By: Yury Stanev user 13 Jun 2023 at 3:27 p.m. CDT

2 Responses

I'm trying to setup kong gateway to act as a proxy for Gluu server and use OpenID Connect to authentication. I've setup kong gateway following [this article](https://levelup.gitconnected.com/implement-kong-as-a-dockerized-openid-connect-relying-party-community-edition-6e6a1ac5f05c#8c17) and adjusted `kong.yml` to work with Gluu OpenID. When I send a request to gateway `curl --location --request GET 'http://localhost:8000/mock'` I get back a 400 response with below error and a log from docker-compose: ```json { "error_description": "The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris.", "state": "0b7ff302dd5a316c79fc8a5ee657c735", "error": "invalid_request_redirect_uri" } ``` ``` nginx | 172.31.5.227 - - [13/Jun/2023:19:32:43 +0000] "GET /oxauth/restv1/authorize?response_type=code&client_id=958e524a-4893-42a1-a6df-b1737c330ca4&state=e187dcd7ae8f6b6e07c9adaec6a071f7&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fmock%2F&nonce=3e70a539c724c9ba6688627b818b6885&scope=openid HTTP/1.1" 400 235 "http://localhost:8000/mock" "PostmanRuntime/7.30.0" "-" ``` Earlier I made the user neccessery redirect URLs. ```bash curl --location --request POST 'https://gluu-server.dev.com/oxauth/restv1/register' \ --header 'Content-Type: application/json' \ --data-raw '{ "redirect_uris": [ "http://localhost:4200/gluuAuthCallback", "http://localhost:8000/mock" ], "client_name": "Postman OIDC v2", "application_type": "native", "grant_types": ["authorization_code"] }' ``` ```json { "allow_spontaneous_scopes": false, "application_type": "native", "rpt_as_jwt": false, "registration_client_uri": "https://gluu-server.dev.com/oxauth/restv1/register?client_id=958e524a-4893-42a1-a6df-b1737c330ca4", "tls_client_auth_subject_dn": "", "registration_access_token": "2e49f0d9-0ba9-47a6-bcd2-86ec7d2440fd", "client_id": "958e524a-4893-42a1-a6df-b1737c330ca4", "token_endpoint_auth_method": "client_secret_basic", "scope": "openid uma_protection oxd permission offline_access", "run_introspection_script_before_access_token_as_jwt_creation_and_include_claims": false, "client_secret": "some-password", "client_id_issued_at": 1686674903, "backchannel_logout_uri": [], "backchannel_logout_session_required": false, "client_name": "Postman OIDC v2", "spontaneous_scopes": [], "id_token_signed_response_alg": "RS256", "access_token_as_jwt": false, "grant_types": [ "authorization_code" ], "subject_type": "pairwise", "keep_client_authorization_after_expiration": false, "redirect_uris": [ "http://localhost:8000/mock", "http://localhost:4200/gluuAuthCallback" ], "additional_audience": [], "frontchannel_logout_uri": [], "frontchannel_logout_session_required": false, "client_secret_expires_at": 0, "require_auth_time": false, "access_token_signing_alg": "RS256", "response_types": [] } ``` So the above response from Gluu seems strange at one point it seemed to work and I got back a 401 status and message about user not being authorosed to use that access method, but then it went back to redirect uri error. When I try to make the same auth request from Postman I get back 200 and a bunch of HTML for the login page, instead of response that's [described here](https://gluu.org/docs/gluu-server/4.3/api-guide/openid-connect-api/#response). ```bash curl --location --request GET 'https://gluu-server.dev.com/oxauth/restv1/authorize?scope=openid&response_type=code&client_id=958e524a-4893-42a1-a6df-b1737c330ca4&redirect_uri=http://localhost:8000/mock' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Cookie: JSESSIONID=node08rtzkpdbbcc51d5nzzebc6o1g20.node0; rp_origin_id=http://localhost:8000/mock; opbs=bd32e39b-e882-4e93-9337-b8868bc82446; org.gluu.i18n.Locale=en; session_id=b22c59ae-6d58-460d-8232-56fb5404da69; session_state=77f9244c793647bd3342b32a1e477e82b0d91e2bd8bd377315abf407bafad792.ff4945b1-b61e-4dcd-a699-0927d81a5ab5' \ --data-urlencode 'scope=openid' \ --data-urlencode 'response_type=code' \ --data-urlencode 'client_id=958e524a-4893-42a1-a6df-b1737c330ca4' \ --data-urlencode 'redirect_uri=http://localhost:8000/mock' ``` I think it's the issue with how I've configured the OIDC client, I'm not quite sure as to the cause.

Gluu 4.5 Docker 20.1

closed

By Michael Schwartz Account Admin 13 Jun 2023 at 3:46 p.m. CDT

Copy

Just having a quick look at it, the redirect uri in your request doesn't seem to match... so is the error message actually correct? Bad news is that we are sunsetting Gluu community support. The HEAD of the project moved to the Linux Foundation in 2020: [https://jans.io](https://jans.io) As a result, we're moving community support to the Github Discussions for the project: [https://github.com/JanssenProject/jans/discussions ](https://github.com/JanssenProject/jans/discussions ) Also note: Gluu 4 binaries are moved behind a paywall. So you should really switch to Jans Auth Server if you want free binaries. See the docs on [https://docs.jans.io](https://docs.jans.io) for install instructions.

By Yury Stanev user 14 Jun 2023 at 7:51 a.m. CDT

Copy

Thanks Michael, it seems Kong gateway encodes `redirect_url` when the request it sent over. I've tried to dirty solution by adding and encoded URL to the client, but no such luck. I'll look more it. Again, thanks for pointing that out.

You need to Login in order to post an answer

can't autorize user though kong gateway / postman

By: Yury Stanev user 13 Jun 2023 at 3:27 p.m. CDT

Answers

By Michael Schwartz Account Admin 13 Jun 2023 at 3:46 p.m. CDT

By Yury Stanev user 14 Jun 2023 at 7:51 a.m. CDT

Post an answer