By: Yury Stanev user 13 Jun 2023 at 3:27 p.m. CDT

I'm trying to set up Kong gateway to act as a proxy for Gluu server and use OpenID Connect for authentication. I've set up Kong gateway following [this article](https://levelup.gitconnected.com/implement-kong-as-a-dockerized-openid-connect-relying-party-community-edition-6e6a1ac5f05c#8c17) and adjusted `kong.yml` to work with Gluu OpenID. When I send a request to the gateway with `curl --location --request GET 'http://localhost:8000/mock'` I get back a 400 response with the error below and a log from docker-compose:

```json
{
  "error_description": "The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris.",
  "state": "0b7ff302dd5a316c79fc8a5ee657c735",
  "error": "invalid_request_redirect_uri"
}
```

```
nginx | 172.31.5.227 - - [13/Jun/2023:19:32:43 +0000] "GET /oxauth/restv1/authorize?response_type=code&client_id=958e524a-4893-42a1-a6df-b1737c330ca4&state=e187dcd7ae8f6b6e07c9adaec6a071f7&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fmock%2F&nonce=3e70a539c724c9ba6688627b818b6885&scope=openid HTTP/1.1" 400 235 "http://localhost:8000/mock" "PostmanRuntime/7.30.0" "-"
```

Earlier I registered the necessary redirect URLs:

```bash
curl --location --request POST 'https://gluu-server.dev.com/oxauth/restv1/register' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "redirect_uris": [
      "http://localhost:4200/gluuAuthCallback",
      "http://localhost:8000/mock"
    ],
    "client_name": "Postman OIDC v2",
    "application_type": "native",
    "grant_types": ["authorization_code"]
  }'
```

```json
{
  "allow_spontaneous_scopes": false,
  "application_type": "native",
  "rpt_as_jwt": false,
  "registration_client_uri": "https://gluu-server.dev.com/oxauth/restv1/register?client_id=958e524a-4893-42a1-a6df-b1737c330ca4",
  "tls_client_auth_subject_dn": "",
  "registration_access_token": "2e49f0d9-0ba9-47a6-bcd2-86ec7d2440fd",
  "client_id": "958e524a-4893-42a1-a6df-b1737c330ca4",
  "token_endpoint_auth_method": "client_secret_basic",
  "scope": "openid uma_protection oxd permission offline_access",
  "run_introspection_script_before_access_token_as_jwt_creation_and_include_claims": false,
  "client_secret": "some-password",
  "client_id_issued_at": 1686674903,
  "backchannel_logout_uri": [],
  "backchannel_logout_session_required": false,
  "client_name": "Postman OIDC v2",
  "spontaneous_scopes": [],
  "id_token_signed_response_alg": "RS256",
  "access_token_as_jwt": false,
  "grant_types": [
    "authorization_code"
  ],
  "subject_type": "pairwise",
  "keep_client_authorization_after_expiration": false,
  "redirect_uris": [
    "http://localhost:8000/mock",
    "http://localhost:4200/gluuAuthCallback"
  ],
  "additional_audience": [],
  "frontchannel_logout_uri": [],
  "frontchannel_logout_session_required": false,
  "client_secret_expires_at": 0,
  "require_auth_time": false,
  "access_token_signing_alg": "RS256",
  "response_types": []
}
```

So the above response from Gluu seems strange. At one point it seemed to work and I got back a 401 status and a message about the user not being authorised to use that access method, but then it went back to the redirect URI error.

When I try to make the same auth request from Postman I get back 200 and a bunch of HTML for the login page, instead of the response that's [described here](https://gluu.org/docs/gluu-server/4.3/api-guide/openid-connect-api/#response).

```bash
curl --location --request GET 'https://gluu-server.dev.com/oxauth/restv1/authorize?scope=openid&response_type=code&client_id=958e524a-4893-42a1-a6df-b1737c330ca4&redirect_uri=http://localhost:8000/mock' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cookie: JSESSIONID=node08rtzkpdbbcc51d5nzzebc6o1g20.node0; rp_origin_id=http://localhost:8000/mock; opbs=bd32e39b-e882-4e93-9337-b8868bc82446; org.gluu.i18n.Locale=en; session_id=b22c59ae-6d58-460d-8232-56fb5404da69; session_state=77f9244c793647bd3342b32a1e477e82b0d91e2bd8bd377315abf407bafad792.ff4945b1-b61e-4dcd-a699-0927d81a5ab5' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'response_type=code' \
  --data-urlencode 'client_id=958e524a-4893-42a1-a6df-b1737c330ca4' \
  --data-urlencode 'redirect_uri=http://localhost:8000/mock'
```

I think it's an issue with how I've configured the OIDC client, but I'm not quite sure as to the cause.
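The `redirect_uri` check an OpenID Provider performs is a byte-for-byte comparison against the registered list, so a trailing slash or case difference is a mismatch. The following is an added illustration (not Gluu's or Kong's code) that decodes the `redirect_uri` from the authorize request in the nginx log above and compares it against the `redirect_uris` from the registration response; the `diagnose` helper and its trailing-slash hint are this example's own.

```python
"""Exact redirect_uri matching as an OP applies it (illustrative, not Gluu code)."""
from urllib.parse import urlsplit, parse_qs

# redirect_uris from the dynamic-registration response in the post above.
REGISTERED_REDIRECT_URIS = [
    "http://localhost:8000/mock",
    "http://localhost:4200/gluuAuthCallback",
]

# Request target copied from the nginx log line in the post above.
AUTHZ_REQUEST_TARGET = (
    "/oxauth/restv1/authorize?response_type=code"
    "&client_id=958e524a-4893-42a1-a6df-b1737c330ca4"
    "&state=e187dcd7ae8f6b6e07c9adaec6a071f7"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fmock%2F"
    "&nonce=3e70a539c724c9ba6688627b818b6885&scope=openid"
)


def extract_redirect_uri(request_target: str) -> str:
    """Return the percent-decoded redirect_uri; reject missing or repeated values."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    values = params.get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("redirect_uri must appear exactly once")
    return values[0]  # parse_qs already applies percent-decoding


def redirect_uri_matches(requested: str, registered: list[str]) -> bool:
    """Strict string equality: no slash, case or scheme normalisation."""
    return requested in registered


def diagnose(request_target: str, registered: list[str]) -> dict:
    """Run the OP-style check and, on failure, point at a near-miss registered URI."""
    requested = extract_redirect_uri(request_target)
    result = {"requested": requested,
              "matches": redirect_uri_matches(requested, registered),
              "hint": None}
    if not result["matches"]:
        for candidate in registered:
            if candidate.rstrip("/") == requested.rstrip("/"):
                result["hint"] = f"differs from {candidate!r} only by a trailing slash"
            elif candidate.lower() == requested.lower():
                result["hint"] = f"differs from {candidate!r} only by case"
    return result


if __name__ == "__main__":
    print(diagnose(AUTHZ_REQUEST_TARGET, REGISTERED_REDIRECT_URIS))
```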

By Michael Schwartz Account Admin 13 Jun 2023 at 3:46 p.m. CDT

Just having a quick look at it, the redirect URI in your request doesn't seem to match... so is the error message actually correct?

Bad news is that we are sunsetting Gluu community support. The HEAD of the project moved to the Linux Foundation in 2020: [https://jans.io](https://jans.io). As a result, we're moving community support to the GitHub Discussions for the project: [https://github.com/JanssenProject/jans/discussions](https://github.com/JanssenProject/jans/discussions)

Also note: Gluu 4 binaries are moved behind a paywall. So you should really switch to Jans Auth Server if you want free binaries. See the docs on [https://docs.jans.io](https://docs.jans.io) for install instructions.

By Yury Stanev user 14 Jun 2023 at 7:51 a.m. CDT

Thanks Michael, it seems Kong gateway encodes `redirect_url` when the request is sent over. I've tried a dirty solution by adding an encoded URL to the client, but no such luck. I'll look into it more. Again, thanks for pointing that out.