revomatico / docker-kong-oidc
Kong + OIDC plugins
License: Apache License 2.0
Hello all,
I am desperately trying to use the image with POSTGRES. Here is my docker-compose:
kong:
  image: docker-kong-oidc:2.3.3-2
  user: "${KONG_USER:-kong}"
  depends_on:
    - kong-db
  environment:
    - KONG_LOG_LEVEL=info
    - KONG_ADMIN_ACCESS_LOG=/dev/stdout
    - KONG_ADMIN_ERROR_LOG=/dev/stderr
    - KONG_ADMIN_GUI_ACCESS_LOG=/dev/stdout
    - KONG_ADMIN_GUI_ERROR_LOG=/dev/stderr
    - KONG_PORTAL_API_ACCESS_LOG=/dev/stdout
    - KONG_PORTAL_API_ERROR_LOG=/dev/stderr
    - KONG_PROXY_ACCESS_LOG=/dev/stdout
    - KONG_PROXY_ERROR_LOG=/dev/stderr
    - KONG_ANONYMOUS_REPORTS=false
    - KONG_CLUSTER_LISTEN=off
    - 'KONG_LUA_PACKAGE_PATH=/opt/?.lua;/opt/?/init.lua;;'
    - KONG_NGINX_WORKER_PROCESSES=1
    - 'KONG_PLUGINS=bundled,oidc'
    - 'KONG_ADMIN_LISTEN=0.0.0.0:8001'
    - 'KONG_PROXY_LISTEN=0.0.0.0:8000, 0.0.0.0:8443 http2 ssl'
    - 'KONG_STATUS_LISTEN=0.0.0.0:8100'
    - KONG_NGINX_DAEMON=off
    - 'KONG_X_SESSION_MEMCACHE_PORT=''1234'''
    - KONG_X_SESSION_COMPRESSOR=zlib
    - KONG_DATABASE=postgres
    - KONG_PG_DATABASE=${KONG_PG_DATABASE:-kong}
    - KONG_PG_HOST=kong-db
    - KONG_PG_USER=${KONG_PG_USER:-kong}
    - KONG_PG_PASSWORD_FILE=/run/secrets/kong_postgres_password
  secrets:
    - kong_postgres_password
  networks:
    - kong-net
  ports:
    - "8000:8000/tcp"
    - "127.0.0.1:8001:8001/tcp"
    - "8443:8443/tcp"
    - "127.0.0.1:8444:8444/tcp"
  healthcheck:
    test: ["CMD", "kong", "health"]
    interval: 10s
    timeout: 10s
    retries: 10
  restart: on-failure
  deploy:
    restart_policy:
      condition: on-failure
And here is the output I got from my kong-oidc container on start:
kong_1 | 2021/04/09 14:42:49 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: New migrations available; run 'kong migrations up' to proceed
kong_1 | stack traceback:
kong_1 | [C]: in function 'error'
kong_1 | /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: in function 'check_state'
kong_1 | /usr/local/share/lua/5.1/kong/init.lua:456: in function 'init'
kong_1 | init_by_lua:3: in main chunk
kong_1 | nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: New migrations available; run 'kong migrations up' to proceed
kong_1 | stack traceback:
kong_1 | [C]: in function 'error'
kong_1 | /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: in function 'check_state'
kong_1 | /usr/local/share/lua/5.1/kong/init.lua:456: in function 'init'
kong_1 | init_by_lua:3: in main chunk
compose_kong_1 exited with code 1
I tried to use the image in db-less mode and it works fine.
I also have in my docker-compose.yml services for migrations:
kong-migrations:
  image: "${KONG_DOCKER_TAG:-kong:latest}"
  command: kong migrations bootstrap
  depends_on:
    - kong-db
  environment:
    KONG_DATABASE: postgres
    KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
    KONG_PG_HOST: kong-db
    KONG_PG_USER: ${KONG_PG_USER:-kong}
    KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
  secrets:
    - kong_postgres_password
  networks:
    - kong-net
  restart: on-failure
  deploy:
    restart_policy:
      condition: on-failure
kong-migrations-up:
  image: "${KONG_DOCKER_TAG:-kong:latest}"
  command: kong migrations up && kong migrations finish
  depends_on:
    - kong-db
  environment:
    KONG_DATABASE: postgres
    KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
    KONG_PG_HOST: kong-db
    KONG_PG_USER: ${KONG_PG_USER:-kong}
    KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
  secrets:
    - kong_postgres_password
  networks:
    - kong-net
  restart: on-failure
  deploy:
    restart_policy:
      condition: on-failure
I have cleaned my POSTGRES volume and down/up many times, but I still got the same results.
I would also like to point out that using the standard version of Kong works fine:
  image: "${KONG_DOCKER_TAG:-kong:latest}"
  user: "${KONG_USER:-kong}"
  depends_on:
    - kong-db
  environment:
    KONG_ADMIN_ACCESS_LOG: /dev/stdout
    KONG_ADMIN_ERROR_LOG: /dev/stderr
    KONG_ADMIN_LISTEN: '0.0.0.0:8001'
    KONG_DATABASE: postgres
    KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
    KONG_PG_HOST: kong-db
    KONG_PG_USER: ${KONG_PG_USER:-kong}
    KONG_PROXY_ACCESS_LOG: /dev/stdout
    KONG_PROXY_ERROR_LOG: /dev/stderr
    KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
  secrets:
    - kong_postgres_password
  networks:
    - kong-net
  ports:
    - "8000:8000/tcp"
    - "127.0.0.1:8001:8001/tcp"
    - "8443:8443/tcp"
    - "127.0.0.1:8444:8444/tcp"
  healthcheck:
    test: ["CMD", "kong", "health"]
    interval: 10s
    timeout: 10s
    retries: 10
  restart: on-failure
  deploy:
    restart_policy:
      condition: on-failure
Thanks for your help
I'm running into an issue where a session created on one realm is not restricted from accessing resources on a different realm for which the session should not be valid.
I've set up Kong routes aligning with two Keycloak realms like so:
/realm1/app/
/realm2/app/
Each realm has its own OIDC client with unique keys / name / client secret. I then add the related kong-oidc to each route.
Accessing /realm1/app I'm redirected properly to the realm1 login, and similarly for realm2. However, if I'm logged into realm1 with an active session, I can still access /realm2/app. Looking at the app logs, the active session when accessing realm2 is still for realm1.
Am I missing some crucial setting?
When I start docker-kong-oidc in db less mode - admin api cannot be accessed on http://localhost:8001.
However this works with official kong image.
Hi Team,
My existing Kong installation is done using the helm chart kong/kong v2.16.5, along with the docker-kong-oidc:3.1.1 image.
I tried to do a helm upgrade with the new 3.2.1 image and I found out that the base image for docker-kong-oidc has been upgraded from kong/kong:3.1.1-alpine to kong/kong-gateway:3.2.1.0-alpine. This has caused my existing Kong deployment to fail. I tried to connect to the admin endpoint and I get the following error:
Error: reading Kong version: making HTTP request: Get "https://kong-kong-admin.<namespace>:8444/": connection error: COMPRESSION_ERROR
Any reason behind this change of base image from kong/kong to kong/kong-gateway?
Thanks!
Hello, thanks for taking the time to put this together. I am unable to get kong pods to startup when I introduce multiple custom plugins. (KONG-PLUGINS=bundle,oidc,kong-http-to-https-redirect)
Firstly, I followed this tutorial by extending the kong:1.0.3-centos Dockerfile, and things looked great until I introduced those custom plugins in the settings. I played around with them and noticed the following:
Here are my system specs:
- Kubernetes 1.13.3
- Kubespray offering on baremetal
- Kong version 1.0.3
- All nodes run centos7 kernel version 4.20
- Docker 18.09
kong-kong-7b769fd584-2f7mr 0/1 Init:0/1 0 6h31m
kong-kong-7b769fd584-cf9wz 0/1 Init:0/1 0 6h31m
kong-kong-init-migrations-f827m 0/1 Completed 0 6h31m
kong-kong-pre-upgrade-migrations-7cx2p 0/1 Completed 0 7h11m
Any help would be highly appreciated.
Thanks
We are trying the OIDC plugin through Kong and filled in some configuration such as client ID, client secret, discovery, etc.
After applying the plugin, when we hit an API URL that is under the plugin, it shows "no authorization header found".
Can anyone help us out? Your guidance would be very helpful for me.
Thanks in advance
With v2.0.5-3, the directory "/usr/local/kong" gives a permission denied error when the container is used in a Kubernetes cluster. Checking (and changing) the permissions of that directory resolved the problem with containers not starting in Kubernetes.
Hi Team,
Kong revomatico oidc plugin is not able to resolve the discovery url for keycloak.
I have deployed kong revomatico oidc plugin and keycloak in kubernetes cluster.
configuration.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
  #namespace: core
config:
  client_id: ${oidc_client_id}
  client_secret: ${oidc_client_secret}
  scope: openid
  realm: kong
  discovery: http://keycloak-discovery.core.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration
plugin: oidc
issue:
accessing discovery url (http://keycloak-discovery.core.svc.cluster.local:8080/auth/realms/SCORE_DEV/protocol/openid-connect/auth) failed: [cosocket] DNS resolution failed: dns server error: 3 name error.
Can I run this Kong image without setting up memcache or shm, and just use the default KONG_X_SESSION_STORAGE=cookie settings?
Got this error when redirected back after successfully logged in from Keycloak.
openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 172.18.0.1, server: kong, request: "GET /cb?state=8c3eae03d96abf7ce7b9f91d0229fce2&session_state=0a7a489c-b5ba-4aeb-8f6b-52dc7481b596&code=d4eba5ac-ab77-4b5a-b7f4-b18efd9ac708.0a7a489c-b5ba-4aeb-8f6b-52dc7481b596.18885a48-8ea5-4d78-8eae-9fc2478fb0e5 HTTP/1.1", host: "localhost:18000"
OP: Keycloak.
-e KONG_X_SESSION_SECRET=Q211IzIwMTc=
-e KONG_X_SESSION_NAME=oidc_session \
kong-oidc session_secret set to Q211IzIwMTc=
Hello!
The problem is that in the Dockerfile from every version, the url that uses kong-oidc-<version>.rockspec is pointing towards revomatico/kong-oidc master branch, causing download failures.
For example: (revomatico/docker-kong-oidc version 2.4.1-1 -> KONG_OIDC_VER=1.2.3-1)
Dockerfile: https://raw.githubusercontent.com/revomatico/docker-kong-oidc/2.4.1-1/Dockerfile
On line 39, it tries to download from this URL:
https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec
This URL will transform with the env-var substitution into:
https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-1.2.3-1.rockspec
The issue is that, on the master branch of revomatico/kong-oidc, there is no kong-oidc-1.2.3-1.rockspec, because it has been updated and now is kong-oidc-1.2.3-2.rockspec
The solution will be to modify every dockerfile to point to the correct url of the revomatico/kong-oidc version. In this case, the correct url would be:
https://raw.githubusercontent.com/revomatico/kong-oidc/v${KONG_OIDC_VER}/kong-oidc-${KONG_OIDC_VER}.rockspec
Hope it helps!
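The branch-versus-tag mismatch described in this issue can be caught by a lint step before a build breaks. The script below is an added example, not code from the repository; the function names (`branch_pinned_urls`, `tag_pinned_form`, `check_dockerfile`) and the sample Dockerfile lines are constructed for illustration, and the rewrite assumes tags are named `v<version>` as the issue proposes.

```shell
#!/bin/sh
# Added example: lint a Dockerfile for raw.githubusercontent.com downloads that
# take a versioned file from a moving branch (the failure described above).

# Constructed sample, modelled on the download lines quoted on this page.
sample_dockerfile() {
cat <<'EOF'
ENV KONG_OIDC_VER="1.2.3-1" NGX_DISTRIBUTED_SHM_VER="1.0.2"
RUN curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > dshm.lua \
 && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc.rockspec
EOF
}

# Read a Dockerfile on stdin and print "LINE_NO URL" for every
# raw.githubusercontent.com URL whose ref (the path segment after owner/repo)
# is a branch name rather than a tag, commit or version variable.
branch_pinned_urls() {
    grep -noE 'https://raw\.githubusercontent\.com/[^[:space:]|>"]+' |
    awk '{
        n = index($0, ":")            # grep -n prefixes each match with "LINE:"
        line = substr($0, 1, n - 1)
        url = substr($0, n + 1)
        split(url, p, "/")            # p[4]=owner, p[5]=repo, p[6]=ref
        if (p[6] == "master" || p[6] == "main" || p[6] == "HEAD")
            print line, url
    }'
}

# Read one URL per line on stdin and rewrite a branch ref to the tag form the
# issue proposes: v${VAR}, where ${VAR} is the version variable already used in
# the file name. URLs without such a variable pass through unchanged.
tag_pinned_form() {
    sed -E 's#^(https://raw\.githubusercontent\.com/[^/]+/[^/]+)/(master|main|HEAD)/(.*)(\$\{[A-Za-z_][A-Za-z0-9_]*\})(.*)$#\1/v\4/\3\4\5#'
}

# Read a Dockerfile on stdin, report each finding with its suggested pinned
# form, and return 1 if anything was found so the function can gate a CI job.
check_dockerfile() {
    findings=$(branch_pinned_urls)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | while read -r line url; do
        printf 'line %s: %s\n  pin to: %s\n' "$line" "$url" \
            "$(printf '%s\n' "$url" | tag_pinned_form)"
    done
    return 1
}

# Demo on the constructed sample; "|| true" keeps the script's exit status 0.
sample_dockerfile | check_dockerfile || true
```

A tag can still be moved by the repository owner, so pinning to a commit SHA and verifying a checksum of the downloaded file is the stronger form of the same fix.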
Hi, is there documentation that I can refer to for a proper setup and usage?
Hello Team,
I was trying to implement the service to service call via plugin authentication.
I expect the plugin will use client_credential grant flow and get me a bearer token which I will use to call the required service. There should not be any user interaction in authentication process. It should be with client id & secret only.
Do you know if plugin supports this behaviour? If yes, can you please help me configure it?
Hi,
When I try to use build.sh I get a 404 in curl, then build fails, as the following file does not exist.
https://raw.githubusercontent.com/Revomatico/kong-oidc/master/kong-oidc-1.1.0-1.rockspec
I want an image with bitnami/kong:3.3.0 combined with oidc. Could you help me?
Here's the Dockerfile that I'm running. (Only difference should be the kong.yml COPY command and the session_secret.)
FROM kong/kong:2.5.1
USER root
LABEL authors="Rami Abusereya <[email protected]>,Cristian Chiru <[email protected]>"
ENV PACKAGES="openssl-devel kernel-headers gcc git openssh" \
LUA_BASE_DIR="/usr/local/share/lua/5.1" \
KONG_OIDC_VER="1.2.3-2" \
LUA_RESTY_OIDC_VER="1.7.4-1" \
KONG_PLUGIN_SESSION_VER="2.4.5" \
NGX_DISTRIBUTED_SHM_VER="1.0.2"
COPY kong.yml /
RUN set -ex \
&& apk --no-cache add \
libssl1.1 \
openssl \
curl \
unzip \
git \
&& apk --no-cache add --virtual .build-dependencies \
make \
gcc \
openssl-dev \
\
## Install plugins
# Download ngx-distributed-shm dshm library
&& curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > ${LUA_BASE_DIR}/resty/dshm.lua \
# Remove old lua-resty-session and dependent kong-plugin-session
&& luarocks remove --force kong-plugin-session \
&& luarocks remove --force lua-resty-session \
# Add Pluggable Compressors dependencies
&& luarocks install lua-ffi-zlib \
&& luarocks install penlight \
# Build kong-plugin-session
&& curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/${KONG_PLUGIN_SESSION_VER}/kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec | tee kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
&& luarocks build kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
# Build kong-oidc from forked repo because is not keeping up with lua-resty-openidc
&& curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc-${KONG_OIDC_VER}.rockspec | \
sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_OIDC_VER}.rockspec \
&& luarocks build kong-oidc-${KONG_OIDC_VER}.rockspec \
# Patch nginx_kong.lua for kong-oidc session_secret
&& TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua \
# May cause side effects when using another nginx under this kong, unless set to the same value
&& sed -i "/server_name kong;/a\ \n\
set_decode_base64 \$session_secret \${{X_SESSION_SECRET}};\n" "$TPL" \
# Patch nginx_kong.lua to set dictionaries
&& sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \n\
variables_hash_max_size 2048;\n\
lua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\n\
lua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\n\
lua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n\
> if x_session_storage == "shm" then\n\
lua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n\
> end\n\
' "$TPL" \
# Patch nginx_kong.lua to add for memcached sessions
&& sed -i "/server_name kong;/a\ \n\
## Session:
set \$session_storage \${{X_SESSION_STORAGE}};\n\
set \$session_name \${{X_SESSION_NAME}};\n\
set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
## Session: Memcached specific
set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
## Session: DHSM specific
set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
## Session: SHM Specific
set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
" "$TPL" \
# Patch kong_defaults.lua to add custom variables that are replaced dynamically in the template above when kong is started
&& TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua \
&& sed -i "/\]\]/i\ \n\
x_session_storage = cookie\n\
x_session_name = oidc_session\n\
x_session_compressor = 'none'\n\
x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\
\n\
x_session_memcache_prefix = oidc_sessions\n\
x_session_memcache_connect_timeout = '1000'\n\
x_session_memcache_send_timeout = '1000'\n\
x_session_memcache_read_timeout = '1000'\n\
x_session_memcache_host = memcached\n\
x_session_memcache_port = '11211'\n\
x_session_memcache_uselocking = 'off'\n\
x_session_memcache_spinlockwait = '150'\n\
x_session_memcache_maxlockwait = '30'\n\
x_session_memcache_pool_timeout = '1000'\n\
x_session_memcache_pool_size = '10'\n\
\n\
x_session_dshm_region = oidc_sessions\n\
x_session_dshm_connect_timeout = '1000'\n\
x_session_dshm_send_timeout = '1000'\n\
x_session_dshm_read_timeout = '1000'\n\
x_session_dshm_host = hazelcast\n\
x_session_dshm_port = '4321'\n\
x_session_dshm_pool_name = oidc_sessions\n\
x_session_dshm_pool_timeout = '1000'\n\
x_session_dshm_pool_size = '10'\n\
x_session_dshm_pool_backlog = '10'\n\
\n\
x_session_shm_store_size = 5m\n\
x_session_shm_store = oidc_sessions\n\
x_session_shm_uselocking = off\n\
x_session_shm_lock_exptime = '30'\n\
x_session_shm_lock_timeout = '5'\n\
x_session_shm_lock_step = '0.001'\n\
x_session_shm_lock_ratio = '2'\n\
x_session_shm_lock_max_step = '0.5'\n\
\n\
x_oidc_cache_discovery_size = 128k\n\
x_oidc_cache_jwks_size = 128k\n\
x_oidc_cache_introspection_size = 128k\n\
\n\
" "$TPL" \
## Cleanup
&& rm -fr *.rock* \
&& apk del .build-dependencies 2>/dev/null \
## Create kong and working directory (https://github.com/Kong/kong/issues/2690)
&& mkdir -p /usr/local/kong \
&& chown -R kong:`id -gn kong` /usr/local/kong
USER kong
And the associated kong.yml is
_format_version: "1.1"
services:
- connect_timeout: 10000
host: echoserver
name: echoserver
port: 80
protocol: http
read_timeout: 5000
retries: 2
write_timeout: 5000
routes:
- hosts:
- echoserver:80
# id: 9c5c298c-1452-4c65-8d65-dcb1a4b4ea68
# path_handling: v0
# preserve_host: false
protocols:
- http
- https
# regex_priority: 0
# strip_path: true
# https_redirect_status_code: 426
plugins:
- name: oidc
config:
#access_token_header_as_bearer: "no"
access_token_header_name: X-Access-Token
bearer_only: "yes"
client_id: someconsumer
client_secret: somesecret
disable_access_token_header: "no"
disable_id_token_header: "no"
disable_userinfo_header: "no"
discovery: http://hydra-service:9000/.well-known/openid-configuration
filters: null
groups_claim: groups
id_token_header_name: X-ID-Token
ignore_auth_filters: ""
introspection_endpoint: http://hydra-service:9001/oauth2/introspect
introspection_endpoint_auth_method: null
logout_path: /logout
realm: kong
recovery_page_path: null
redirect_after_logout_uri: /
redirect_uri: http://example.com
response_type: token
revoke_tokens_on_logout: "no"
scope: openid
session_secret: null
ssl_verify: "no"
timeout: null
token_endpoint_auth_method: client_secret_post
unauth_action: auth
userinfo_header_name: X-USERINFO
enabled: true
protocols:
# - grpc
# - grpcs
- http
- https
And here's the log for what I get on trying to build this.
docker build -t kong-dbless kong-oidc/
[+] Building 76.6s (8/8) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 38B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/kong/kong:2.5.1 17.0s
=> [auth] kong/kong:pull token for registry-1.docker.io 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 30B 0.0s
=> [1/3] FROM docker.io/kong/kong:2.5.1@sha256:6f1ade744464ee261cc087dc63c89b47d9121111b8902f9ebbad499d2585dd15 0.0s
=> CACHED [2/3] COPY kong.yml / 0.0s
=> ERROR [3/3] RUN set -ex && apk --no-cache add libssl1.1 openssl curl unzip git && apk --no-cache 59.4s
------
> [3/3] RUN set -ex && apk --no-cache add libssl1.1 openssl curl unzip git && apk --no-cache add --virtual .build-dependencies make gcc openssl-dev && curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/1.0.2/lua/dshm.lua > /usr/local/share/lua/5.1/resty/dshm.lua && luarocks remove --force kong-plugin-session && luarocks remove --force lua-resty-session && luarocks install lua-ffi-zlib && luarocks install penlight && curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/2.4.5/kong-plugin-session-2.4.5-1.rockspec | tee kong-plugin-session-2.4.5-1.rockspec && luarocks build kong-plugin-session-2.4.5-1.rockspec && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-1.2.3-2.rockspec | tee kong-oidc-1.2.3-2.rockspec | sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^"]+/\1 1.7.4-1/" > kong-oidc-1.2.3-2.rockspec && luarocks build kong-oidc-1.2.3-2.rockspec && TPL=/usr/local/share/lua/5.1/kong/templates/nginx_kong.lua && sed -i "/server_name kong;/a\ \nset_decode_base64 $session_secret ${{X_SESSION_SECRET}};\n" "$TPL" && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \nvariables_hash_max_size 2048;\nlua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\nlua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\nlua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n> if x_session_storage == "shm" then\nlua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n> end\n' "$TPL" && sed -i "/server_name kong;/a\ \n set $session_storage ${{X_SESSION_STORAGE}};\n set $session_name ${{X_SESSION_NAME}};\n set $session_compressor ${{X_SESSION_COMPRESSOR}};\n set $session_memcache_connect_timeout ${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n set $session_memcache_send_timeout ${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n set $session_memcache_read_timeout ${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n set $session_memcache_prefix ${{X_SESSION_MEMCACHE_PREFIX}};\n set 
$session_memcache_host ${{X_SESSION_MEMCACHE_HOST}};\n set $session_memcache_port ${{X_SESSION_MEMCACHE_PORT}};\n set $session_memcache_uselocking ${{X_SESSION_MEMCACHE_USELOCKING}};\n set $session_memcache_spinlockwait ${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n set $session_memcache_maxlockwait ${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n set $session_memcache_pool_timeout ${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n set $session_memcache_pool_size ${{X_SESSION_MEMCACHE_POOL_SIZE}};\n set $session_dshm_region ${{X_SESSION_DSHM_REGION}};\n set $session_dshm_connect_timeout ${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n set $session_dshm_send_timeout ${{X_SESSION_DSHM_SEND_TIMEOUT}};\n set $session_dshm_read_timeout ${{X_SESSION_DSHM_READ_TIMEOUT}};\n set $session_dshm_host ${{X_SESSION_DSHM_HOST}};\n set $session_dshm_port ${{X_SESSION_DSHM_PORT}};\n set $session_dshm_pool_name ${{X_SESSION_DSHM_POOL_NAME}};\n set $session_dshm_pool_timeout ${{X_SESSION_DSHM_POOL_TIMEOUT}};\n set $session_dshm_pool_size ${{X_SESSION_DSHM_POOL_SIZE}};\n set $session_dshm_pool_backlog ${{X_SESSION_DSHM_POOL_BACKLOG}};\n set $session_shm_store ${{X_SESSION_SHM_STORE}};\n set $session_shm_uselocking ${{X_SESSION_SHM_USELOCKING}};\n set $session_shm_lock_exptime ${{X_SESSION_SHM_LOCK_EXPTIME}};\n set $session_shm_lock_timeout ${{X_SESSION_SHM_LOCK_TIMEOUT}};\n set $session_shm_lock_step ${{X_SESSION_SHM_LOCK_STEP}};\n set $session_shm_lock_ratio ${{X_SESSION_SHM_LOCK_RATIO}};\n set $session_shm_lock_max_step ${{X_SESSION_SHM_LOCK_MAX_STEP}};\n" "$TPL" && TPL=/usr/local/share/lua/5.1/kong/templates/kong_defaults.lua && sed -i "/\]\]/i\ \nx_session_storage = cookie\nx_session_name = oidc_session\nx_session_compressor = 'none'\nx_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\nx_session_memcache_prefix = oidc_sessions\nx_session_memcache_connect_timeout = '1000'\nx_session_memcache_send_timeout = '1000'\nx_session_memcache_read_timeout = '1000'\nx_session_memcache_host = memcached\nx_session_memcache_port = 
'11211'\nx_session_memcache_uselocking = 'off'\nx_session_memcache_spinlockwait = '150'\nx_session_memcache_maxlockwait = '30'\nx_session_memcache_pool_timeout = '1000'\nx_session_memcache_pool_size = '10'\n\nx_session_dshm_region = oidc_sessions\nx_session_dshm_connect_timeout = '1000'\nx_session_dshm_send_timeout = '1000'\nx_session_dshm_read_timeout = '1000'\nx_session_dshm_host = hazelcast\nx_session_dshm_port = '4321'\nx_session_dshm_pool_name = oidc_sessions\nx_session_dshm_pool_timeout = '1000'\nx_session_dshm_pool_size = '10'\nx_session_dshm_pool_backlog = '10'\n\nx_session_shm_store_size = 5m\nx_session_shm_store = oidc_sessions\nx_session_shm_uselocking = off\nx_session_shm_lock_exptime = '30'\nx_session_shm_lock_timeout = '5'\nx_session_shm_lock_step = '0.001'\nx_session_shm_lock_ratio = '2'\nx_session_shm_lock_max_step = '0.5'\n\nx_oidc_cache_discovery_size = 128k\nx_oidc_cache_jwks_size = 128k\nx_oidc_cache_introspection_size = 128k\n\n" "$TPL" && rm -fr *.rock* && apk del .build-dependencies 2>/dev/null && mkdir -p /usr/local/kong && chown -R kong:`id -gn kong` /usr/local/kong:
#8 0.228 + apk --no-cache add libssl1.1 openssl curl unzip git
#8 0.235 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
#8 1.263 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
#8 3.137 (1/1) Installing curl (7.79.1-r0)
#8 3.324 Executing busybox-1.33.1-r3.trigger
#8 3.329 OK: 66 MiB in 41 packages
#8 3.361 + apk --no-cache add --virtual .build-dependencies make gcc openssl-dev
#8 3.366 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
#8 4.301 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
#8 6.371 (1/12) Installing make (4.3-r0)
#8 6.533 (2/12) Installing binutils (2.35.2-r2)
#8 9.357 (3/12) Installing libgomp (10.3.1_git20210424-r2)
#8 9.541 (4/12) Installing libatomic (10.3.1_git20210424-r2)
#8 9.582 (5/12) Installing libgphobos (10.3.1_git20210424-r2)
#8 11.85 (6/12) Installing gmp (6.2.1-r0)
#8 12.14 (7/12) Installing isl22 (0.22-r0)
#8 12.97 (8/12) Installing mpfr4 (4.1.0-r0)
#8 15.55 (9/12) Installing mpc1 (1.2.1-r0)
#8 15.64 (10/12) Installing gcc (10.3.1_git20210424-r2)
#8 53.86 (11/12) Installing openssl-dev (1.1.1l-r0)
#8 54.19 (12/12) Installing .build-dependencies (20211115.060117)
#8 54.19 Executing busybox-1.33.1-r3.trigger
#8 54.20 OK: 177 MiB in 53 packages
#8 54.23 + curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/1.0.2/lua/dshm.lua
------
executor failed running [/bin/sh -c set -ex && apk --no-cache add libssl1.1 openssl curl unzip git && apk --no-cache add --virtual .build-dependencies make gcc openssl-dev && curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > ${LUA_BASE_DIR}/resty/dshm.lua && luarocks remove --force kong-plugin-session && luarocks remove --force lua-resty-session && luarocks install lua-ffi-zlib && luarocks install penlight && curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/${KONG_PLUGIN_SESSION_VER}/kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec | tee kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec && luarocks build kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc-${KONG_OIDC_VER}.rockspec | sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_OIDC_VER}.rockspec && luarocks build kong-oidc-${KONG_OIDC_VER}.rockspec && TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua && sed -i "/server_name kong;/a\ \nset_decode_base64 \$session_secret \${{X_SESSION_SECRET}};\n" "$TPL" && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \nvariables_hash_max_size 2048;\nlua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\nlua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\nlua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n> if x_session_storage == "shm" then\nlua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n> end\n' "$TPL" && sed -i "/server_name kong;/a\ \n set \$session_storage \${{X_SESSION_STORAGE}};\n set \$session_name \${{X_SESSION_NAME}};\n set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n set \$session_memcache_send_timeout 
\${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n" "$TPL" && TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua && sed -i "/\]\]/i\ \nx_session_storage = cookie\nx_session_name = oidc_session\nx_session_compressor = 'none'\nx_session_secret = 
'c29tZV9iYXNlNjRfc3RyaW5n'\n\nx_session_memcache_prefix = oidc_sessions\nx_session_memcache_connect_timeout = '1000'\nx_session_memcache_send_timeout = '1000'\nx_session_memcache_read_timeout = '1000'\nx_session_memcache_host = memcached\nx_session_memcache_port = '11211'\nx_session_memcache_uselocking = 'off'\nx_session_memcache_spinlockwait = '150'\nx_session_memcache_maxlockwait = '30'\nx_session_memcache_pool_timeout = '1000'\nx_session_memcache_pool_size = '10'\n\nx_session_dshm_region = oidc_sessions\nx_session_dshm_connect_timeout = '1000'\nx_session_dshm_send_timeout = '1000'\nx_session_dshm_read_timeout = '1000'\nx_session_dshm_host = hazelcast\nx_session_dshm_port = '4321'\nx_session_dshm_pool_name = oidc_sessions\nx_session_dshm_pool_timeout = '1000'\nx_session_dshm_pool_size = '10'\nx_session_dshm_pool_backlog = '10'\n\nx_session_shm_store_size = 5m\nx_session_shm_store = oidc_sessions\nx_session_shm_uselocking = off\nx_session_shm_lock_exptime = '30'\nx_session_shm_lock_timeout = '5'\nx_session_shm_lock_step = '0.001'\nx_session_shm_lock_ratio = '2'\nx_session_shm_lock_max_step = '0.5'\n\nx_oidc_cache_discovery_size = 128k\nx_oidc_cache_jwks_size = 128k\nx_oidc_cache_introspection_size = 128k\n\n" "$TPL" && rm -fr *.rock* && apk del .build-dependencies 2>/dev/null && mkdir -p /usr/local/kong && chown -R kong:`id -gn kong` /usr/local/kong]: exit code: 6
I have enabled the OIDC nokia/kong-oidc plugin globally for one of the APIs with the configuration below.
Deployment environment openshift v3.11.51
image:
repository: revomatico/docker-kong-oidc
tag: "2.0.4-1"
Deployed using Helm 3
{
"created_at": 1589024458,
"config": {
"response_type": "code",
"introspection_endpoint": "https://sso:8443/auth/realms/davis/protocol/openid-connect/token/introspect",
"timeout": null,
"redirect_uri": null,
"logout_path": "/logout",
"filters": null,
"disable_access_token_header": "no",
"bearer_only": "yes",
"access_token_header_as_bearer": "yes",
"access_token_header_name": "X-Access-Token",
"disable_id_token_header": "no",
"ssl_verify": "no",
"session_secret": null,
"introspection_endpoint_auth_method": null,
"groups_claim": "groups",
"realm": "davis",
"redirect_after_logout_uri": "/",
"scope": "openid",
"token_endpoint_auth_method": "client_secret_post",
"client_secret": "515b87e1-9a0d-41ca-8e6e-ed7e65d65e59",
"client_id": "kong",
"userinfo_header_name": "X-USERINFO",
"revoke_tokens_on_logout": "no",
"discovery": "https://sso:8443/auth/realms/davis/.well-known/openid-configuration",
"ignore_auth_filters": "",
"disable_userinfo_header": "no",
"id_token_header_name": "X-ID-Token",
"recovery_page_path": null,
"unauth_action": "auth"
},
"id": "de08422d-7497-4b4a-bc38-9f45397b94a3",
"service": null,
"enabled": true,
"protocols": [
"grpc",
"grpcs",
"http",
"https"
],
"name": "oidc",
"consumer": null,
"route": null,
"tags": null
}
However, I am always getting WWW-Authenticate Bearer realm="kong",error="invalid token"
Is there any suggestion to fix the issue?
I am going to build a web application to call Kong with kong-oidc to run the authorization code grant flow and then access the upstream API. However, there is no login_redirect_uri. After running the authorization code grant flow, the request cannot redirect back to the browser and a 400 Bad Request error results.
Will you consider adding the setting login_redirect_uri to solve this problem? Thanks.
I see that there's a bunch of configuration options in the image for memcached, shm, dshm, ... but nothing for Redis - at least not in the docs. How do I use this with Redis?
The #31 needs a fix:
@@ -28,7 +28,7 @@ RUN set -ex \
&& luarocks install penlight \
# Build kong-oidc from forked repo because is not keeping up with lua-resty-openidc
&& curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/v${KONG_PLUGIN_OIDC_VER}/kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec | tee kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec | \
- sed -E -e 's/(tag =)[^,]+/\1 "v${KONG_PLUGIN_OIDC_VER}"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec \
+ sed -E -e 's/(tag =)[^,]+/\1 '"v${KONG_PLUGIN_OIDC_VER}"'/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec \
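Review bot: In the `+` line the first sed expression closes its single quote before `"v${KONG_PLUGIN_OIDC_VER}"`, so the shell expands the variable but also strips those double quotes, and the rockspec ends up with an unquoted `tag = v1.2.4-4`. Lua then reads `v1` as an identifier and fails on `.2.4`, which is consistent with the `malformed number near '.2.4'` error reported below. The replacement has to keep literal double quotes around the tag while still letting the shell expand the variable, for example `-e "s/(tag =)[^,]+/\1 \"v${KONG_PLUGIN_OIDC_VER}\"/"`, the same escaping the second expression already uses in `[^\"]+`. Separately, `tee kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec | sed ... > kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec` has two writers on the same file; dropping the `tee` and letting only sed's redirect write it would remove that race.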
After that I get the following error:
+ luarocks build kong-oidc-1.2.4-4.rockspec
Error: Could not load rockspec file /kong-oidc-1.2.4-4.rockspec (Error loading file: [string "/kong-oidc-1.2.4-4.rockspec"]:5: malformed number near '.2.4')
Removing intermediate container a95ba560de9c
I stopped searching for a fix and moved back to the latest release.
Regards
Thorsten
Hello, first of all, thank you for all the effort. I've been using this image for a couple of months now. Everything works great regarding OIDC, but day by day services and routes are increasing and I wanted to enable the Kong Manager UI. From what I gathered from the Kong documentation, setting this variable should be enough, but I have had no luck accessing the Kong Manager.
echo "-e 'KONG_ADMIN_GUI_PATH=/manager' \
'KONG_ADMIN_GUI_URL=http://localhost:8002/manager' \
kong reload exit" | docker exec -i KONG_CONTAINER_ID /bin/sh
Any idea how I can accomplish this using this image?
Thanks again
Hi there,
Can we integrate a Django REST API in Kong gateway?
Thanks
/kong-oidc-1.2.1-1.rockspec: Mandatory field source is missing. (using rockspec format 1.0)
Hi, I tried using the docker file from here - Dockerfile:2.5.0
The only change I've made is adding
x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\
(this is base64 for some_base64_string)
kong.yml
_format_version: "1.1"
services:
- connect_timeout: 10000
  host: echoserver
  name: echoserver
  port: 80
  protocol: http
  read_timeout: 5000
  retries: 2
  write_timeout: 5000
  routes:
  - hosts:
    - echoserver:80
    # id: 9c5c298c-1452-4c65-8d65-dcb1a4b4ea68
    # path_handling: v0
    # preserve_host: false
    protocols:
    - http
    - https
    # regex_priority: 0
    # strip_path: true
    # https_redirect_status_code: 426
  plugins:
  - name: oidc
    config:
      access_token_header_as_bearer: "no"
      access_token_header_name: X-Access-Token
      bearer_only: "yes"
      client_id: someconsumer
      client_secret: somesecret
      disable_access_token_header: "no"
      disable_id_token_header: "no"
      disable_userinfo_header: "no"
      discovery: http://hydra-service:9000/.well-known/openid-configuration
      filters: null
      groups_claim: groups
      id_token_header_name: X-ID-Token
      ignore_auth_filters: ""
      introspection_endpoint: http://hydra-service:9001/oauth2/introspect
      introspection_endpoint_auth_method: null
      logout_path: /logout
      realm: kong
      recovery_page_path: null
      redirect_after_logout_uri: /
      redirect_uri: http://example.com
      response_type: token
      revoke_tokens_on_logout: "no"
      scope: openid
      session_secret: null
      ssl_verify: "no"
      timeout: null
      token_endpoint_auth_method: client_secret_post
      unauth_action: auth
      userinfo_header_name: X-USERINFO
    enabled: true
    protocols:
    # - grpc
    # - grpcs
    - http
    - https
The only change I've made to the docker file from master for 2.5.0 is adding
x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\
(this is base64 for some_base64_string)
Dockerfile
FROM kong/kong:2.5.0
USER root
LABEL authors="Rami Abusereya <[email protected]>,Cristian Chiru <[email protected]>"
ENV PACKAGES="openssl-devel kernel-headers gcc git openssh" \
LUA_BASE_DIR="/usr/local/share/lua/5.1" \
KONG_OIDC_VER="1.2.3-1" \
LUA_RESTY_OIDC_VER="1.7.4-1" \
KONG_PLUGIN_SESSION_VER="2.4.5" \
NGX_DISTRIBUTED_SHM_VER="1.0.2"
COPY kong.yml /
RUN set -ex \
&& apk --no-cache add \
libssl1.1 \
openssl \
curl \
unzip \
git \
&& apk --no-cache add --virtual .build-dependencies \
make \
gcc \
openssl-dev \
\
## Install plugins
# Download ngx-distributed-shm dshm library
&& curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > ${LUA_BASE_DIR}/resty/dshm.lua \
# Remove old lua-resty-session and dependent kong-plugin-session
&& luarocks remove --force kong-plugin-session \
&& luarocks remove --force lua-resty-session \
# Add Pluggable Compressors dependencies
&& luarocks install lua-ffi-zlib \
&& luarocks install penlight \
# Build kong-plugin-session
&& curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/${KONG_PLUGIN_SESSION_VER}/kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec | tee kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
&& luarocks build kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
# Build kong-oidc from forked repo because is not keeping up with lua-resty-openidc
&& curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc-${KONG_OIDC_VER}.rockspec | \
sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_OIDC_VER}.rockspec \
&& luarocks build kong-oidc-${KONG_OIDC_VER}.rockspec \
# Patch nginx_kong.lua for kong-oidc session_secret
&& TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua \
# May cause side effects when using another nginx under this kong, unless set to the same value
&& sed -i "/server_name kong;/a\ \n\
set_decode_base64 \$session_secret \${{X_SESSION_SECRET}};\n" "$TPL" \
# Patch nginx_kong.lua to set dictionaries
&& sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \n\
variables_hash_max_size 2048;\n\
lua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\n\
lua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\n\
lua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n\
> if x_session_storage == "shm" then\n\
lua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n\
> end\n\
' "$TPL" \
# Patch nginx_kong.lua to add for memcached sessions
&& sed -i "/server_name kong;/a\ \n\
## Session:
set \$session_storage \${{X_SESSION_STORAGE}};\n\
set \$session_name \${{X_SESSION_NAME}};\n\
set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
## Session: Memcached specific
set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
## Session: DHSM specific
set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
## Session: SHM Specific
set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
" "$TPL" \
# Patch kong_defaults.lua to add custom variables that are replaced dynamically in the template above when kong is started
# x_session_secret value = some_base64_string
&& TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua \
&& sed -i "/\]\]/i\ \n\
x_session_storage = cookie\n\
x_session_name = oidc_session\n\
x_session_compressor = 'none'\n\
x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\
\n\
x_session_memcache_prefix = oidc_sessions\n\
x_session_memcache_connect_timeout = '1000'\n\
x_session_memcache_send_timeout = '1000'\n\
x_session_memcache_read_timeout = '1000'\n\
x_session_memcache_host = memcached\n\
x_session_memcache_port = '11211'\n\
x_session_memcache_uselocking = 'off'\n\
x_session_memcache_spinlockwait = '150'\n\
x_session_memcache_maxlockwait = '30'\n\
x_session_memcache_pool_timeout = '1000'\n\
x_session_memcache_pool_size = '10'\n\
\n\
x_session_dshm_region = oidc_sessions\n\
x_session_dshm_connect_timeout = '1000'\n\
x_session_dshm_send_timeout = '1000'\n\
x_session_dshm_read_timeout = '1000'\n\
x_session_dshm_host = hazelcast\n\
x_session_dshm_port = '4321'\n\
x_session_dshm_pool_name = oidc_sessions\n\
x_session_dshm_pool_timeout = '1000'\n\
x_session_dshm_pool_size = '10'\n\
x_session_dshm_pool_backlog = '10'\n\
\n\
x_session_shm_store_size = 5m\n\
x_session_shm_store = oidc_sessions\n\
x_session_shm_uselocking = off\n\
x_session_shm_lock_exptime = '30'\n\
x_session_shm_lock_timeout = '5'\n\
x_session_shm_lock_step = '0.001'\n\
x_session_shm_lock_ratio = '2'\n\
x_session_shm_lock_max_step = '0.5'\n\
\n\
x_oidc_cache_discovery_size = 128k\n\
x_oidc_cache_jwks_size = 128k\n\
x_oidc_cache_introspection_size = 128k\n\
\n\
" "$TPL" \
## Cleanup
&& rm -fr *.rock* \
&& apk del .build-dependencies 2>/dev/null \
## Create kong and working directory (https://github.com/Kong/kong/issues/2690)
&& mkdir -p /usr/local/kong \
&& chown -R kong:`id -gn kong` /usr/local/kong
USER kong
Build this image via docker build -t kong-dbless .
Now I run this with a simple yml for kubernetes
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong
  labels:
    app: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kong
  template:
    metadata:
      labels:
        app: kong
    spec:
      containers:
      - name: kong
        image: kong-dbless:latest
        imagePullPolicy: Never
        ports:
        - containerPort: 8000
        - containerPort: 8001
        - containerPort: 8443
        - containerPort: 8444
        env:
        - name: KONG_DATABASE
          value: "off"
        - name: KONG_DECLARATIVE_CONFIG
          value: kong.yml
        - name: KONG_PLUGINS
          value: "bundled,oidc"
        - name: KONG_X_SESSION_SECRET
          value: c29tZV9iYXNlNjRfc3RyaW5n
        - name: KONG_X_SESSION_NAME
          value: oidc_session
---
# Service
apiVersion: v1
kind: Service
metadata:
  name: kong-service
spec:
  selector:
    app: kong
  ports:
  - protocol: TCP
    port: 8000
    targetPort: 8000
    name: publicapi
  - protocol: TCP
    port: 8001
    targetPort: 8001
    name: adminapi
  - protocol: TCP
    port: 8443
    targetPort: 8443
    name: securepublicapi
  - protocol: TCP
    port: 8444
    targetPort: 8444
    name: secureadminapi
Logs give me.
2021/08/18 15:02:56 [warn] 1#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/kong/nginx.conf:6
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/kong/nginx.conf:6
2021/08/18 15:02:57 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:525: error parsing declarative config file kong.yml:
in 'services':
- in entry 1 of 'services':
in 'plugins':
- in entry 1 of 'plugins':
in 'config':
in 'access_token_header_as_bearer': unknown field
stack traceback:
[C]: in function 'error'
/usr/local/share/lua/5.1/kong/init.lua:525: in function 'init'
init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:525: error parsing declarative config file kong.yml:
in 'services':
- in entry 1 of 'services':
in 'plugins':
- in entry 1 of 'plugins':
in 'config':
in 'access_token_header_as_bearer': unknown field
stack traceback:
[C]: in function 'error'
/usr/local/share/lua/5.1/kong/init.lua:525: in function 'init'
init_by_lua:3: in main chunk
Which, based on this seems to me that the plugin is not installed.
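The post above carries the Dockerfile's sample `x_session_secret` over into the Deployment's `KONG_X_SESSION_SECRET`. As an added example (not part of the original post or the project's code), this Python script scans deployment text for that setting and flags the published sample value, non-base64 values and short secrets; the 32-byte minimum, the function names and the sample manifest are assumptions made here.

```python
"""Audit session-secret settings in Kong deployment text (added example)."""
import base64
import binascii
import re
import secrets

# Sample value published in the post above; it decodes to b"some_base64_string".
PLACEHOLDER_B64 = "c29tZV9iYXNlNjRfc3RyaW5n"
# Assumption for this example: require at least 32 random bytes.
MIN_SECRET_BYTES = 32

# Spellings seen on this page:
#   KONG_X_SESSION_SECRET=<v>    (compose list / env file)
#   KONG_X_SESSION_SECRET: <v>   (compose map)
#   x_session_secret = '<v>'     (kong_defaults.lua patch in the Dockerfile)
INLINE_RE = re.compile(
    r"""\b(?:KONG_)?X_SESSION_SECRET\s*[=:]\s*['"]?([^\s'"]+)""", re.IGNORECASE
)
# Kubernetes container env: "- name: KONG_X_SESSION_SECRET" then "value: <v>".
K8S_RE = re.compile(
    r"""name:\s*KONG_X_SESSION_SECRET\s+value:\s*['"]?([^\s'"]+)"""
)


def classify(value):
    """Return 'placeholder', 'not-base64', 'too-short' or 'ok' for one value."""
    if value == PLACEHOLDER_B64:
        return "placeholder"
    try:
        # The image passes the value through set_decode_base64, so it must decode.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if len(raw) < MIN_SECRET_BYTES:
        return "too-short"
    return "ok"


def audit(text):
    """Return sorted (line_number, value, verdict) for every setting found."""
    findings = []
    for pattern in (INLINE_RE, K8S_RE):
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start(1)) + 1
            value = match.group(1)
            findings.append((line_no, value, classify(value)))
    return sorted(findings)


def generate_secret():
    """Return a fresh base64 secret that passes classify()."""
    return base64.b64encode(secrets.token_bytes(MIN_SECRET_BYTES)).decode("ascii")


# Constructed sample, modelled on the manifests in the post above.
SAMPLE = "\n".join([
    "env:",
    "  - name: KONG_PLUGINS",
    '    value: "bundled,oidc"',
    "  - name: KONG_X_SESSION_SECRET",
    "    value: c29tZV9iYXNlNjRfc3RyaW5n",
    "environment:",
    "  - KONG_X_SESSION_SECRET=c2hvcnQ=",
    "x_session_secret = 'not*base64'",
])

if __name__ == "__main__":
    for line_no, value, verdict in audit(SAMPLE):
        print(f"line {line_no}: {verdict:12} {value}")
    print("replacement:", generate_secret())
```

A non-zero number of `placeholder` or `too-short` findings can be used to fail a CI job before the image or manifest is deployed.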
For example, if I try to override the value of x_session_memcache_port by setting the env var KONG_X_SESSION_MEMCACHE_PORT=8778
Kong init fails with the following error:
2021/03/09 15:46:17 [debug] 1#0: [lua] globalpatches.lua:10: installing the globalpatches
2021/03/09 15:46:17 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:440: x_session_memcache_port is not a string: '8778'
stack traceback:
[C]: in function 'assert'
/usr/local/share/lua/5.1/kong/init.lua:440: in function 'init'
init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:440: x_session_memcache_port is not a string: '8778'
stack traceback:
[C]: in function 'assert'
/usr/local/share/lua/5.1/kong/init.lua:440: in function 'init'
init_by_lua:3: in main chunk
I got the same error as in this comment: 33
Could @cristichiru take a look? Thank you!
Hello,
Thank you for the work on this plugin / project. It would be great to have more detailed documentation on the settings for Auth, Implicit and Hybrid flows. So far, I can only use the Kong Konnect documentation and I'm not sure this plugin works exactly the same.
I got this error when building and running the docker image using the included Dockerfile
Here's the stacktrace:
kong-gateway | nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/tools/utils.lua:701: error loading module 'kong.plugins.oidc.handler':
kong-gateway | /usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:1: module 'kong.plugins.base_plugin' not found:No LuaRocks module found for kong.plugins.base_plugin
kong-gateway | no field package.preload['kong.plugins.base_plugin']
kong-gateway | no file './kong/plugins/base_plugin.lua'
kong-gateway | no file './kong/plugins/base_plugin/init.lua'
kong-gateway | no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin.ljbc'
kong-gateway | no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin/init.ljbc'
kong-gateway | no file '/usr/local/openresty/lualib/kong/plugins/base_plugin.ljbc'
kong-gateway | no file '/usr/local/openresty/lualib/kong/plugins/base_plugin/init.ljbc'
kong-gateway | no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin.lua'
kong-gateway | no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin/init.lua'
kong-gateway | no file '/usr/local/openresty/lualib/kong/plugins/base_plugin.lua'
kong-gateway | no file '/usr/local/openresty/lualib/kong/plugins/base_plugin/init.lua'
kong-gateway | no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/kong/plugins/base_plugin.lua'
kong-gateway | no file '/usr/local/share/lua/5.1/kong/plugins/base_plugin.lua'
kong-gateway | no file '/usr/local/share/lua/5.1/kong/plugins/base_plugin/init.lua'
kong-gateway | no file '/usr/local/openresty/luajit/share/lua/5.1/kong/plugins/base_plugin.lua'
kong-gateway | no file '/usr/local/openresty/luajit/share/lua/5.1/kong/plugins/base_plugin/init.lua'
kong-gateway | no file '/root/.luarocks/share/lua/5.1/kong/plugins/base_plugin.lua'
kong-gateway | no file '/root/.luarocks/share/lua/5.1/kong/plugins/base_plugin/init.lua'
kong-gateway | no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin.so'
kong-gateway | no file '/usr/local/openresty/lualib/kong/plugins/base_plugin.so'
kong-gateway | no file './kong/plugins/base_plugin.so'
kong-gateway | no file '/usr/local/lib/lua/5.1/kong/plugins/base_plugin.so'
kong-gateway | no file '/usr/local/openresty/luajit/lib/lua/5.1/kong/plugins/base_plugin.so'
kong-gateway | no file '/usr/local/lib/lua/5.1/loadall.so'
kong-gateway | no file '/root/.luarocks/lib/lua/5.1/kong/plugins/base_plugin.so'
kong-gateway | no file '/usr/local/openresty/site/lualib/kong.so'
kong-gateway | no file '/usr/local/openresty/lualib/kong.so'
kong-gateway | no file './kong.so'
kong-gateway | no file '/usr/local/lib/lua/5.1/kong.so'
kong-gateway | no file '/usr/local/openresty/luajit/lib/lua/5.1/kong.so'
kong-gateway | no file '/usr/local/lib/lua/5.1/loadall.so'
kong-gateway | no file '/root/.luarocks/lib/lua/5.1/kong.so'
kong-gateway | stack traceback:
kong-gateway | [C]: in function 'require'
kong-gateway | /usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:1: in main chunk
kong-gateway | [C]: at 0xffffa21e90a8
kong-gateway | [C]: in function 'xpcall'
kong-gateway | /usr/local/share/lua/5.1/kong/tools/utils.lua:692: in function 'load_module_if_exists'
kong-gateway | /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:154: in function 'load_plugin_handler'
kong-gateway | /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:260: in function 'load_plugin'
kong-gateway | /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:312: in function 'load_plugin_schemas'
kong-gateway | /usr/local/share/lua/5.1/kong/init.lua:553: in function 'init'
kong-gateway | init_by_lua:3: in main chunk
kong-gateway | stack traceback:
kong-gateway | [C]: in function 'error'
kong-gateway | /usr/local/share/lua/5.1/kong/tools/utils.lua:701: in function 'load_module_if_exists'
kong-gateway | /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:154: in function 'load_plugin_handler'
kong-gateway | /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:260: in function 'load_plugin'
kong-gateway | /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:312: in function 'load_plugin_schemas'
kong-gateway | /usr/local/share/lua/5.1/kong/init.lua:553: in function 'init'
kong-gateway | init_by_lua:3: in main chunk
kong-gateway exited with code 1
docker-compose.yml:
version: '3'
services:
  kong-database:
    image: postgres:9.6
    container_name: kong-database
    restart: always
    networks:
      - kong-net
    environment:
      - POSTGRES_DB=kong
      - POSTGRES_USER=kong
      - POSTGRES_PASSWORD=kongpass
    ports:
      - 5432:5432
    volumes:
      - "./postgres/database:/var/lib/postgresql/data"
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "kong"]
      interval: 5s
      timeout: 5s
      retries: 5
  kong-migrations:
    # image: kong/kong-gateway:3.0.0.0-alpine
    image: kong-oidc
    container_name: kong-migrations
    restart: on-failure
    command: kong migrations bootstrap -v
    networks:
      - kong-net
    environment:
      - KONG_PG_HOST=kong-database
      - KONG_DATABASE=postgres
      - KONG_PG_USER=kong
      - KONG_PG_PASSWORD=kongpass
      - KONG_PLUGINS=bundled,oidc
    depends_on:
      kong-database:
        condition: service_healthy
  kong-gateway:
    # image: kong/kong-gateway:3.0.0.0-alpine
    image: kong-oidc
    container_name: kong-gateway
    user: root
    restart: on-failure
    networks:
      - kong-net
    environment:
      - LC_CTYPE=en_US.UTF-8
      - LC_ALL=en_US.UTF-8
      - KONG_DATABASE=postgres
      - KONG_PG_HOST=kong-database
      - KONG_PG_USER=kong
      - KONG_PG_PASSWORD=kongpass
      - KONG_PROXY_ACCESS_LOG=/dev/stdout
      - KONG_ADMIN_ACCESS_LOG=/dev/stdout
      - KONG_PROXY_ERROR_LOG=/dev/stderr
      - KONG_ADMIN_ERROR_LOG=/dev/stderr
      - KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl
      - KONG_ADMIN_GUI_URL=http://localhost:8002
      - KONG_PLUGINS=bundled,oidc
    ports:
      - 8000:8000
      - 8443:8443
      - 8001:8001
      - 8444:8444
      - 8002:8002
      - 8445:8445
      - 8003:8003
      - 8004:8004
    depends_on:
      kong-migrations:
        condition: service_started
  konga:
    image: pantsel/konga
    container_name: konga
    networks:
      - kong-net
    ports:
      - 1337:1337
    environment:
      - DB_ADAPTER=postgres
      - DB_HOST=kong-database
      - DB_PORT=5432
      - DB_DATABASE=kong
      - DB_USER=kong
      - DB_PASSWORD=kongpass
      # - NODE_ENV=production
      - NODE_ENV=development
    depends_on:
      kong-database:
        condition: service_healthy
  keycloak:
    image: quay.io/keycloak/keycloak:19.0.1
    container_name: keycloak
    command: start-dev
    networks:
      - kong-net
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KEYCLOAK_LOGLEVEL=ALL
volumes:
  postgres:
    driver: local
networks:
  kong-net:
    driver: bridge
Hi,
Summary
I have deployed the kong with oidc container v2.3.3-1 (https://github.com/revomatico/docker-kong-oidc/releases/tag/2.3.3-1) on the kubernetes in AWS. I have to integrate the keycloak with this kong. But after doing all the configuration in keycloak and creating the kong plugin entity using YAML, the request to microservice is bypassing the oidc plugin and I can directly access the service from ingress.
Steps To reproduce
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
labels:
  global: "true"
metadata:
  name: oidc
  namespace: kong
config:
  client_id: kong_api_access
  client_secret: 093c6dd1-XXXX-XXXX-XXXX-XXXXXXXXXXXX
  scope: openid
  realm: kong
  discovery: http://keycloak.abc.com/auth/realms/kong/.well-known/openid-configuration
  introspection_endpoint: http://keycloak.abc.com/auth/realms/kong/protocol/openid-connect/token/introspect
plugin: oidc

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo
  annotations:
    plugins.konghq.com: oidc
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - http:
      paths:
      - path: /echo
        backend:
          serviceName: echo
          servicePort: 80
Additional Information
curl -s --insecure https://127.0.0.1:8444/plugins/enabled
{"enabled_plugins":["grpc-web","correlation-id","pre-function","cors","rate-limiting","loggly","hmac-auth","zipkin","request-size-limiting","azure-functions","request-transformer","oauth2","response-transformer","ip-restriction","statsd","jwt","proxy-cache","basic-auth","key-auth","http-log","oidc","session","datadog","tcp-log","prometheus","post-function","ldap-auth","acl","grpc-gateway","file-log","syslog","udp-log","response-ratelimiting","aws-lambda","bot-detection","acme","request-termination"]}
Hi, I already set the environment variable KONG_X_SESSION_COMPRESSOR=zlib in my docker-compose.yml, but the cookies are still the same size, more than 5000 bytes. Are there any other parameters I need to set?
This is my docker-compose.yml
version: '3.4'
networks:
  kong-net:
volumes:
  kong-datastore:
services:
  kong-db:
    image: postgres:9.6
    volumes:
      - kong-datastore:/var/lib/postgresql/data
    networks:
      - kong-net
    ports:
      - "5432:5432"
    environment:
      POSTGRES_DB: kong
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong
  kong:
    image: revomatico/docker-kong-oidc:2.3.3-1
    volumes:
      - /data/solution/docker/kong/nginx_kong.lua:/usr/local/share/lua/5.1/kong/templates/nginx_kong.lua
      - /data/solution/www:/var/www/
    depends_on:
      - kong-db
    networks:
      - kong-net
    extra_hosts:
      - "sg.digitalgd.com.cn:172.16.0.3"
      - "ywpt.digitalgd.com.cn:172.16.16.43"
    ports:
      - "38000:8000" # Listener
      - "38001:8001" # Admin API
      - "38443:8443" # Listener (SSL)
      - "38444:8444" # Admin API (SSL)
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-db
      KONG_PG_PORT: 5432
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_PG_PASSWORD: kong
      KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 ssl
      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
      KONG_PLUGINS: bundled,oidc
      KONG_X_SESSION_COMPRESSOR: zlib
After upgrading the kong to 2.6.0 and kong ingress controller to 2.0.5 and 2.0.6, the ingress controller is giving the following error:
time="2021-12-07T09:28:24Z" level=error msg="failed to fetch KongPlugin: no KongPlugin or KongClusterPlugin was found" kongplugin_name=oidc kongplugin_namespace=default subsystem=proxy-cache-resolver
time="2021-12-07T09:28:27Z" level=error msg="failed to fetch KongPlugin: no KongPlugin or KongClusterPlugin was found" kongplugin_name=oidc kongplugin_namespace=apps subsystem=proxy-cache-resolver
time="2021-12-07T09:28:27Z" level=error msg="failed to fetch KongPlugin: no KongPlugin or KongClusterPlugin was found" kongplugin_name=oidc kongplugin_namespace=default subsystem=proxy-cache-resolver
The configuration for the OIDC plugin is:
apiVersion: configuration.konghq.com/v1
config:
  client_id: test
  client_secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  discovery: https://keycloak.abc.com/auth/realms/xxxx/.well-known/openid-configuration
  introspection_endpoint: https://keycloak.abc.com/auth/realms/xxxx/protocol/openid-connect/token/introspect
  realm: test
  scope: openid
kind: KongClusterPlugin
metadata:
  name: oidc
plugin: oidc
The env variable set in Kong:
KONG_PLUGINS: bundled,oidc
Please suggest what's wrong here.
Dear all,
we initially planned to use the https://github.com/nokia/kong-oidc plugin, but it seems to be outdated. Not sure if it even would work with Kong 2.0? What was the reason for your fork if I may ask?
I installed now your plugin https://github.com/revomatico/kong-oidc simply via luarocks in the original Kong docker image and enabled it with:
KONG_PLUGINS=bundled,oidc
I do see it in Konga and try to enable and set it up on a single route for testing.
However I'm wondering: you created this custom Docker image here, docker-kong-oidc. Do we need all steps/installations in your Dockerfile to make this plugin work? It seems to be quite a lot of modifications to the original Kong image. Or are these simply some custom modifications that you need for yourself?
thanks a lot in advance