
docker-kong-oidc's People

Contributors

cr1cr1, hanlaur, mmadoo


docker-kong-oidc's Issues

docker build failed

docker-kong-oidc version: 2.6.0-2
When I run the command:

docker build -t mykong:v1 .

By the way, I ran that command on an ARM computer.

docker-kong-oidc image used with POSTGRES: unable to start

Hello all,

I am desperately trying to use the image with POSTGRES. Here is my docker-compose:

  kong:
    image: docker-kong-oidc:2.3.3-2
    user: "${KONG_USER:-kong}"
    depends_on:
      - kong-db
    environment:
      - KONG_LOG_LEVEL=info
      - KONG_ADMIN_ACCESS_LOG=/dev/stdout
      - KONG_ADMIN_ERROR_LOG=/dev/stderr
      - KONG_ADMIN_GUI_ACCESS_LOG=/dev/stdout
      - KONG_ADMIN_GUI_ERROR_LOG=/dev/stderr
      - KONG_PORTAL_API_ACCESS_LOG=/dev/stdout
      - KONG_PORTAL_API_ERROR_LOG=/dev/stderr
      - KONG_PROXY_ACCESS_LOG=/dev/stdout
      - KONG_PROXY_ERROR_LOG=/dev/stderr
      - KONG_ANONYMOUS_REPORTS=false
      - KONG_CLUSTER_LISTEN=off
      - 'KONG_LUA_PACKAGE_PATH=/opt/?.lua;/opt/?/init.lua;;'
      - KONG_NGINX_WORKER_PROCESSES=1
      - 'KONG_PLUGINS=bundled,oidc'
      - 'KONG_ADMIN_LISTEN=0.0.0.0:8001'
      - 'KONG_PROXY_LISTEN=0.0.0.0:8000, 0.0.0.0:8443 http2 ssl'
      - 'KONG_STATUS_LISTEN=0.0.0.0:8100'
      - KONG_NGINX_DAEMON=off
      - 'KONG_X_SESSION_MEMCACHE_PORT=''1234'''
      - KONG_X_SESSION_COMPRESSOR=zlib
      - KONG_DATABASE=postgres
      - KONG_PG_DATABASE=${KONG_PG_DATABASE:-kong}
      - KONG_PG_HOST=kong-db
      - KONG_PG_USER=${KONG_PG_USER:-kong}
      - KONG_PG_PASSWORD_FILE=/run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    ports:
      - "8000:8000/tcp"
      - "127.0.0.1:8001:8001/tcp"
      - "8443:8443/tcp"
      - "127.0.0.1:8444:8444/tcp"
    healthcheck:
      test: ["CMD", "kong", "health"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure

And here is the output I got from my kong-oidc container on start:

kong_1                | 2021/04/09 14:42:49 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: New migrations available; run 'kong migrations up' to proceed
kong_1                | stack traceback:
kong_1                |         [C]: in function 'error'
kong_1                |         /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: in function 'check_state'
kong_1                |         /usr/local/share/lua/5.1/kong/init.lua:456: in function 'init'
kong_1                |         init_by_lua:3: in main chunk
kong_1                | nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: New migrations available; run 'kong migrations up' to proceed
kong_1                | stack traceback:
kong_1                |         [C]: in function 'error'
kong_1                |         /usr/local/share/lua/5.1/kong/cmd/utils/migrations.lua:20: in function 'check_state'
kong_1                |         /usr/local/share/lua/5.1/kong/init.lua:456: in function 'init'
kong_1                |         init_by_lua:3: in main chunk
compose_kong_1 exited with code 1

I tried to use the image in db-less mode and it works fine.

I also have in my docker-compose.yml services for migrations:

  kong-migrations:
    image: "${KONG_DOCKER_TAG:-kong:latest}"
    command: kong migrations bootstrap
    depends_on:
      - kong-db
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
      KONG_PG_HOST: kong-db
      KONG_PG_USER: ${KONG_PG_USER:-kong}
      KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure

  kong-migrations-up:
    image: "${KONG_DOCKER_TAG:-kong:latest}"
    command: kong migrations up && kong migrations finish
    depends_on:
      - kong-db
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
      KONG_PG_HOST: kong-db
      KONG_PG_USER: ${KONG_PG_USER:-kong}
      KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure

I have cleaned my POSTGRES volume and brought the stack down/up many times, but I still get the same result.

I would also like to point out that using the standard version of Kong works fine:

    image: "${KONG_DOCKER_TAG:-kong:latest}"
    user: "${KONG_USER:-kong}"
    depends_on:
      - kong-db
    environment:
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: '0.0.0.0:8001'
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
      KONG_PG_HOST: kong-db
      KONG_PG_USER: ${KONG_PG_USER:-kong}
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
    secrets:
      - kong_postgres_password
    networks:
      - kong-net
    ports:
      - "8000:8000/tcp"
      - "127.0.0.1:8001:8001/tcp"
      - "8443:8443/tcp"
      - "127.0.0.1:8444:8444/tcp"
    healthcheck:
      test: ["CMD", "kong", "health"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: on-failure
    deploy:
      restart_policy:
        condition: on-failure

Thanks for your help

The session is valid for multiple realms, how to avoid that?

I'm running into an issue where a session created on one realm is not restricted from accessing resources on a different realm for which the session should not be valid.

I've set up kong routes aligning with two keycloak realms like so:

/realm1/app/
/realm2/app/

Each realm has its own OIDC client with unique keys/name/client secret. I then add the related kong-oidc plugin to each route.

Accessing /realm1/app I'm redirected properly to the realm1 login, and similarly for realm2. However, if I'm logged into realm1 with an active session, I can still access /realm2/app. Looking at the app logs, the active session when accessing realm2 is still for realm1.

Am I missing some crucial setting?
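As an added illustration of the defensive check the question is circling (this is not code from kong-oidc or from the original post), the gateway can record the OIDC issuer that created a session and refuse to reuse that session on a route configured for a different issuer; it can also give each issuer its own cookie name so two realms never read the same cookie. Routes, discovery URLs and token claims are constructed; the issuer is assumed to be the discovery URL with its `/.well-known/openid-configuration` suffix removed, which is how OIDC Discovery lays the document out.

```python
"""Bind a gateway session to the OIDC issuer (realm) that created it, so a
session established through realm1 is not accepted on a route protected by
realm2. Added illustration; not kong-oidc code. All values are constructed."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN = "/.well-known/openid-configuration"


def issuer_from_discovery(discovery_url: str) -> str:
    """Assumption: issuer == discovery URL minus the well-known suffix."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError(f"not an OIDC discovery URL: {discovery_url}")
    return discovery_url[: -len(WELL_KNOWN)]


@dataclass(frozen=True)
class Route:
    path: str
    discovery: str

    @property
    def issuer(self) -> str:
        return issuer_from_discovery(self.discovery)

    @property
    def cookie_name(self) -> str:
        # One cookie name per issuer: the two realms never share a session
        # cookie, instead of both falling back to a single default name.
        digest = hashlib.sha256(self.issuer.encode()).hexdigest()[:12]
        return f"oidc_session_{digest}"


@dataclass
class Session:
    issuer: str   # the iss claim of the ID token that opened the session
    subject: str  # the sub claim


def login(store: dict, route: Route, id_token_claims: dict) -> str:
    """Create a session after a successful callback. The iss claim must match
    the issuer this route was configured for (a required step of ID token
    validation); the session then remembers that issuer."""
    if id_token_claims.get("iss") != route.issuer:
        raise PermissionError("ID token issuer does not match the route's issuer")
    sid = secrets.token_urlsafe(32)
    store[sid] = Session(issuer=route.issuer, subject=id_token_claims["sub"])
    return sid


def authorize(store: dict, route: Route, sid: Optional[str]) -> str:
    """'allow' only when the presented session exists and was opened with this
    route's issuer; a session from another realm is treated as absent."""
    session = store.get(sid) if sid else None
    if session is None or session.issuer != route.issuer:
        return "redirect_to_login"
    return "allow"


def demo() -> dict:
    """Constructed scenario from the question: log in on realm1, then present
    that session on the realm2 route."""
    store = {}
    realm1 = Route("/realm1/app/", "https://keycloak.example/auth/realms/realm1" + WELL_KNOWN)
    realm2 = Route("/realm2/app/", "https://keycloak.example/auth/realms/realm2" + WELL_KNOWN)
    sid = login(store, realm1, {"iss": realm1.issuer, "sub": "alice"})
    return {
        "realm1_with_own_session": authorize(store, realm1, sid),
        "realm2_with_realm1_session": authorize(store, realm2, sid),
        "no_session": authorize(store, realm2, None),
        "distinct_cookie_names": realm1.cookie_name != realm2.cookie_name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The issuer comparison is the part that matters: a cookie name per realm stops the accidental sharing, but only the recorded issuer stops a deliberately presented cross-realm session.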

Unable to upgrade from 3.1.0 to 3.2.1.0

Hi Team,

My existing Kong installation was done using the helm chart kong/kong v2.16.5, along with the docker-kong-oidc:3.1.1 image.

I tried to do a helm upgrade with the new 3.2.1 image and found out that the base image for docker-kong-oidc has been upgraded from kong/kong:3.1.1-alpine to kong/kong-gateway:3.2.1.0-alpine. This has caused my existing Kong deployment to fail. I tried to connect to the admin endpoint and I get the following error:

Error: reading Kong version: making HTTP request: Get "https://kong-kong-admin.<namespace>:8444/": connection error: COMPRESSION_ERROR

Any reason behind this change of base image from kong/kong to kong/kong-gateway?

Thanks!

K8s pods hang for several hours when KONG-PLUGINS=bundle,oidc,kong-http-to-https-redirect

Hello, thanks for taking the time to put this together. I am unable to get kong pods to start up when I introduce multiple custom plugins. (KONG-PLUGINS=bundle,oidc,kong-http-to-https-redirect)

Firstly, I followed this tutorial by extending the kong:1.0.3-centos Dockerfile and things looked great until I introduced those custom plugins in the settings. I played around with them and noticed the following:

  • When I removed that setting, that is, completely removed the KONG-PLUGINS setting, kong starts up after a few seconds and I can see all other plugins.
  • Using KONG-PLUGINS=oidc, all other plugins disappear except the openid connect plugin.

Then I decided to try your Dockerfile to see if there was something out of the ordinary with mine, to no avail.

Here are my system specs:

- Kubernetes 1.13.3
- Kubespray offering on baremetal
- Kong version 1.0.3
- All nodes run centos7 kernel version 4.20
- Docker 18.09

kong-kong-7b769fd584-2f7mr               0/1     Init:0/1    0          6h31m
kong-kong-7b769fd584-cf9wz               0/1     Init:0/1    0          6h31m
kong-kong-init-migrations-f827m          0/1     Completed   0          6h31m
kong-kong-pre-upgrade-migrations-7cx2p   0/1     Completed   0          7h11m

Any help would be highly appreciated.
Thanks

Facing oidc plugins issue

We are trying the oidc plugin through kong, filling in some configuration like client id, client secret, discovery, etc.
After applying the plugin, hitting an api url which is under the plugin shows "no authorization header found".
Can anyone help us out? Your guidance would be very helpful for me.

Thanks in advance

"/usr/local/kong" -- Permission Denied

With v2.0.5-3, the directory "/usr/local/kong" gives a permission denied error when the container is used in a Kubernetes cluster. Checking (and changing) the permissions of that directory resolved the problem with containers not starting in Kubernetes.

kong-revomatico oidc plugin is not able to connect to keycloak as IdP

Hi Team,

The Kong revomatico oidc plugin is not able to resolve the discovery url for keycloak.
I have deployed the kong revomatico oidc plugin and keycloak in a kubernetes cluster.

Configuration:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: oidc
  #namespace: core
config:
  client_id: ${oidc_client_id}
  client_secret: ${oidc_client_secret}
  scope: openid
  realm: kong
  discovery: http://keycloak-discovery.core.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration
plugin: oidc

Issue:

accessing discovery url (http://keycloak-discovery.core.svc.cluster.local:8080/auth/realms/SCORE_DEV/protocol/openid-connect/auth) failed: [cosocket] DNS resolution failed: dns server error: 3 name error.

openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found. KONG_X_SESSION_SECRET's been set.

I got this error when redirected back after successfully logging in at Keycloak.

openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 172.18.0.1, server: kong, request: "GET /cb?state=8c3eae03d96abf7ce7b9f91d0229fce2&session_state=0a7a489c-b5ba-4aeb-8f6b-52dc7481b596&code=d4eba5ac-ab77-4b5a-b7f4-b18efd9ac708.0a7a489c-b5ba-4aeb-8f6b-52dc7481b596.18885a48-8ea5-4d78-8eae-9fc2478fb0e5 HTTP/1.1", host: "localhost:18000"

OP: Keycloak.

-e KONG_X_SESSION_SECRET=Q211IzIwMTc=
-e KONG_X_SESSION_NAME=oidc_session \

kong-oidc session_secret set to Q211IzIwMTc=

Bad URL when downloading kong-oidc-<version>.rockspec from revomatico/kong

Hello!

The problem is that in the Dockerfile of every version, the URL used to fetch kong-oidc-<version>.rockspec points to the revomatico/kong-oidc master branch, causing download failures.

For example: (revomatico/docker-kong-oidc version 2.4.1-1 -> KONG_OIDC_VER=1.2.3-1)
Dockerfile: https://raw.githubusercontent.com/revomatico/docker-kong-oidc/2.4.1-1/Dockerfile

On line 39, it tries to download from this URL:
https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec
After env-var substitution, this URL becomes:
https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-1.2.3-1.rockspec

The issue is that, on the master branch of revomatico/kong-oidc, there is no kong-oidc-1.2.3-1.rockspec, because it has been updated and is now kong-oidc-1.2.3-2.rockspec.

The solution would be to modify every Dockerfile to point to the correct URL for the revomatico/kong-oidc version. In this case, the correct URL would be:
https://raw.githubusercontent.com/revomatico/kong-oidc/v${KONG_OIDC_VER}/kong-oidc-${KONG_OIDC_VER}.rockspec

Hope it helps!

Documentation

Hi, is there documentation that I can refer to for a proper setup and usage?

is client_credentials flow supported?

Hello Team,
I was trying to implement the service to service call via plugin authentication.
I expect the plugin to use the client_credentials grant flow and get me a bearer token which I will use to call the required service. There should not be any user interaction in the authentication process. It should be with client id & secret only.

Do you know if the plugin supports this behaviour? If yes, can you please help me configure it?

rockspec gives a 404

Hi,

When I try to use build.sh I get a 404 in curl, then the build fails, as the following file does not exist.

https://raw.githubusercontent.com/Revomatico/kong-oidc/master/kong-oidc-1.1.0-1.rockspec 

Getting exit code 6 for the last 3-4 days

Here's the Dockerfile that I'm running. (The only differences should be the kong.yml COPY command and the session_secret.)

FROM kong/kong:2.5.1

USER root

LABEL authors="Rami Abusereya <[email protected]>,Cristian Chiru <[email protected]>"

ENV PACKAGES="openssl-devel kernel-headers gcc git openssh" \
    LUA_BASE_DIR="/usr/local/share/lua/5.1" \
    KONG_OIDC_VER="1.2.3-2" \
    LUA_RESTY_OIDC_VER="1.7.4-1" \
    KONG_PLUGIN_SESSION_VER="2.4.5" \
    NGX_DISTRIBUTED_SHM_VER="1.0.2"

COPY kong.yml /

RUN set -ex \
  && apk --no-cache add \
    libssl1.1 \
    openssl \
    curl \
    unzip \
    git \
  && apk --no-cache add --virtual .build-dependencies \
    make \
    gcc \
    openssl-dev \
  \
## Install plugins
 # Download ngx-distributed-shm dshm library
    && curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > ${LUA_BASE_DIR}/resty/dshm.lua \
 # Remove old lua-resty-session and dependent kong-plugin-session
    && luarocks remove --force kong-plugin-session \
    && luarocks remove --force lua-resty-session \
 # Add Pluggable Compressors dependencies
    && luarocks install lua-ffi-zlib \
    && luarocks install penlight \
 # Build kong-plugin-session
    && curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/${KONG_PLUGIN_SESSION_VER}/kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec | tee kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
    && luarocks build kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
 # Build kong-oidc from forked repo because is not keeping up with lua-resty-openidc
    && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc-${KONG_OIDC_VER}.rockspec | \
        sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_OIDC_VER}.rockspec \
    && luarocks build kong-oidc-${KONG_OIDC_VER}.rockspec \
 # Patch nginx_kong.lua for kong-oidc session_secret
    && TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua \
    # May cause side effects when using another nginx under this kong, unless set to the same value
    && sed -i "/server_name kong;/a\ \n\
set_decode_base64 \$session_secret \${{X_SESSION_SECRET}};\n" "$TPL" \
 # Patch nginx_kong.lua to set dictionaries
    && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \n\
variables_hash_max_size 2048;\n\
lua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\n\
lua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\n\
lua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n\
> if x_session_storage == "shm" then\n\
lua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n\
> end\n\
' "$TPL" \
 # Patch nginx_kong.lua to add for memcached sessions
    && sed -i "/server_name kong;/a\ \n\
    ## Session:
    set \$session_storage \${{X_SESSION_STORAGE}};\n\
    set \$session_name \${{X_SESSION_NAME}};\n\
    set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
    ## Session: Memcached specific
    set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
    set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
    set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
    set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
    set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
    set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
    set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
    set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
    set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
    set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
    set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
    ## Session: DHSM specific
    set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
    set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
    set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
    set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
    set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
    set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
    set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
    set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
    set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
    set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
    ## Session: SHM Specific
    set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
    set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
    set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
    set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
    set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
    set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
    set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
" "$TPL" \
 # Patch kong_defaults.lua to add custom variables that are replaced dynamically in the template above when kong is started
    && TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua \
    && sed -i "/\]\]/i\ \n\
x_session_storage = cookie\n\
x_session_name = oidc_session\n\
x_session_compressor = 'none'\n\
x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\
\n\
x_session_memcache_prefix = oidc_sessions\n\
x_session_memcache_connect_timeout = '1000'\n\
x_session_memcache_send_timeout = '1000'\n\
x_session_memcache_read_timeout = '1000'\n\
x_session_memcache_host = memcached\n\
x_session_memcache_port = '11211'\n\
x_session_memcache_uselocking = 'off'\n\
x_session_memcache_spinlockwait = '150'\n\
x_session_memcache_maxlockwait = '30'\n\
x_session_memcache_pool_timeout = '1000'\n\
x_session_memcache_pool_size = '10'\n\
\n\
x_session_dshm_region = oidc_sessions\n\
x_session_dshm_connect_timeout = '1000'\n\
x_session_dshm_send_timeout = '1000'\n\
x_session_dshm_read_timeout = '1000'\n\
x_session_dshm_host = hazelcast\n\
x_session_dshm_port = '4321'\n\
x_session_dshm_pool_name = oidc_sessions\n\
x_session_dshm_pool_timeout = '1000'\n\
x_session_dshm_pool_size = '10'\n\
x_session_dshm_pool_backlog = '10'\n\
\n\
x_session_shm_store_size = 5m\n\
x_session_shm_store = oidc_sessions\n\
x_session_shm_uselocking = off\n\
x_session_shm_lock_exptime = '30'\n\
x_session_shm_lock_timeout = '5'\n\
x_session_shm_lock_step = '0.001'\n\
x_session_shm_lock_ratio = '2'\n\
x_session_shm_lock_max_step = '0.5'\n\
\n\
x_oidc_cache_discovery_size = 128k\n\
x_oidc_cache_jwks_size = 128k\n\
x_oidc_cache_introspection_size = 128k\n\
\n\
" "$TPL" \
## Cleanup
    && rm -fr *.rock* \
    && apk del .build-dependencies 2>/dev/null \
## Create kong and working directory (https://github.com/Kong/kong/issues/2690)
    && mkdir -p /usr/local/kong \
    && chown -R kong:`id -gn kong` /usr/local/kong
USER kong

And the associated kong.yml is

_format_version: "1.1"
services:
- connect_timeout: 10000
  host: echoserver
  name: echoserver
  port: 80
  protocol: http
  read_timeout: 5000
  retries: 2
  write_timeout: 5000
  routes:
  - hosts:
    - echoserver:80
    # id: 9c5c298c-1452-4c65-8d65-dcb1a4b4ea68
    # path_handling: v0
    # preserve_host: false
    protocols:
    - http
    - https
    # regex_priority: 0
    # strip_path: true
    # https_redirect_status_code: 426
  plugins:
  - name: oidc
    config:
      #access_token_header_as_bearer: "no"
      access_token_header_name: X-Access-Token
      bearer_only: "yes"
      client_id: someconsumer
      client_secret: somesecret
      disable_access_token_header: "no"
      disable_id_token_header: "no"
      disable_userinfo_header: "no"
      discovery: http://hydra-service:9000/.well-known/openid-configuration
      filters: null
      groups_claim: groups
      id_token_header_name: X-ID-Token
      ignore_auth_filters: ""
      introspection_endpoint: http://hydra-service:9001/oauth2/introspect
      introspection_endpoint_auth_method: null
      logout_path: /logout
      realm: kong
      recovery_page_path: null
      redirect_after_logout_uri: /
      redirect_uri: http://example.com
      response_type: token
      revoke_tokens_on_logout: "no"
      scope: openid
      session_secret: null
      ssl_verify: "no"
      timeout: null
      token_endpoint_auth_method: client_secret_post
      unauth_action: auth
      userinfo_header_name: X-USERINFO
    enabled: true
    protocols:
    # - grpc
    # - grpcs
    - http
    - https

And here's the log of what I get when trying to build this.

docker build -t kong-dbless kong-oidc/

[+] Building 76.6s (8/8) FINISHED
 => [internal] load build definition from Dockerfile                                                                            0.0s
 => => transferring dockerfile: 38B                                                                                             0.0s
 => [internal] load .dockerignore                                                                                               0.0s
 => => transferring context: 2B                                                                                                 0.0s
 => [internal] load metadata for docker.io/kong/kong:2.5.1                                                                     17.0s
 => [auth] kong/kong:pull token for registry-1.docker.io                                                                        0.0s
 => [internal] load build context                                                                                               0.0s
 => => transferring context: 30B                                                                                                0.0s
 => [1/3] FROM docker.io/kong/kong:2.5.1@sha256:6f1ade744464ee261cc087dc63c89b47d9121111b8902f9ebbad499d2585dd15                0.0s
 => CACHED [2/3] COPY kong.yml /                                                                                                0.0s
 => ERROR [3/3] RUN set -ex   && apk --no-cache add     libssl1.1     openssl     curl     unzip     git   && apk --no-cache   59.4s
------
 > [3/3] RUN set -ex   && apk --no-cache add     libssl1.1     openssl     curl     unzip     git   && apk --no-cache add --virtual .build-dependencies     make     gcc     openssl-dev       && curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/1.0.2/lua/dshm.lua > /usr/local/share/lua/5.1/resty/dshm.lua     && luarocks remove --force kong-plugin-session     && luarocks remove --force lua-resty-session     && luarocks install lua-ffi-zlib     && luarocks install penlight     && curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/2.4.5/kong-plugin-session-2.4.5-1.rockspec | tee kong-plugin-session-2.4.5-1.rockspec     && luarocks build kong-plugin-session-2.4.5-1.rockspec     && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-1.2.3-2.rockspec | tee kong-oidc-1.2.3-2.rockspec |         sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^"]+/\1 1.7.4-1/" > kong-oidc-1.2.3-2.rockspec     && luarocks build kong-oidc-1.2.3-2.rockspec     && TPL=/usr/local/share/lua/5.1/kong/templates/nginx_kong.lua     && sed -i "/server_name kong;/a\ \nset_decode_base64 $session_secret ${{X_SESSION_SECRET}};\n" "$TPL"     && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \nvariables_hash_max_size 2048;\nlua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\nlua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\nlua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n> if x_session_storage == "shm" then\nlua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n> end\n' "$TPL"     && sed -i "/server_name kong;/a\ \n    set $session_storage ${{X_SESSION_STORAGE}};\n    set $session_name ${{X_SESSION_NAME}};\n    set $session_compressor ${{X_SESSION_COMPRESSOR}};\n    set $session_memcache_connect_timeout ${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n    set $session_memcache_send_timeout ${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n    set $session_memcache_read_timeout 
${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n    set $session_memcache_prefix ${{X_SESSION_MEMCACHE_PREFIX}};\n    set $session_memcache_host ${{X_SESSION_MEMCACHE_HOST}};\n    set $session_memcache_port ${{X_SESSION_MEMCACHE_PORT}};\n    set $session_memcache_uselocking ${{X_SESSION_MEMCACHE_USELOCKING}};\n    set $session_memcache_spinlockwait ${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n    set $session_memcache_maxlockwait ${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n    set $session_memcache_pool_timeout ${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n    set $session_memcache_pool_size ${{X_SESSION_MEMCACHE_POOL_SIZE}};\n    set $session_dshm_region ${{X_SESSION_DSHM_REGION}};\n    set $session_dshm_connect_timeout ${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n    set $session_dshm_send_timeout ${{X_SESSION_DSHM_SEND_TIMEOUT}};\n    set $session_dshm_read_timeout ${{X_SESSION_DSHM_READ_TIMEOUT}};\n    set $session_dshm_host ${{X_SESSION_DSHM_HOST}};\n    set $session_dshm_port ${{X_SESSION_DSHM_PORT}};\n    set $session_dshm_pool_name ${{X_SESSION_DSHM_POOL_NAME}};\n    set $session_dshm_pool_timeout ${{X_SESSION_DSHM_POOL_TIMEOUT}};\n    set $session_dshm_pool_size ${{X_SESSION_DSHM_POOL_SIZE}};\n    set $session_dshm_pool_backlog ${{X_SESSION_DSHM_POOL_BACKLOG}};\n    set $session_shm_store ${{X_SESSION_SHM_STORE}};\n    set $session_shm_uselocking ${{X_SESSION_SHM_USELOCKING}};\n    set $session_shm_lock_exptime ${{X_SESSION_SHM_LOCK_EXPTIME}};\n    set $session_shm_lock_timeout ${{X_SESSION_SHM_LOCK_TIMEOUT}};\n    set $session_shm_lock_step ${{X_SESSION_SHM_LOCK_STEP}};\n    set $session_shm_lock_ratio ${{X_SESSION_SHM_LOCK_RATIO}};\n    set $session_shm_lock_max_step ${{X_SESSION_SHM_LOCK_MAX_STEP}};\n" "$TPL"     && TPL=/usr/local/share/lua/5.1/kong/templates/kong_defaults.lua     && sed -i "/\]\]/i\ \nx_session_storage = cookie\nx_session_name = oidc_session\nx_session_compressor = 'none'\nx_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\nx_session_memcache_prefix = 
oidc_sessions\nx_session_memcache_connect_timeout = '1000'\nx_session_memcache_send_timeout = '1000'\nx_session_memcache_read_timeout = '1000'\nx_session_memcache_host = memcached\nx_session_memcache_port = '11211'\nx_session_memcache_uselocking = 'off'\nx_session_memcache_spinlockwait = '150'\nx_session_memcache_maxlockwait = '30'\nx_session_memcache_pool_timeout = '1000'\nx_session_memcache_pool_size = '10'\n\nx_session_dshm_region = oidc_sessions\nx_session_dshm_connect_timeout = '1000'\nx_session_dshm_send_timeout = '1000'\nx_session_dshm_read_timeout = '1000'\nx_session_dshm_host = hazelcast\nx_session_dshm_port = '4321'\nx_session_dshm_pool_name = oidc_sessions\nx_session_dshm_pool_timeout = '1000'\nx_session_dshm_pool_size = '10'\nx_session_dshm_pool_backlog = '10'\n\nx_session_shm_store_size = 5m\nx_session_shm_store = oidc_sessions\nx_session_shm_uselocking = off\nx_session_shm_lock_exptime = '30'\nx_session_shm_lock_timeout = '5'\nx_session_shm_lock_step = '0.001'\nx_session_shm_lock_ratio = '2'\nx_session_shm_lock_max_step = '0.5'\n\nx_oidc_cache_discovery_size = 128k\nx_oidc_cache_jwks_size = 128k\nx_oidc_cache_introspection_size = 128k\n\n" "$TPL"     && rm -fr *.rock*     && apk del .build-dependencies 2>/dev/null     && mkdir -p /usr/local/kong     && chown -R kong:`id -gn kong` /usr/local/kong:
#8 0.228 + apk --no-cache add libssl1.1 openssl curl unzip git
#8 0.235 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
#8 1.263 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
#8 3.137 (1/1) Installing curl (7.79.1-r0)
#8 3.324 Executing busybox-1.33.1-r3.trigger
#8 3.329 OK: 66 MiB in 41 packages
#8 3.361 + apk --no-cache add --virtual .build-dependencies make gcc openssl-dev
#8 3.366 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
#8 4.301 fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
#8 6.371 (1/12) Installing make (4.3-r0)
#8 6.533 (2/12) Installing binutils (2.35.2-r2)
#8 9.357 (3/12) Installing libgomp (10.3.1_git20210424-r2)
#8 9.541 (4/12) Installing libatomic (10.3.1_git20210424-r2)
#8 9.582 (5/12) Installing libgphobos (10.3.1_git20210424-r2)
#8 11.85 (6/12) Installing gmp (6.2.1-r0)
#8 12.14 (7/12) Installing isl22 (0.22-r0)
#8 12.97 (8/12) Installing mpfr4 (4.1.0-r0)
#8 15.55 (9/12) Installing mpc1 (1.2.1-r0)
#8 15.64 (10/12) Installing gcc (10.3.1_git20210424-r2)
#8 53.86 (11/12) Installing openssl-dev (1.1.1l-r0)
#8 54.19 (12/12) Installing .build-dependencies (20211115.060117)
#8 54.19 Executing busybox-1.33.1-r3.trigger
#8 54.20 OK: 177 MiB in 53 packages
#8 54.23 + curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/1.0.2/lua/dshm.lua
------
executor failed running [/bin/sh -c set -ex   && apk --no-cache add     libssl1.1     openssl     curl     unzip     git   && apk --no-cache add --virtual .build-dependencies     make     gcc     openssl-dev       && curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > ${LUA_BASE_DIR}/resty/dshm.lua     && luarocks remove --force kong-plugin-session     && luarocks remove --force lua-resty-session     && luarocks install lua-ffi-zlib     && luarocks install penlight     && curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/${KONG_PLUGIN_SESSION_VER}/kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec | tee kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec     && luarocks build kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec     && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc-${KONG_OIDC_VER}.rockspec |         sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_OIDC_VER}.rockspec     && luarocks build kong-oidc-${KONG_OIDC_VER}.rockspec     && TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua     && sed -i "/server_name kong;/a\ \nset_decode_base64 \$session_secret \${{X_SESSION_SECRET}};\n" "$TPL"     && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \nvariables_hash_max_size 2048;\nlua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\nlua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\nlua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n> if x_session_storage == "shm" then\nlua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n> end\n' "$TPL"     && sed -i "/server_name kong;/a\ \n    set \$session_storage \${{X_SESSION_STORAGE}};\n    set \$session_name \${{X_SESSION_NAME}};\n    set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n    set \$session_memcache_connect_timeout 
\${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n    set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n    set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n    set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n    set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n    set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n    set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n    set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n    set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n    set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n    set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n    set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n    set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n    set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n    set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n    set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n    set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n    set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n    set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n    set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n    set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n    set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n    set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n    set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n    set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n    set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n    set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n    set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n" "$TPL"     && TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua     && 
sed -i "/\]\]/i\ \nx_session_storage = cookie\nx_session_name = oidc_session\nx_session_compressor = 'none'\nx_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\nx_session_memcache_prefix = oidc_sessions\nx_session_memcache_connect_timeout = '1000'\nx_session_memcache_send_timeout = '1000'\nx_session_memcache_read_timeout = '1000'\nx_session_memcache_host = memcached\nx_session_memcache_port = '11211'\nx_session_memcache_uselocking = 'off'\nx_session_memcache_spinlockwait = '150'\nx_session_memcache_maxlockwait = '30'\nx_session_memcache_pool_timeout = '1000'\nx_session_memcache_pool_size = '10'\n\nx_session_dshm_region = oidc_sessions\nx_session_dshm_connect_timeout = '1000'\nx_session_dshm_send_timeout = '1000'\nx_session_dshm_read_timeout = '1000'\nx_session_dshm_host = hazelcast\nx_session_dshm_port = '4321'\nx_session_dshm_pool_name = oidc_sessions\nx_session_dshm_pool_timeout = '1000'\nx_session_dshm_pool_size = '10'\nx_session_dshm_pool_backlog = '10'\n\nx_session_shm_store_size = 5m\nx_session_shm_store = oidc_sessions\nx_session_shm_uselocking = off\nx_session_shm_lock_exptime = '30'\nx_session_shm_lock_timeout = '5'\nx_session_shm_lock_step = '0.001'\nx_session_shm_lock_ratio = '2'\nx_session_shm_lock_max_step = '0.5'\n\nx_oidc_cache_discovery_size = 128k\nx_oidc_cache_jwks_size = 128k\nx_oidc_cache_introspection_size = 128k\n\n" "$TPL"     && rm -fr *.rock*     && apk del .build-dependencies 2>/dev/null     && mkdir -p /usr/local/kong     && chown -R kong:`id -gn kong` /usr/local/kong]: exit code: 6

OIDC plugin always returns invalid "invalid token"

I have enabled the OIDC nokia/kong-oidc plugin globally for one API with the configuration below.
Deployment environment openshift v3.11.51
image:
repository: revomatico/docker-kong-oidc
tag: "2.0.4-1"

Deployed using Helm 3

{
"created_at": 1589024458,
"config": {
"response_type": "code",
"introspection_endpoint": "https://sso:8443/auth/realms/davis/protocol/openid-connect/token/introspect",
"timeout": null,
"redirect_uri": null,
"logout_path": "/logout",
"filters": null,
"disable_access_token_header": "no",
"bearer_only": "yes",
"access_token_header_as_bearer": "yes",
"access_token_header_name": "X-Access-Token",
"disable_id_token_header": "no",
"ssl_verify": "no",
"session_secret": null,
"introspection_endpoint_auth_method": null,
"groups_claim": "groups",
"realm": "davis",
"redirect_after_logout_uri": "/",
"scope": "openid",
"token_endpoint_auth_method": "client_secret_post",
"client_secret": "515b87e1-9a0d-41ca-8e6e-ed7e65d65e59",
"client_id": "kong",
"userinfo_header_name": "X-USERINFO",
"revoke_tokens_on_logout": "no",
"discovery": "https://sso:8443/auth/realms/davis/.well-known/openid-configuration",
"ignore_auth_filters": "",
"disable_userinfo_header": "no",
"id_token_header_name": "X-ID-Token",
"recovery_page_path": null,
"unauth_action": "auth"
},
"id": "de08422d-7497-4b4a-bc38-9f45397b94a3",
"service": null,
"enabled": true,
"protocols": [
"grpc",
"grpcs",
"http",
"https"
],
"name": "oidc",
"consumer": null,
"route": null,
"tags": null
}

However, I am always getting WWW-Authenticate → Bearer realm="kong",error="invalid token"

Is there a suggestion to fix the issue?

Will Consider to add login_redirect_uri?

I am going to build a web application that calls Kong with kong-oidc to run the authorization code grant flow and then access the upstream API. However, there is no login_redirect_uri. After running the authorization code grant flow, the request cannot redirect back to the browser; instead a 400 Bad Request error results.

Will you consider adding the setting login_redirect_uri to solve this problem? Thanks.

./build.sh not working since #31

The #31 needs a fix:

@@ -28,7 +28,7 @@ RUN set -ex \
     && luarocks install penlight \
     # Build kong-oidc from forked repo because is not keeping up with lua-resty-openidc
     && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/v${KONG_PLUGIN_OIDC_VER}/kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec | tee kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec | \
-    sed -E -e 's/(tag =)[^,]+/\1 "v${KONG_PLUGIN_OIDC_VER}"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec \
+    sed -E -e 's/(tag =)[^,]+/\1 '"v${KONG_PLUGIN_OIDC_VER}"'/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_PLUGIN_OIDC_VER}.rockspec \
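Review bot: the replacement on the `+` line drops the double quotes around the tag, so the rewritten rockspec reads `tag = v1.2.4-4` instead of `tag = "v1.2.4-4"`; Lua then reads `v1` as a name followed by `.2.4`, which is exactly the `malformed number near '.2.4'` error at rockspec line 5 reported further down. Keep the quotes inside the single-quoted sed program and break out only for the variable expansion, e.g. `sed -E -e 's/(tag =)[^,]+/\1 "v'"${KONG_PLUGIN_OIDC_VER}"'"/'`. The `-` line had the opposite problem: `${KONG_PLUGIN_OIDC_VER}` sits inside single quotes and is never expanded, so the tag became the literal string `v${KONG_PLUGIN_OIDC_VER}`.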

After that I get the following error:

+ luarocks build kong-oidc-1.2.4-4.rockspec

Error: Could not load rockspec file /kong-oidc-1.2.4-4.rockspec (Error loading file: [string "/kong-oidc-1.2.4-4.rockspec"]:5: malformed number near '.2.4')
Removing intermediate container a95ba560de9c

I stopped searching for a fix and moved back to the latest release.

Regards
Thorsten
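To make the quoting problem in this thread concrete, here is an added shell example (not code from the docker-kong-oidc Dockerfile or from the reporter) that runs both sed variants over a small constructed rockspec fragment and checks whether the resulting `tag =` value is still a quoted Lua string. The sample rockspec lines and the helper names are assumptions; the version numbers are the ones from the thread (1.2.4-4) and the page's Dockerfile (1.7.4-1).

```shell
#!/bin/sh
# Added example: rewrite the "tag =" and "lua-resty-openidc ~>" fields of a
# kong-oidc rockspec while keeping the tag a quoted Lua string.

# Constructed sample of the relevant rockspec lines (the real file is larger).
sample_rockspec() {
cat <<'EOF'
package = "kong-oidc"
version = "1.2.4-4"
source = {
  url = "git://github.com/revomatico/kong-oidc",
  tag = "v1.2.4-4"
}
dependencies = {
  "lua-resty-openidc ~> 1.7.2-1"
}
EOF
}

# Correct substitution: the tag stays inside double quotes, and the shell
# variable is expanded because it sits outside the single-quoted sed program.
patch_rockspec_quoted() {
  tag_ver="$1"; oidc_ver="$2"
  sed -E -e 's/(tag =)[^,]+/\1 "v'"${tag_ver}"'"/' \
         -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${oidc_ver}/"
}

# Substitution from the proposed patch: the quotes are dropped, so Lua sees
# "tag = v1.2.4-4" and fails with "malformed number near '.2.4'".
patch_rockspec_unquoted() {
  tag_ver="$1"; oidc_ver="$2"
  sed -E -e 's/(tag =)[^,]+/\1 '"v${tag_ver}"'/' \
         -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${oidc_ver}/"
}

# Helpers returning the rewritten tag / dependency line for inspection.
tag_line_quoted()   { sample_rockspec | patch_rockspec_quoted   "$1" "$2" | grep 'tag ='; }
tag_line_unquoted() { sample_rockspec | patch_rockspec_unquoted "$1" "$2" | grep 'tag ='; }
dep_line()          { sample_rockspec | patch_rockspec_quoted   "$1" "$2" | grep 'lua-resty-openidc'; }

# Sanity check for a rewritten rockspec read from stdin: the "tag =" value
# must be a double-quoted string. Exit status 0 = well-formed, 1 = broken.
tag_is_quoted() {
  grep -Eq '^[[:space:]]*tag = "[^"]+"$'
}

# Stand-alone usage: show both outputs and verify the correct one.
if [ "${0##*/}" != "sh" ]; then
  echo "correct:  $(tag_line_quoted 1.2.4-4 1.7.4-1)"
  echo "broken:   $(tag_line_unquoted 1.2.4-4 1.7.4-1)"
  sample_rockspec | patch_rockspec_quoted 1.2.4-4 1.7.4-1 | tag_is_quoted \
    && echo "tag is a quoted Lua string"
fi
```

Running `tag_is_quoted` on the rewritten file before calling `luarocks build` turns the Lua parse error into an early, readable failure of the build step.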

Enabling Kong Manager GUI

Hello, first of all, thank you for all the effort. I have been using this image for a couple of months now and everything works great regarding OIDC. But day by day services and routes are increasing, and I wanted to enable the Kong Manager UI. From what I gathered from the Kong documentation, setting this variable should be enough, but I have had no luck accessing Kong Manager:

echo "-e 'KONG_ADMIN_GUI_PATH=/manager' \
 'KONG_ADMIN_GUI_URL=http://localhost:8002/manager' \
 kong reload exit" | docker exec -i KONG_CONTAINER_ID /bin/sh

Any idea how I can accomplish this using this image?

Thanks again

Issues with kong.yml

Hi, I tried using the docker file from here - Dockerfile:2.5.0

The only change I've made is adding

  • copying the kong.yml file.
  • Added a value for x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\ (this is base64 for some_base64_string)

kong.yml

_format_version: "1.1"
services:
- connect_timeout: 10000
  host: echoserver
  name: echoserver
  port: 80
  protocol: http
  read_timeout: 5000
  retries: 2
  write_timeout: 5000
  routes:
  - hosts:
    - echoserver:80
    # id: 9c5c298c-1452-4c65-8d65-dcb1a4b4ea68
    # path_handling: v0
    # preserve_host: false
    protocols:
    - http
    - https
    # regex_priority: 0
    # strip_path: true
    # https_redirect_status_code: 426
  plugins:
  - name: oidc
    config:
      access_token_header_as_bearer: "no"
      access_token_header_name: X-Access-Token
      bearer_only: "yes"
      client_id: someconsumer
      client_secret: somesecret
      disable_access_token_header: "no"
      disable_id_token_header: "no"
      disable_userinfo_header: "no"
      discovery: http://hydra-service:9000/.well-known/openid-configuration
      filters: null
      groups_claim: groups
      id_token_header_name: X-ID-Token
      ignore_auth_filters: ""
      introspection_endpoint: http://hydra-service:9001/oauth2/introspect
      introspection_endpoint_auth_method: null
      logout_path: /logout
      realm: kong
      recovery_page_path: null
      redirect_after_logout_uri: /
      redirect_uri: http://example.com
      response_type: token
      revoke_tokens_on_logout: "no"
      scope: openid
      session_secret: null
      ssl_verify: "no"
      timeout: null
      token_endpoint_auth_method: client_secret_post
      unauth_action: auth
      userinfo_header_name: X-USERINFO
    enabled: true
    protocols:
    # - grpc
    # - grpcs
    - http
    - https

The only change I've made to the docker file from master for 2.5.0 is adding

  • copying the kong.yml file.
  • Added a value for x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\ (this is base64 for some_base64_string)

Dockerfile

FROM kong/kong:2.5.0

USER root

LABEL authors="Rami Abusereya <[email protected]>,Cristian Chiru <[email protected]>"

ENV PACKAGES="openssl-devel kernel-headers gcc git openssh" \
    LUA_BASE_DIR="/usr/local/share/lua/5.1" \
    KONG_OIDC_VER="1.2.3-1" \
    LUA_RESTY_OIDC_VER="1.7.4-1" \
    KONG_PLUGIN_SESSION_VER="2.4.5" \
    NGX_DISTRIBUTED_SHM_VER="1.0.2"

COPY kong.yml /

RUN set -ex \
  && apk --no-cache add \
    libssl1.1 \
    openssl \
    curl \
    unzip \
    git \
  && apk --no-cache add --virtual .build-dependencies \
    make \
    gcc \
    openssl-dev \
  \
## Install plugins
 # Download ngx-distributed-shm dshm library
    && curl -sL https://raw.githubusercontent.com/grrolland/ngx-distributed-shm/${NGX_DISTRIBUTED_SHM_VER}/lua/dshm.lua > ${LUA_BASE_DIR}/resty/dshm.lua \
 # Remove old lua-resty-session and dependent kong-plugin-session
    && luarocks remove --force kong-plugin-session \
    && luarocks remove --force lua-resty-session \
 # Add Pluggable Compressors dependencies
    && luarocks install lua-ffi-zlib \
    && luarocks install penlight \
 # Build kong-plugin-session
    && curl -sL https://raw.githubusercontent.com/Kong/kong-plugin-session/${KONG_PLUGIN_SESSION_VER}/kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec | tee kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
    && luarocks build kong-plugin-session-${KONG_PLUGIN_SESSION_VER}-1.rockspec \
 # Build kong-oidc from forked repo because is not keeping up with lua-resty-openidc
    && curl -sL https://raw.githubusercontent.com/revomatico/kong-oidc/master/kong-oidc-${KONG_OIDC_VER}.rockspec | tee kong-oidc-${KONG_OIDC_VER}.rockspec | \
        sed -E -e 's/(tag =)[^,]+/\1 "master"/' -e "s/(lua-resty-openidc ~>)[^\"]+/\1 ${LUA_RESTY_OIDC_VER}/" > kong-oidc-${KONG_OIDC_VER}.rockspec \
    && luarocks build kong-oidc-${KONG_OIDC_VER}.rockspec \
 # Patch nginx_kong.lua for kong-oidc session_secret
    && TPL=${LUA_BASE_DIR}/kong/templates/nginx_kong.lua \
    # May cause side effects when using another nginx under this kong, unless set to the same value
    && sed -i "/server_name kong;/a\ \n\
set_decode_base64 \$session_secret \${{X_SESSION_SECRET}};\n" "$TPL" \
 # Patch nginx_kong.lua to set dictionaries
    && sed -i -E '/^lua_shared_dict kong\s+.+$/i\ \n\
variables_hash_max_size 2048;\n\
lua_shared_dict discovery \${{X_OIDC_CACHE_DISCOVERY_SIZE}};\n\
lua_shared_dict jwks \${{X_OIDC_CACHE_JWKS_SIZE}};\n\
lua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n\
> if x_session_storage == "shm" then\n\
lua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n\
> end\n\
' "$TPL" \
 # Patch nginx_kong.lua to add for memcached sessions
    && sed -i "/server_name kong;/a\ \n\
    ## Session:
    set \$session_storage \${{X_SESSION_STORAGE}};\n\
    set \$session_name \${{X_SESSION_NAME}};\n\
    set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
    ## Session: Memcached specific
    set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
    set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
    set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
    set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
    set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
    set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
    set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
    set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
    set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
    set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
    set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
    ## Session: DHSM specific
    set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
    set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
    set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
    set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
    set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
    set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
    set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
    set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
    set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
    set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
    ## Session: SHM Specific
    set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
    set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
    set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
    set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
    set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
    set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
    set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
" "$TPL" \
 # Patch kong_defaults.lua to add custom variables that are replaced dynamically in the template above when kong is started
 # x_session_secret value = some_base64_string
    && TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua \
    && sed -i "/\]\]/i\ \n\
x_session_storage = cookie\n\
x_session_name = oidc_session\n\
x_session_compressor = 'none'\n\
x_session_secret = 'c29tZV9iYXNlNjRfc3RyaW5n'\n\
\n\
x_session_memcache_prefix = oidc_sessions\n\
x_session_memcache_connect_timeout = '1000'\n\
x_session_memcache_send_timeout = '1000'\n\
x_session_memcache_read_timeout = '1000'\n\
x_session_memcache_host = memcached\n\
x_session_memcache_port = '11211'\n\
x_session_memcache_uselocking = 'off'\n\
x_session_memcache_spinlockwait = '150'\n\
x_session_memcache_maxlockwait = '30'\n\
x_session_memcache_pool_timeout = '1000'\n\
x_session_memcache_pool_size = '10'\n\
\n\
x_session_dshm_region = oidc_sessions\n\
x_session_dshm_connect_timeout = '1000'\n\
x_session_dshm_send_timeout = '1000'\n\
x_session_dshm_read_timeout = '1000'\n\
x_session_dshm_host = hazelcast\n\
x_session_dshm_port = '4321'\n\
x_session_dshm_pool_name = oidc_sessions\n\
x_session_dshm_pool_timeout = '1000'\n\
x_session_dshm_pool_size = '10'\n\
x_session_dshm_pool_backlog = '10'\n\
\n\
x_session_shm_store_size = 5m\n\
x_session_shm_store = oidc_sessions\n\
x_session_shm_uselocking = off\n\
x_session_shm_lock_exptime = '30'\n\
x_session_shm_lock_timeout = '5'\n\
x_session_shm_lock_step = '0.001'\n\
x_session_shm_lock_ratio = '2'\n\
x_session_shm_lock_max_step = '0.5'\n\
\n\
x_oidc_cache_discovery_size = 128k\n\
x_oidc_cache_jwks_size = 128k\n\
x_oidc_cache_introspection_size = 128k\n\
\n\
" "$TPL" \
## Cleanup
    && rm -fr *.rock* \
    && apk del .build-dependencies 2>/dev/null \
## Create kong and working directory (https://github.com/Kong/kong/issues/2690)
    && mkdir -p /usr/local/kong \
    && chown -R kong:`id -gn kong` /usr/local/kong
USER kong

Build this image via docker build -t kong-dbless .

Now I run this with a simple yml for kubernetes

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong
  labels: 
    app: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kong
  template:
    metadata:
      labels:
        app: kong
    spec:
      containers:
      - name: kong
        image: kong-dbless:latest
        imagePullPolicy: Never
        ports:
        - containerPort: 8000
        - containerPort: 8001
        - containerPort: 8443
        - containerPort: 8444
        env:
        - name: KONG_DATABASE
          value: "off"
        - name: KONG_DECLARATIVE_CONFIG
          value: kong.yml
        - name: KONG_PLUGINS
          value: "bundled,oidc"
        - name: KONG_X_SESSION_SECRET
          value: c29tZV9iYXNlNjRfc3RyaW5n
        - name: KONG_X_SESSION_NAME
          value: oidc_session
---
# Service
apiVersion: v1
kind: Service
metadata:
  name: kong-service
spec:
  selector:
    app: kong
  ports:
    - protocol: TCP
      port: 8000
      targetPort: 8000
      name: publicapi
    - protocol: TCP
      port: 8001
      targetPort: 8001
      name: adminapi
    - protocol: TCP
      port: 8443
      targetPort: 8443
      name: securepublicapi
    - protocol: TCP
      port: 8444
      targetPort: 8444
      name: secureadminapi

Logs give me.

2021/08/18 15:02:56 [warn] 1#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/kong/nginx.conf:6
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/kong/nginx.conf:6
2021/08/18 15:02:57 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:525: error parsing declarative config file kong.yml:
in 'services':
  - in entry 1 of 'services':
    in 'plugins':
      - in entry 1 of 'plugins':
        in 'config':
          in 'access_token_header_as_bearer': unknown field
stack traceback:
        [C]: in function 'error'
        /usr/local/share/lua/5.1/kong/init.lua:525: in function 'init'
        init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:525: error parsing declarative config file kong.yml:
in 'services':
  - in entry 1 of 'services':
    in 'plugins':
      - in entry 1 of 'plugins':
        in 'config':
          in 'access_token_header_as_bearer': unknown field
stack traceback:
        [C]: in function 'error'
        /usr/local/share/lua/5.1/kong/init.lua:525: in function 'init'
        init_by_lua:3: in main chunk

Which, based on this, seems to me to mean that the plugin is not installed.

Kong startup error when setting a numeric string as env var

For example, if I try to override the value of x_session_memcache_port by setting the env var KONG_X_SESSION_MEMCACHE_PORT=8778

Kong init fails with the following error:

2021/03/09 15:46:17 [debug] 1#0: [lua] globalpatches.lua:10: installing the globalpatches
2021/03/09 15:46:17 [error] 1#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:440: x_session_memcache_port is not a string: '8778'
stack traceback:
        [C]: in function 'assert'
        /usr/local/share/lua/5.1/kong/init.lua:440: in function 'init'
        init_by_lua:3: in main chunk
nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:440: x_session_memcache_port is not a string: '8778'
stack traceback:
        [C]: in function 'assert'
        /usr/local/share/lua/5.1/kong/init.lua:440: in function 'init'
        init_by_lua:3: in main chunk

Documentation request

Hello,

Thank you for the work on this plugin / project. It would be great to have more detailed documentation on the settings for Auth, Implicit and Hybrid flows. So far, I can only use the Kong Konnect documentation and I'm not sure this plugin works exactly the same.

Module 'kong.plugins.base_plugin' not found

I got this error when building and running the docker image using the included Dockerfile.

Here's the stacktrace:

kong-gateway     | nginx: [error] init_by_lua error: /usr/local/share/lua/5.1/kong/tools/utils.lua:701: error loading module 'kong.plugins.oidc.handler':
kong-gateway     | /usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:1: module 'kong.plugins.base_plugin' not found:No LuaRocks module found for kong.plugins.base_plugin
kong-gateway     |      no field package.preload['kong.plugins.base_plugin']
kong-gateway     |      no file './kong/plugins/base_plugin.lua'
kong-gateway     |      no file './kong/plugins/base_plugin/init.lua'
kong-gateway     |      no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin.ljbc'
kong-gateway     |      no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin/init.ljbc'
kong-gateway     |      no file '/usr/local/openresty/lualib/kong/plugins/base_plugin.ljbc'
kong-gateway     |      no file '/usr/local/openresty/lualib/kong/plugins/base_plugin/init.ljbc'
kong-gateway     |      no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin.lua'
kong-gateway     |      no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin/init.lua'
kong-gateway     |      no file '/usr/local/openresty/lualib/kong/plugins/base_plugin.lua'
kong-gateway     |      no file '/usr/local/openresty/lualib/kong/plugins/base_plugin/init.lua'
kong-gateway     |      no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/kong/plugins/base_plugin.lua'
kong-gateway     |      no file '/usr/local/share/lua/5.1/kong/plugins/base_plugin.lua'
kong-gateway     |      no file '/usr/local/share/lua/5.1/kong/plugins/base_plugin/init.lua'
kong-gateway     |      no file '/usr/local/openresty/luajit/share/lua/5.1/kong/plugins/base_plugin.lua'
kong-gateway     |      no file '/usr/local/openresty/luajit/share/lua/5.1/kong/plugins/base_plugin/init.lua'
kong-gateway     |      no file '/root/.luarocks/share/lua/5.1/kong/plugins/base_plugin.lua'
kong-gateway     |      no file '/root/.luarocks/share/lua/5.1/kong/plugins/base_plugin/init.lua'
kong-gateway     |      no file '/usr/local/openresty/site/lualib/kong/plugins/base_plugin.so'
kong-gateway     |      no file '/usr/local/openresty/lualib/kong/plugins/base_plugin.so'
kong-gateway     |      no file './kong/plugins/base_plugin.so'
kong-gateway     |      no file '/usr/local/lib/lua/5.1/kong/plugins/base_plugin.so'
kong-gateway     |      no file '/usr/local/openresty/luajit/lib/lua/5.1/kong/plugins/base_plugin.so'
kong-gateway     |      no file '/usr/local/lib/lua/5.1/loadall.so'
kong-gateway     |      no file '/root/.luarocks/lib/lua/5.1/kong/plugins/base_plugin.so'
kong-gateway     |      no file '/usr/local/openresty/site/lualib/kong.so'
kong-gateway     |      no file '/usr/local/openresty/lualib/kong.so'
kong-gateway     |      no file './kong.so'
kong-gateway     |      no file '/usr/local/lib/lua/5.1/kong.so'
kong-gateway     |      no file '/usr/local/openresty/luajit/lib/lua/5.1/kong.so'
kong-gateway     |      no file '/usr/local/lib/lua/5.1/loadall.so'
kong-gateway     |      no file '/root/.luarocks/lib/lua/5.1/kong.so'
kong-gateway     | stack traceback:
kong-gateway     |      [C]: in function 'require'
kong-gateway     |      /usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:1: in main chunk
kong-gateway     |      [C]: at 0xffffa21e90a8
kong-gateway     |      [C]: in function 'xpcall'
kong-gateway     |      /usr/local/share/lua/5.1/kong/tools/utils.lua:692: in function 'load_module_if_exists'
kong-gateway     |      /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:154: in function 'load_plugin_handler'
kong-gateway     |      /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:260: in function 'load_plugin'
kong-gateway     |      /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:312: in function 'load_plugin_schemas'
kong-gateway     |      /usr/local/share/lua/5.1/kong/init.lua:553: in function 'init'
kong-gateway     |      init_by_lua:3: in main chunk
kong-gateway     | stack traceback:
kong-gateway     |      [C]: in function 'error'
kong-gateway     |      /usr/local/share/lua/5.1/kong/tools/utils.lua:701: in function 'load_module_if_exists'
kong-gateway     |      /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:154: in function 'load_plugin_handler'
kong-gateway     |      /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:260: in function 'load_plugin'
kong-gateway     |      /usr/local/share/lua/5.1/kong/db/dao/plugins.lua:312: in function 'load_plugin_schemas'
kong-gateway     |      /usr/local/share/lua/5.1/kong/init.lua:553: in function 'init'
kong-gateway     |      init_by_lua:3: in main chunk
kong-gateway exited with code 1

docker-compose.yml:

version: '3'

services:
  kong-database:
    image: postgres:9.6
    container_name: kong-database
    restart: always
    networks:
      - kong-net
    environment:
      - POSTGRES_DB=kong
      - POSTGRES_USER=kong
      - POSTGRES_PASSWORD=kongpass
    ports:
      - 5432:5432
    volumes:
      - "./postgres/database:/var/lib/postgresql/data"
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "kong"]
      interval: 5s
      timeout: 5s
      retries: 5

  kong-migrations:
    # image: kong/kong-gateway:3.0.0.0-alpine
    image: kong-oidc
    container_name: kong-migrations
    restart: on-failure
    command: kong migrations bootstrap -v
    networks:
      - kong-net
    environment:
      - KONG_PG_HOST=kong-database
      - KONG_DATABASE=postgres
      - KONG_PG_USER=kong
      - KONG_PG_PASSWORD=kongpass
      - KONG_PLUGINS=bundled,oidc
    depends_on:
      kong-database:
        condition: service_healthy

  kong-gateway:
    # image: kong/kong-gateway:3.0.0.0-alpine
    image: kong-oidc
    container_name: kong-gateway
    user: root
    restart: on-failure
    networks:
      - kong-net
    environment:
      - LC_CTYPE=en_US.UTF-8
      - LC_ALL=en_US.UTF-8
      - KONG_DATABASE=postgres
      - KONG_PG_HOST=kong-database
      - KONG_PG_USER=kong
      - KONG_PG_PASSWORD=kongpass
      - KONG_PROXY_ACCESS_LOG=/dev/stdout
      - KONG_ADMIN_ACCESS_LOG=/dev/stdout
      - KONG_PROXY_ERROR_LOG=/dev/stderr
      - KONG_ADMIN_ERROR_LOG=/dev/stderr
      - KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl
      - KONG_ADMIN_GUI_URL=http://localhost:8002
      - KONG_PLUGINS=bundled,oidc
    ports:
      - 8000:8000
      - 8443:8443
      - 8001:8001
      - 8444:8444
      - 8002:8002
      - 8445:8445
      - 8003:8003
      - 8004:8004
    depends_on:
      kong-migrations:
        condition: service_started

  konga:
    image: pantsel/konga
    container_name: konga
    networks:
      - kong-net
    ports:
      - 1337:1337
    environment:
      - DB_ADAPTER=postgres
      - DB_HOST=kong-database
      - DB_PORT=5432
      - DB_DATABASE=kong
      - DB_USER=kong
      - DB_PASSWORD=kongpass
      # - NODE_ENV=production
      - NODE_ENV=development
    depends_on:
      kong-database:
        condition: service_healthy

  keycloak:
    image: quay.io/keycloak/keycloak:19.0.1
    container_name: keycloak
    command: start-dev
    networks:
      - kong-net
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KEYCLOAK_LOGLEVEL=ALL

volumes:
  postgres:
    driver: local

networks:
  kong-net:
    driver: bridge

kong ingress controller bypassing the oidc plugin in kubernetes

Hi,

Summary
I have deployed the kong with oidc container v2.3.3-1 (https://github.com/revomatico/docker-kong-oidc/releases/tag/2.3.3-1) on Kubernetes in AWS. I have to integrate Keycloak with this Kong. But after doing all the configuration in Keycloak and creating the Kong plugin entity using YAML, the request to the microservice bypasses the oidc plugin and I can directly access the service from the ingress.

Steps To reproduce

  1. Created the OIDC Plugin Entity using YAML:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
labels:
    global: "true"
metadata:
  name: oidc
  namespace: kong
config:
  client_id: kong_api_access
  client_secret: 093c6dd1-XXXX-XXXX-XXXX-XXXXXXXXXXXX
  scope: openid
  realm: kong
  discovery: http://keycloak.abc.com/auth/realms/kong/.well-known/openid-configuration
  introspection_endpoint: http://keycloak.abc.com/auth/realms/kong/protocol/openid-connect/token/introspect
plugin: oidc
  2. Created the test microservice using YAML:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo
  annotations:
    plugins.konghq.com: oidc
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - http:
      paths:
      - path: /echo
        backend:
          serviceName: echo
          servicePort: 80
  3. Accessing the service using https://test.abc.com/echo
     This takes me directly to the service instead of loading the Keycloak login page.

Additional Information

  1. I can see the oidc plugin is enabled in kong
curl -s --insecure https://127.0.0.1:8444/plugins/enabled
{"enabled_plugins":["grpc-web","correlation-id","pre-function","cors","rate-limiting","loggly","hmac-auth","zipkin","request-size-limiting","azure-functions","request-transformer","oauth2","response-transformer","ip-restriction","statsd","jwt","proxy-cache","basic-auth","key-auth","http-log","oidc","session","datadog","tcp-log","prometheus","post-function","ldap-auth","acl","grpc-gateway","file-log","syslog","udp-log","response-ratelimiting","aws-lambda","bot-detection","acme","request-termination"]}

How to enable session compression to reduce cookie size?

Hi, I already set the environment variable KONG_X_SESSION_COMPRESSOR=zlib in my docker-compose.yml, but the cookies are still the same size, more than 5000 bytes. Are there any other parameters I need to set?

This is my docker-compose.yml

version: '3.4'

networks:
  kong-net:

volumes:
  kong-datastore:

services:
  kong-db:
    image: postgres:9.6
    volumes:
      - kong-datastore:/var/lib/postgresql/data
    networks:
      - kong-net
    ports:
      - "5432:5432"
    environment:
      POSTGRES_DB: kong
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong

  kong:
    image: revomatico/docker-kong-oidc:2.3.3-1
    volumes:
      - /data/solution/docker/kong/nginx_kong.lua:/usr/local/share/lua/5.1/kong/templates/nginx_kong.lua
      - /data/solution/www:/var/www/
    depends_on:
      - kong-db
    networks:
      - kong-net
    extra_hosts:
      - "sg.digitalgd.com.cn:172.16.0.3"
      - "ywpt.digitalgd.com.cn:172.16.16.43"
    ports:
      - "38000:8000" # Listener
      - "38001:8001" # Admin API
      - "38443:8443" # Listener  (SSL)
      - "38444:8444" # Admin API (SSL)
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-db
      KONG_PG_PORT: 5432
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_PG_PASSWORD: kong
      KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 ssl
      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
      KONG_PLUGINS: bundled,oidc
      KONG_X_SESSION_COMPRESSOR: zlib

kong ingress controller is not able to find oidc plugin after upgrade to 2.0.x

After upgrading the kong to 2.6.0 and kong ingress controller to 2.0.5 and 2.0.6, the ingress controller is giving the following error:

time="2021-12-07T09:28:24Z" level=error msg="failed to fetch KongPlugin: no KongPlugin or KongClusterPlugin was found" kongplugin_name=oidc kongplugin_namespace=default subsystem=proxy-cache-resolver time="2021-12-07T09:28:27Z" level=error msg="failed to fetch KongPlugin: no KongPlugin or KongClusterPlugin was found" kongplugin_name=oidc kongplugin_namespace=apps subsystem=proxy-cache-resolver time="2021-12-07T09:28:27Z" level=error msg="failed to fetch KongPlugin: no KongPlugin or KongClusterPlugin was found" kongplugin_name=oidc kongplugin_namespace=default subsystem=proxy-cache-resolver
The configuration for the OIDC plugin is:
apiVersion: configuration.konghq.com/v1
config:
  client_id: test
  client_secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  discovery: https://keycloak.abc.com/auth/realms/xxxx/.well-known/openid-configuration
  introspection_endpoint: https://keycloak.abc.com/auth/realms/xxxx/protocol/openid-connect/token/introspect
  realm: test
  scope: openid
kind: KongClusterPlugin
metadata:
  name: oidc
plugin: oidc

The env variable set in kong:
KONG_PLUGINS: bundled,oidc

Please suggest what's wrong here.

Questions about kong-oidc version and docker

Dear all,

we initially planned to use the https://github.com/nokia/kong-oidc plugin, but it seems to be outdated. Not sure if it even would work with Kong 2.0? What was the reason for your fork if I may ask?

I installed now your plugin https://github.com/revomatico/kong-oidc simply via luarocks in the original Kong docker image and enabled it with:

KONG_PLUGINS=bundled,oidc

I do see it in Konga and try to enable and set it up on a single route for testing.

However, I'm wondering: you created this custom Docker image here, docker-kong-oidc. Do we need all steps/installations in your Dockerfile to make this plugin work? It seems to be quite a lot of modifications to the original Kong image. Or are these simply some custom modifications that you need for yourself?

thanks a lot in advance
