarocks/share/lua/5.1/crypto.lua'
no file '/root/.luarocks/share/lua/5.1/crypto/init.lua'
no file '/usr/local/openresty/site/lualib/crypto.so'
no file '/usr/local/openresty/lualib/crypto.so'
no file './crypto.so'
no file '/usr/local/lib/lua/5.1/crypto.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/crypto.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/root/.luarocks/lib/lua/5.1/crypto.so'
stack traceback:
[C]: in function 'error'
/usr/local/share/lua/5.1/kong/tools/utils.lua:576: in function 'load_module_if_exists'
/usr/local/share/lua/5.1/kong/init.lua:122: in function 'load_plugins'
/usr/local/share/lua/5.1/kong/init.lua:204: in function 'init'
init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/tools/utils.lua:576: ...cal/share/lua/5.1/kong/plugins/external-oauth/access.lua:20: module 'crypto' not found:No LuaRocks module found for crypto
no field package.preload['crypto']
no file './crypto.lua'
no file './crypto/init.lua'

Do not call userinfo endpoint every time

As you correctly wrote here, I do think that the idea that Kong is making an additional (and blocking) HTTP request every time I'm accessing an API is overkill, thus storing the thing in a cookie is definitely a better idea. Would you be willing to accept a pull request implementing that behaviour?

Big overhead

I just made some performance tests:

Percentage of the requests served within a certain time (ms)
  50%      2
  66%      3
  75%      3
  80%      3
  90%      3
  95%      3
  98%      4
  99%      5
 100%      8 (longest request)

With the plugin:

Percentage of the requests served within a certain time (ms)
  50%     61
  66%     70
  75%     78
  80%     83
  90%    118
  95%    157
  98%    238
  99%    352
 100%    455 (longest request)

The impact seems to be really noticeable and I think we could cache some things around and not compute these every single time. I'll try to look into that!
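The two issues above ("Do not call userinfo endpoint every time" and "Big overhead") both come down to the same thing: the access phase blocks on a userinfo round trip for every proxied request. The added example below, which is not code from the plugin or its authors, shows the cookie approach done safely: the userinfo result is carried in an HMAC-signed cookie with an expiry, so the access phase verifies a signature locally and only falls back to the userinfo request when there is no valid session. It assumes the OpenResty/Kong runtime (`ngx.*`, `cjson`, LuaJIT `bit`); `conf.cookie_secret`, `conf.session_ttl`, the cookie name `EOAuthSession` and the `fetch_userinfo` callback are hypothetical names standing in for the plugin's own config and userinfo call.

```lua
-- Added example, not the plugin's code. Reuse a signed, expiring session
-- cookie instead of calling the userinfo endpoint on every request.
-- Assumes OpenResty (ngx.* API), cjson and LuaJIT's bit library.
local cjson = require "cjson.safe"
local bit   = require "bit"

local COOKIE_NAME = "EOAuthSession"   -- hypothetical cookie name

-- Constant-time comparison: a forged signature must not be guessable
-- byte by byte from timing differences.
local function secure_equal(a, b)
  if #a ~= #b then return false end
  local diff = 0
  for i = 1, #a do
    diff = bit.bor(diff, bit.bxor(a:byte(i), b:byte(i)))
  end
  return diff == 0
end

local function sign(secret, payload)
  return ngx.encode_base64(ngx.hmac_sha1(secret, payload))
end

-- Cookie value layout: base64(json claims) .. "." .. base64(hmac).
-- Only the fields the proxy actually needs go in; never the access token,
-- because the HMAC gives integrity, not confidentiality.
local function make_session_cookie(secret, userinfo, ttl)
  local payload = ngx.encode_base64(cjson.encode({
    sub   = userinfo.sub,
    email = userinfo.email,
    exp   = ngx.time() + ttl,
  }))
  return payload .. "." .. sign(secret, payload)
end

-- Verify the signature before trusting anything in the payload, then the expiry.
-- Returns the claims table, or nil and a reason.
local function verify_session_cookie(secret, value)
  if type(value) ~= "string" then return nil, "missing" end
  local payload, sig = value:match("^([^.]+)%.([^.]+)$")
  if not payload then return nil, "malformed" end
  if not secure_equal(sign(secret, payload), sig) then return nil, "bad signature" end
  local json   = ngx.decode_base64(payload)
  local claims = json and cjson.decode(json)
  if type(claims) ~= "table" then return nil, "malformed" end
  if type(claims.exp) ~= "number" or claims.exp <= ngx.time() then return nil, "expired" end
  return claims
end

-- Access phase: a valid session short-circuits the userinfo request.
-- `fetch_userinfo(conf)` stands in for the plugin's existing blocking call
-- and is assumed to return a table or nil, err.
local function access(conf, fetch_userinfo)
  local claims, why = verify_session_cookie(conf.cookie_secret, ngx.var["cookie_" .. COOKIE_NAME])
  if claims then
    return claims
  end
  ngx.log(ngx.DEBUG, "no usable session cookie: ", why)

  local userinfo, err = fetch_userinfo(conf)
  if not userinfo then
    ngx.log(ngx.ERR, "userinfo request failed: ", err)
    ngx.status = ngx.HTTP_UNAUTHORIZED
    ngx.say("userinfo request failed")
    return ngx.exit(ngx.HTTP_OK)
  end

  ngx.header["Set-Cookie"] = COOKIE_NAME .. "="
    .. make_session_cookie(conf.cookie_secret, userinfo, conf.session_ttl)
    .. "; Path=/; HttpOnly; Secure; SameSite=Lax"
  return userinfo
end

return {
  access                = access,
  make_session_cookie   = make_session_cookie,
  verify_session_cookie = verify_session_cookie,
}
```

Two caveats a reviewer would raise on the cookie design: the session TTL should not outlive the access token it was derived from (otherwise revocation at the provider is invisible to the gateway until the cookie expires), and if anything sensitive must be carried, encrypt it rather than only signing it. A server-side alternative with the same effect is an `ngx.shared` dictionary keyed by a SHA-256 of the bearer token (never the raw token) with the same TTL bound.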

handle_callback invalid reference to res

In handle_callback when there is no res it tries to reference res.status, this throws an error "attempt to index local 'res' (a nil value)"

I'll be happy to PR this, but what is the appropriate response code? 500?

At the end it looks like it is trying to return a 200 (OK), but that doesn't seem correct either.

        if not res then
            ngx.status = res.status
            ngx.say("failed to request: ", err)
            ngx.exit(ngx.HTTP_OK)
        end

There are several other blocks inside of handle_callback that do similar, seemingly setting an error response to turn around and exit with a 200:

        if not access_token then
            ngx.status = 500
            ngx.say(json.error_description)
            ngx.exit(ngx.HTTP_OK)
        end
    else
        ngx.status = ngx.HTTP_BAD_REQUEST
        ngx.say("User has denied access to the resources.")
        ngx.exit(ngx.HTTP_OK)
    end

Again, I'll happily PR these, but need to know the proper return codes for each.
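Two separate things are tangled in the report above. The nil dereference is a real bug: when `request_uri` fails there is no response object, so `res.status` cannot be read. The `ngx.status = ...; ngx.say(...); ngx.exit(ngx.HTTP_OK)` pattern, on the other hand, is the documented OpenResty idiom: `ngx.exit(ngx.HTTP_OK)` finishes the request with whatever status was already set, it does not turn the response into a 200. The added example below, which is not the plugin's code, shows the failure branches of a callback handler written with that in mind: transport failures and bad token-endpoint answers become 502 (the gateway could not get a valid response upstream), a provider-reported denial becomes 403, and a callback with neither `code` nor `error` becomes 400. It assumes the OpenResty `ngx` API and lua-resty-http's `request_uri`; `conf.token_url`, `conf.redirect_uri`, `conf.client_id`, `conf.client_secret` and `conf.timeout_ms` are hypothetical config field names.

```lua
-- Added example, not the plugin's code. Failure handling for an OAuth
-- callback: never index a nil response, and use the status that describes
-- the failure. Assumes OpenResty and lua-resty-http.
local http  = require "resty.http"
local cjson = require "cjson.safe"

-- End the request with `status` and a short body. Detail goes to the error
-- log only; the client sees a generic message.
local function fail(status, msg, log_detail)
  if log_detail then ngx.log(ngx.ERR, msg, ": ", log_detail) end
  ngx.status = status
  ngx.say(msg)
  return ngx.exit(ngx.HTTP_OK)   -- documented idiom: keeps the status set above
end

local function handle_callback(conf)
  local args = ngx.req.get_uri_args()

  -- The provider reports denial (or any other failure) in the `error` parameter.
  if args.error then
    return fail(ngx.HTTP_FORBIDDEN, "User has denied access to the resources.", args.error)
  end
  if type(args.code) ~= "string" or args.code == "" then
    return fail(ngx.HTTP_BAD_REQUEST, "missing authorization code")
  end

  local httpc = http.new()
  httpc:set_timeout(conf.timeout_ms or 5000)
  local res, err = httpc:request_uri(conf.token_url, {
    method  = "POST",
    body    = ngx.encode_args({
      grant_type    = "authorization_code",
      code          = args.code,
      redirect_uri  = conf.redirect_uri,
      client_id     = conf.client_id,
      client_secret = conf.client_secret,
    }),
    headers    = { ["Content-Type"] = "application/x-www-form-urlencoded" },
    ssl_verify = true,   -- the token endpoint's certificate must be validated
  })

  -- Transport failure: `res` is nil and only `err` is set. There is no upstream
  -- status to copy, so report a gateway error instead of reading res.status.
  if not res then
    return fail(ngx.HTTP_BAD_GATEWAY, "failed to request token endpoint", err)
  end
  if res.status ~= 200 then
    return fail(ngx.HTTP_BAD_GATEWAY, "token endpoint returned an error",
                tostring(res.status) .. " " .. (res.body or ""))
  end

  local json = cjson.decode(res.body)
  if type(json) ~= "table" or type(json.access_token) ~= "string" then
    return fail(ngx.HTTP_BAD_GATEWAY, "token endpoint returned no access token",
                json and json.error_description)
  end
  return json.access_token
end

return { handle_callback = handle_callback, fail = fail }
```

Note that the provider's `error_description` is logged, not echoed to the client: it is attacker-influenceable text (the provider URL and its responses are outside the gateway's trust boundary), and reflecting it into an HTML-less `ngx.say` body is harmless only as long as the content type stays plain text.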

Doesn't work with ACLs

I noticed that currently there is no way to utilize external oauth alongside ACLs, as the ACL plugin doesn't recognize that auth has been completed. I'm still digging (deep) through the code to find a resolution, but it seems from my initial poking around that the CONSUMER_ID must be set.

Cannot start Kong after adding the plugin

I'm getting the following error after adding the plugin:

Error: /usr/local/share/lua/5.1/kong/cmd/start.lua:51: nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:170: external-oauth plugin is in use but not enabled
stack traceback:
	[C]: in function 'assert'
	/usr/local/share/lua/5.1/kong/init.lua:170: in function 'init'
	init_by_lua:3: in main chunk

Couldn't extract archive kong-external-oauth: unrecognized filename extension

When trying to install external oauth with Lua 5.1 and latest rocks I'm getting the error "Couldn't extract archive kong-external-oauth: unrecognized filename extension"

Now I realize that this "typically" means that the extractor necessary isn't installed on the host, but I validated that I have unzip, tar, and gzip installed properly. Not really sure what is wrong here. Any thoughts?

Tail of the logs (only the important bits I hope):

os.execute: 	cd '/home/jdarling/luarocks-2.4.1' && test '-d' '/tmp/luarocks_external-oauth-1.0-3-bo42oU'
Results: 1
  1 (number): 0

os.execute: 	cd '/tmp/luarocks_external-oauth-1.0-3-bo42oU' && unzip -n '/tmp/luarocks_luarocks-rock-external-oauth-1.0-3-RTLCpz/external-oauth-1.0-3.src.rock'
Archive:  /tmp/luarocks_luarocks-rock-external-oauth-1.0-3-RTLCpz/external-oauth-1.0-3.src.rock
  inflating: external-oauth-1.0-3.rockspec  
  inflating: kong-external-oauth     
Results: 1
  1 (number): 0

os.execute: 	cd '/home/jdarling/luarocks-2.4.1' && test '-d' '/tmp/luarocks_external-oauth-1.0-3-bo42oU'
Results: 1
  1 (number): 0

os.execute: 	cd '/tmp/luarocks_external-oauth-1.0-3-bo42oU' && test '-e' 'external-oauth-1.0-3.rockspec'
Results: 1
  1 (number): 0

os.execute: 	cd '/tmp/luarocks_external-oauth-1.0-3-bo42oU' && test '-d' '/home/jdarling/.luarocks/lib/luarocks/rocks/external-oauth/1.0-3'
Results: 1
  1 (number): 256

os.execute: 	cd '/' && rm '-rf' '/tmp/luarocks_external-oauth-1.0-3-bo42oU'
Results: 1
  1 (number): 0

os.execute: 	cd '/' && rm '-rf' '/tmp/luarocks_luarocks-rock-external-oauth-1.0-3-RTLCpz'
Results: 1
  1 (number): 0

Questions the documentation lacks to mention.

  1. Will this work with Kong 0.11.x? I noticed the plugin is not in the format of kong/plugins/external-oauth.

  2. I see references in your naming convention to OpenID Connect for parameters; does this plugin solve the auth flow for consumers to utilize an existing OpenID account to connect to an identity provider to validate their authorization within Kong? (I am slightly new to what OpenID Connect is, but it seems like it's an OAuth+JWT combination to achieve decentralized authentication. If this is accomplishing that then that is awesome, cause I need it!)

  3. Any chance you could paste in a few of the curl calls that handle enabling this plugin on top of a consumer, as well as the front-end curl call examples for a dummy API call a consumer would then make? I would think you have some from your testing of it?

  4. I read in a prior issue it does not work with ACLs? So how do you limit access on a per-consumer basis? Do you have to establish multiple proxy endpoints with the plugin associated to each different proxy then?

Correspondence via email would be great if you have any time, I might be able to build upon it if needed!
[email protected]

Thanks!

Announce plugin on mailing list

Hello!

Good job on the plugin! We are happy to see members of the community stepping forward and publishing Kong plugins on Luarocks :)

As of now, we don't yet offer you a way to advertise your plugin on https://getkong.org/plugins, but are planning to in the future. In the meantime, feel free to publish an announcement on the Kong Mailing List, as I am sure it will give you some exposure and pique the interest of some of the Kong users out there.

[ANN] Community Plugin - external-oauth 1.0

Just a suggestion :)

Best,
Thibault

Flow similar to Kong's OAuth 2.0 Introspection?

Does this plugin provide functionality and flow similar to the Kong Enterprise plugin "OAuth 2.0 Introspection"? Their flow seems like what I need, but we won't be able to implement the enterprise version.

Thanks
Rob
