Kong Integration with OIDC Plugin

By: Enzo Veltri user 17 Jul 2019 at 12:29 p.m. CDT

6 Responses
Enzo Veltri gravatar
I'm trying to integrate Kong with Gluu Server. I've already successfully integrate Kong with Keycloak using Kong OIDC plugin (https://github.com/nokia/kong-oidc), but we want to investigate some alternatives to Keycloak. I think that the same could be done using the Gluu Server. Moreover you already use Kong in Gluu Gateway, so I suspect that is possible. TEST Architecture -- Kong --> deployed at 192.168.56.220:8000 Gluu server --> deployed at gluu (192.168.56.222) Rest server --> deployed at 192.168.56.202:8080/api Goal -- My goal is to secure the Rest server using Kong as Proxy and Gluu as IAM. So calling let's say http://192.168.56.220:8000/apis/op1 from the browser I will be redirected to the gluu login page and finally, after submitting the correct credentials I can call the kong endpoint that forwards my request to the rest server. Problem -- I think that my configuration it's good, but I'm facing this error contacting the kong endpoint, that is an error that comes from Gluu. "error":"invalid_request_redirect_uri","error_description":"The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris." This is the redirect uri: https://gluu/oxauth/restv1/authorize?response_type=code&client_id=%40!A8A7.B4B5.75C8.A2F2!0001!B057.8503!0008!B42E.A175.71DB.30A5&state=a8688d8abc14f20ae9eca7361f318530&redirect_uri=http%3A%2F%2F192.168.56.220%3A8000%2FlistaProgetti%2F&nonce=10afa917d13a308e67a91e25c5c2b00f&scope=openid This is my gluu configuration for the client. The redirect URI is the kong endpoint OPENID CONNECT CLIENTS DETAILS ------------------------------ - **Name:** kong - **Description:** kong integration - **Client ID:** @!A8A7.B4B5.75C8.A2F2!0001!B057.8503!0008!B42E.A175.71DB.30A5 - **Subject Type:** public - **Expirattion date:** Mon Jul 17 00:00:00 UTC 2119 - **ClientSecret:** XXXXXXXXXXX - **Client Uri:** http://192.168.56.220:8000 - **Application Type:** web - **Persist Client Authorizations:** true - **Pre-Authorization:** true - **Authentication method for the Token Endpoint:** client_secret_basic - **Logout Session Required:** false - **Include Claims In Id Token:** false - **Disabled:** false - **Login Redirect URIs:** [http://192.168.56.220:8000/] - **Scopes:** [openid, profile, email] - **Grant types:** [authorization_code] - **Response types:** [code, id_token] Just for the sake of completeness, this is the kong oidc plugin configuration { "created_at": 1563364364, "config": { "response_type": "code", "introspection_endpoint": null, "timeout": null, "redirect_uri": null, "ignore_auth_filters": "", "ssl_verify": "no", "bearer_only": "no", "access_token_header_as_bearer": "no", "access_token_header_name": "X-Access-Token", "disable_id_token_header": "no", "disable_access_token_header": "no", "session_secret": null, "introspection_endpoint_auth_method": null, "disable_userinfo_header": "no", "realm": "kong", "redirect_after_logout_uri": "/", "scope": "openid", "token_endpoint_auth_method": "client_secret_post", "logout_path": "/logout", "client_id": "@!A8A7.B4B5.75C8.A2F2!0001!B057.8503!0008!B42E.A175.71DB.30A5", "userinfo_header_name": "X-USERINFO", "revoke_tokens_on_logout": "no", "client_secret": "XXXXXXXXXXX", "filters": null, "discovery": "https://192.168.56.222/.well-known/openid-configuration", "id_token_header_name": "X-ID-Token", "recovery_page_path": null, "unauth_action": "auth" }, "id": "442b90a1-7e8f-4cd6-abf6-5516c54cf3c9", "service": null, "name": "oidc", "protocols": [ "http", "https" ], "enabled": true, "run_on": "first", "consumer": null, "route": { "id": "d12b0e2d-f26a-4038-940a-44c87ba1bb07" }, "tags": null }
Ubuntu 18.04
closed

Answers

By Michael Schwartz Account Admin 18 Jul 2019 at 4:46 a.m. CDT

Copy
Michael Schwartz gravatar
The error message is pretty descriptive: ``` The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris. ``` Is that true? If it is true, then the Gluu Server is acting as expected. Any OP that does not enforce this rule would be susceptible to an open redirector vulnerability... one of the worst known to OAuth. Also, the next version of Gluu Gateway will include an OpenID Connect plugin that we've written and tested. It will have more robust authorization features, including a way to use either UMA or [OPA](https://www.openpolicyagent.org/) policies.

