By: Yamil Díaz Aguirre user 25 Jan 2019 at 6:41 p.m. CST

2 Responses
We are trying to integrate Gluu with Kong, but we can't get it to work. This is our procedure so far. First we consume our jwks endpoint to get the RS256 public key signature:

```
oxauth/restv1/jwks
```

Then we take the first key:

```
{
  "kid": "760628a8-8f84-45cc-ac11-7aa2162b257c",
  "kty": "RSA",
  "use": "sig",
  "alg": "RS256",
  "exp": 1579975395062,
  "n": "xNbXqylnuoiyhNmpCDk-_U3PugCYXUvB_Y6gCi3d3PeadFVI0bSR8KdhFn3LdPRaYjJwzwzMSoc3oH0vSDOx8NabrVjczooHy2rYFnQfRw1F22lGYkPquEFTM9gf8G2d8hfQ-4Ot-BwMdWl7al5FnGNGyp2nWuh52ydZ1_Lal1toGy_RPQQ5M5YDvvBsWFnaSxwV4jbasx3UJ_GSo-fclPRJqXng0DA0nMj-Uayu1457jXMKRSg_KqxjPnWVnnvofkK8o1wtn-dPHu5BwcH1fv8PruJk8cc3oRyAjFKKqxAFw8LLXix4otyB-lWQxN_rguSWXVoGMw9-pDLyDbQXiQ",
  "e": "AQAB",
  "x5c": [ "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" ]
}
```

And we convert it to a pem key with https://8gwifi.org/jwkconvertfunctions.jsp so we get a pem key like this one:

```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxNbXqylnuoiyhNmpCDk+
/U3PugCYXUvB/Y6gCi3d3PeadFVI0bSR8KdhFn3LdPRaYjJwzwzMSoc3oH0vSDOx
8NabrVjczooHy2rYFnQfRw1F22lGYkPquEFTM9gf8G2d8hfQ+4Ot+BwMdWl7al5F
nGNGyp2nWuh52ydZ1/Lal1toGy/RPQQ5M5YDvvBsWFnaSxwV4jbasx3UJ/GSo+fc
lPRJqXng0DA0nMj+Uayu1457jXMKRSg/KqxjPnWVnnvofkK8o1wtn+dPHu5BwcH1
fv8PruJk8cc3oRyAjFKKqxAFw8LLXix4otyB+lWQxN/rguSWXVoGMw9+pDLyDbQX
iQIDAQAB
-----END PUBLIC KEY-----
```

Finally we create a consumer in Kong using the previous key, and we request the token in Gluu with the `oxauth/restv1/token` endpoint, so we get the response with the id_token (JWT), which we pass in the Authorization header as a bearer token to our Kong Gateway:

```
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2dsdXUuYXBhcmVqby5yb2NrcyIsImF1ZCI6IkAhMDAyQy4zQjVCLkMyN0IuN0M3NyEwMDAxITIyMzUuN0JDMSEwMDA4ITNFNTAuODYzQiIsImV4cCI6MTU0ODQ2MzE2MCwiaWF0IjoxNTQ4NDU5NTYwLCJhdXRoX3RpbWUiOjE1NDg0Mzk3MjAsImF0X2hhc2giOiJLQ1pIU0ltbWNLaWtKTEFZZFhnX0VRIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIiwic3ViIjoiQCEwMDJDLjNCNUIuQzI3Qi43Qzc3ITAwMDEhMjIzNS43QkMxITAwMDAhQThGMi5ERTFFLkQ3RkIifQ.QYldq2Bc6PK3lt9q7FksvwoFE3_2mgvkvQzPj27qw2A
```

But we get the following error:

```
Invalid algorithm
```

I guess it has to do with the fact that the public key is obtained in RS256, which is used for API by default, while the Bearer token obtained is in HS256 (used by default clients). Please, could you help us? Thank you!
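The procedure described in the post, as an added example that is not part of the thread and not code from Gluu or Kong: it rebuilds the PEM from the posted JWK with a small DER writer, then verifies a JWT the way a gateway should, with the algorithm fixed by the key it was configured with rather than by whatever the token header claims. It goes a little beyond the post by also checking `exp`. Only the Python standard library is used, so the RSA check is done with integer arithmetic; `verify_jwt`, `gateway_decision`, the sample shared secret and the sample payload are my own names and constructed data, and the posted token's payload is not reproduced (only its header segment is).

```python
"""Added example, not code from the thread, Gluu or Kong: build the PEM the poster made by hand
from the RS256 JWK in the post, then verify a JWT the way a gateway should, with the algorithm
fixed by the key instead of the token header. Stdlib only (RSA checked with integer arithmetic)."""
import base64, hashlib, hmac, json, time


class InvalidAlgorithm(Exception): pass   # token header alg != alg the key is bound to
class BadSignature(Exception): pass
class ExpiredToken(Exception): pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Modulus and exponent copied from the JWKS entry quoted in the post.
POSTED_RSA_JWK = {
    "kid": "760628a8-8f84-45cc-ac11-7aa2162b257c", "kty": "RSA", "use": "sig", "alg": "RS256",
    "n": "xNbXqylnuoiyhNmpCDk-"
         "_U3PugCYXUvB_Y6gCi3d3PeadFVI0bSR8KdhFn3LdPRaYjJwzwzMSoc3oH0vSDOx"
         "8NabrVjczooHy2rYFnQfRw1F22lGYkPquEFTM9gf8G2d8hfQ-4Ot-BwMdWl7al5F"
         "nGNGyp2nWuh52ydZ1_Lal1toGy_RPQQ5M5YDvvBsWFnaSxwV4jbasx3UJ_GSo-fc"
         "lPRJqXng0DA0nMj-Uayu1457jXMKRSg_KqxjPnWVnnvofkK8o1wtn-dPHu5BwcH1"
         "fv8PruJk8cc3oRyAjFKKqxAFw8LLXix4otyB-lWQxN_rguSWXVoGMw9-pDLyDbQX"
         "iQ",
    "e": "AQAB",
}
# Header segment of the bearer token quoted in the post: {"typ":"JWT","alg":"HS256"}.
POSTED_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
# Constructed sample material (hypothetical, not from the post).
SAMPLE_SECRET_JWK = {"kty": "oct", "alg": "HS256", "k": b64url_encode(b"constructed-shared-secret")}
SAMPLE_PAYLOAD = {"iss": "https://gluu.example", "sub": "alice", "exp": 4102444800}


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV writer, enough for SubjectPublicKeyInfo(rsaEncryption)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_uint(i: int) -> bytes:
    b = i.to_bytes((i.bit_length() + 7) // 8, "big") or b"\x00"
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive

def _rsa_params(jwk: dict):
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"), int.from_bytes(b64url_decode(jwk["e"]), "big"))

def jwk_to_pem(jwk: dict) -> str:
    """RSA JWK (n, e) -> SubjectPublicKeyInfo PEM ('BEGIN PUBLIC KEY'), the form shown in the post."""
    n, e = _rsa_params(jwk)
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(e))                              # RSAPublicKey
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")   # rsaEncryption, NULL
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))                      # SubjectPublicKeyInfo
    body = base64.b64encode(spki).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def _rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256 on plain integers (RFC 8017 section 8.2.2)."""
    n, e = _rsa_params(jwk)
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(signing_input).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def _hs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest(), sig)

VERIFIERS = {("RSA", "RS256"): _rs256_verify, ("oct", "HS256"): _hs256_verify}

def verify_jwt(token: str, jwk: dict, now=None) -> dict:
    """The key decides the algorithm; the header may only agree with it. Picking the verifier from
    the header instead lets anyone holding the public PEM mint HS256 tokens with it as the HMAC secret."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != jwk["alg"]:   # the post's "Invalid algorithm": HS256 token, RS256 key
        raise InvalidAlgorithm(f"token alg {header.get('alg')!r}, key alg {jwk['alg']!r}")
    if not VERIFIERS[(jwk["kty"], jwk["alg"])](jwk, f"{h}.{p}".encode("ascii"), b64url_decode(s)):
        raise BadSignature("signature does not verify")
    payload = json.loads(b64url_decode(p))
    if "exp" in payload and payload["exp"] <= (time.time() if now is None else now):
        raise ExpiredToken(f"expired at {payload['exp']}")
    return payload

def gateway_decision(token: str, jwk: dict) -> str:
    """What a gateway configured with this key would answer for this token."""
    try:
        verify_jwt(token, jwk)
        return "allow"
    except InvalidAlgorithm:
        return "deny: Invalid algorithm"
    except (BadSignature, ExpiredToken, ValueError) as exc:   # ValueError covers malformed tokens
        return f"deny: {type(exc).__name__}"

def make_hs256_token(payload: dict, secret_jwk: dict) -> str:
    """Constructed HS256 token reusing the post's header segment."""
    signing_input = f"{POSTED_HEADER}.{b64url_encode(json.dumps(payload).encode())}"
    mac = hmac.new(b64url_decode(secret_jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def make_forged_rs256_token(payload: dict) -> str:
    """RS256 header with a made-up signature: without Gluu's private key it must be rejected."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    fake_sig = b64url_encode(bytes([0x7F]) * 256)
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.{fake_sig}"
```

`jwk_to_pem(POSTED_RSA_JWK)` reproduces the PEM in the post line for line, so the conversion step was not the problem. `gateway_decision(make_hs256_token(SAMPLE_PAYLOAD, SAMPLE_SECRET_JWK), POSTED_RSA_JWK)` returns `deny: Invalid algorithm`, which is exactly the situation in the post: a consumer credential bound to RS256 is handed a token whose header says HS256. The refusal is the correct behaviour; a verifier that instead trusted the header's `alg` and fed the RSA public key into HMAC would be open to the well-known key-confusion forgery, so the fix is to present a token actually signed with the key the consumer was configured for, not to loosen the check.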

By Michael Schwartz Account Admin 26 Jan 2019 at 12:53 p.m. CST

That's outside the realm of what we can support. You might want to ask the Kong Community how to convert a JWKS to a format they can use.

One interesting thing you may want to think about: Gluu has released an API Gateway product that uses Kong Community Edition. You can see the docs on https://gluu.org/gg

BTW, using the `id_token` as a bearer token for access is really not recommended. Access tokens are normally short lived. An `id_token` is not a token, it's an identity assertion. And it's not short lived. You can think of an `id_token` as a modern SAML assertion. Instead of a signed XML, it's a signed JSON. You might want to re-think your access management approach. I would suggest using a real access token to control access to your API.

By Yamil Díaz Aguirre user 12 Feb 2019 at 4:44 p.m. CST

Thank you very much @Michael.Schwartz!