By Enzo Veltri user 18 Jul 2019 at 5:06 a.m. CDT

Copy
Enzo Veltri gravatar
https://gluu/oxauth/restv1/authorize?response_type=code&client_id=%40!A8A7.B4B5.75C8.A2F2!0001!B057.8503!0008!B42E.A175.71DB.30A5&state=a8688d8abc14f20ae9eca7361f318530&redirect_uri=http%3A%2F%2F192.168.56.220%3A8000%2FlistaProgetti%2F&nonce=10afa917d13a308e67a91e25c5c2b00f&scope=openid Deconding the generated gluu URL https://gluu/oxauth/restv1/authorize?response_type=code&client_id=@!A8A7.B4B5.75C8.A2F2!0001!B057.8503!0008!B42E.A175.71DB.30A5&state=a8688d8abc14f20ae9eca7361f318530&redirect_uri=http://192.168.56.220:8000/listaProgetti/&nonce=10afa917d13a308e67a91e25c5c2b00f&scope=openid Now I suppose that redirect_uri is "http://192.168.56.220:8000/listaProgetti/", and the Login Redirect URIs is "http://192.168.56.220:8000/". So what's wrong with my configuration? Should I need to add "http://192.168.56.220:8000/listaProgetti/" to the Login Redirect URIs? I've already tried but I still have the same error.

By Meghna Joshi staff 18 Jul 2019 at 5:11 a.m. CDT

Copy
Meghna Joshi gravatar
Hi Enzo, I can see your OP Client has only `Login Redirect URIs: [http://192.168.56.220:8000/]` uri and you are requesting with `http://192.168.56.220:8000/listaProgetti/` uri. You also need to add `http://192.168.56.220:8000/listaProgetti/` uri in `Login Redirect URIs` in your OP Client. Add it and then test again. Thank you, Meghna Joshi

By Enzo Veltri user 18 Jul 2019 at 5:47 a.m. CDT

Copy
Enzo Veltri gravatar
Well, it works, but I've also changed something else, so I'll share for other people. This is my correct configuration. Kong-OIDC plugin - values to change client id --> client id from gluu client discovery --> https://YOUR_GLUU_ADDRESS/.well-known/openid-configuration secret --> secret from gluu client OPENID CONNECT CLIENTS DETAILS ------------------------------ - **Name:** kong - **Description:** kong integration - **Client ID:** CLIENT_ID - **Subject Type:** pairwise - **Expirattion date:** Mon Jul 17 00:00:00 UTC 2119 - **ClientSecret:** XXXXXXXXXXX - **Client Uri:** YOUR_KONG_URI - **Application Type:** web - **Persist Client Authorizations:** true - **Pre-Authorization:** true - **Authentication method for the Token Endpoint:** client_secret_post - **Logout Session Required:** false - **Include Claims In Id Token:** false - **Disabled:** false - **Login Redirect URIs:** all KONG endpoints - **Scopes:** [openid, profile, email] - **Grant types:** [authorization_code] - **Response types:** [code] Final question: Login Redirect URIs could cointains something like "http://192.168.56.220:8000/" in order to enable all the URIs where the prefix is let's say KONG_URI? In this way gluu will work without adding new login redirect URIs

By Michael Schwartz Account Admin 18 Jul 2019 at 6:09 a.m. CDT

Copy
Michael Schwartz gravatar
`redirect_uri` is an exact match. You can add parameters, but not paths. See [OpenID Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) ``` redirect_uris REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). ```

By Enzo Veltri user 18 Jul 2019 at 6:11 a.m. CDT

Copy
Enzo Veltri gravatar
Well it makes sense. Thank you :)

Post an answer