
Authorization code is not getting passed to kong when client app is sending authorization <<>> in header instead of getting upstream server response #83

Open
ayan1207 opened this issue Nov 21, 2018 · 12 comments

Comments

@ayan1207

@Trojan295

We are getting the issue below. We installed the plugin successfully and then configured one API with the oidc plugin. After that, when we hit that API through the Kong proxy, we get the error below.

LOG 2018/11/21 16:14:22 [error] 15837#0: *35 [lua] openidc.lua:492: openidc_discover(): issuer field in Discovery data does not match URL, client: 10.51.204.125, server: kong, request: "POST /imapi HTTP/1.1", host: "10.144.20.240:8118"

Config we did.

"scope": "openid",
"client_id": "7db76fea-f48d-4396-89da-632625c6a435",
"discovery": "https://xx.xx.xx.xx/adfs/.well-known/openid-configuration",
"client_secret": "gahX1Oe_LNnaMb0dntiMLdQQ_8kPGLkOaakT2Npj"

},

@Trojan295
Contributor

Is the issuer field in the discovery document correct? It should match the URL on which the document is available.

@ayan1207
Author

ayan1207 commented Nov 22, 2018

@Trojan295

Can you please help to get this closed?
Our configuration in the Kong plugin is as below.

"client_id": "7db76fea-f48d-4396-89da-632625c6a435",
"bearer_only": "no",
"ssl_verify": "no",
"discovery": "https://TEST(uppercase).pocad.com/adfs/.well-known/openid-configuration",
"client_secret": "gahX1Oe_LNnaMb0dntiMLdQQ_8kPGLkOaakT2Npj"

When we hit the URL (https://test.pocad.com/adfs/.well-known/openid-configuration) from a browser, we get the response below.

Response
{
  "issuer": "https://TEST(Upper case).pocad.com/adfs",
  "authorization_endpoint": "https://test.pocad.com/adfs/oauth2/authorize/",
  "token_endpoint": "https://test.pocad.com/adfs/oauth2/token/",
  "jwks_uri": "https://test.pocad.com/adfs/discovery/keys",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "private_key_jwt", "windows_client_authentication"],
  "response_types_supported": ["code", "id_token", "code id_token", "id_token token", "code token", "code id_token token"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer", "implicit", "password", "srv_challenge"],
  "subject_types_supported": ["pairwise"],
  "scopes_supported": ["email", "user_impersonation", "openid", "aza", "winhello_cert", "profile", "allatclaims", "logon_cert", "vpn_cert"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "access_token_issuer": "http://test.pocad.com/adfs/services/trust",
  "claims_supported": ["aud", "iss", "iat", "exp", "auth_time", "nonce", "at_hash", "c_hash", "sub", "upn", "unique_name", "pwd_url", "pwd_exp", "mfa_auth_time", "sid"],
  "microsoft_multi_refresh_token": true,
  "userinfo_endpoint": "https://test.pocad.com/adfs/userinfo",
  "capabilities": [],
  "end_session_endpoint": "https://test.pocad.com/adfs/oauth2/logout",
  "as_access_token_token_binding_supported": true,
  "as_refresh_token_token_binding_supported": true,
  "resource_access_token_token_binding_supported": true,
  "op_id_token_token_binding_supported": true,
  "rp_id_token_token_binding_supported": true,
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true
}

Question 1: Are the issuer URL and the discovery URL case sensitive, and should they match as URL strings?

Question 2: We changed the discovery URL in the Kong plugin to match the issuer URL (the issuer is TEST.pocad.com/adfs, so we configured the discovery URL in the Kong plugin as https://TEST.pocad.com/adfs/.well-known/openid-configuration). When we hit the Kong proxy we now get a login page in the response.

(ADFS error page returned by the proxy; page scripts, styles and footer markup trimmed)

JavaScript required
JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

POCADFS Login Page
An error occurred
An error occurred. Contact your administrator for more information.
Error details
  • Activity ID: 78f6d3f9-2c40-4e21-0600-0080000000fa
  • Error time: Thu, 22 Nov 2018 06:48:59 GMT
© 2016 Microsoft, Help link: https://xx.xx.xx/

Thanks in advance!!

@Trojan295
Contributor

The issuer field must be a substring of the discovery URL you put in the plugin configuration. It is case sensitive. Could you try to provide more logs by running Kong with debug-level logging? You can also try putting the whole discovery URL in lowercase characters.

Besides, updating lua-resty-openidc to 1.9.0 in this plugin would also solve the problem, because they removed the check on this field. zmartzone/lua-resty-openidc#219
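The check described in the reply above, as an added example in Python (not code from kong-oidc or lua-resty-openidc): the case-sensitive prefix comparison of the issuer against the discovery URL, the stricter comparison OpenID Connect Discovery 1.0 (section 4.3) requires, and a diagnosis of the ADFS case where the two differ only in hostname case. The trimmed discovery document is constructed from the values posted earlier in the thread. A real check would fetch the document over TLS with certificate verification on, because the issuer it returns is what every later `iss` claim is compared against.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document, trimmed to the fields this check needs.
# The mixed-case issuer is what ADFS returned in the thread above.
ADFS_DISCOVERY = {
    "issuer": "https://TEST.pocad.com/adfs",
    "authorization_endpoint": "https://test.pocad.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://test.pocad.com/adfs/oauth2/token/",
    "jwks_uri": "https://test.pocad.com/adfs/discovery/keys",
}


def issuer_is_prefix(issuer: str, discovery_url: str) -> bool:
    """The rule described in the thread for lua-resty-openidc before 1.9.0:
    the issuer must be a case-sensitive prefix of the discovery URL."""
    return discovery_url.startswith(issuer)


def issuer_matches_spec(issuer: str, discovery_url: str) -> bool:
    """OpenID Connect Discovery 1.0, section 4.3: the issuer value MUST be
    identical to the issuer URL the document was retrieved from, i.e.
    issuer + WELL_KNOWN must equal the discovery URL byte for byte."""
    return issuer.rstrip("/") + WELL_KNOWN == discovery_url


def lowercase_host(url: str) -> str:
    """Lowercase only scheme and host, which RFC 3986 treats as
    case-insensitive; the path is case-significant and is left alone."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def diagnose(discovery_url: str, document: dict) -> dict:
    """Explain why a discovery URL is rejected and, when the only difference
    is hostname case, propose the discovery URL that will pass the check."""
    issuer = document.get("issuer", "")
    spec_ok = issuer_matches_spec(issuer, discovery_url)
    host_case_only = (not spec_ok) and issuer_matches_spec(
        lowercase_host(issuer), lowercase_host(discovery_url))
    return {
        "issuer": issuer,
        "prefix_match": issuer_is_prefix(issuer, discovery_url),
        "spec_match": spec_ok,
        "differs_only_by_host_case": host_case_only,
        "suggested_discovery_url": issuer.rstrip("/") + WELL_KNOWN if host_case_only else None,
    }


if __name__ == "__main__":
    for url in (
        "https://test.pocad.com/adfs/.well-known/openid-configuration",
        "https://TEST.pocad.com/adfs/.well-known/openid-configuration",
    ):
        print(url)
        for key, value in diagnose(url, ADFS_DISCOVERY).items():
            print(f"  {key}: {value}")
```

Run against the lowercase discovery URL, `diagnose` reports no match under either rule but flags that only the hostname case differs and suggests the mixed-case discovery URL; run against that URL both rules pass. A path-case difference (for example `/ADFS`) is not proposed as a fix, since paths are case-significant.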

@ayan1207
Author

ayan1207 commented Nov 23, 2018

@Trojan295

We have configured the details below in the kong-oidc plugin, and the issuer URL issue is now resolved. We are now getting: "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first. We went through #1 and set session_secret (encoded password) in the plugin, but we are still facing the issue below. Can you please help to get this closed?

Config we did for the plugin:
curl -i -X POST --url http://localhost:8115/apis/im/plugins \
  --data 'name=oidc' \
  --data "config.client_id=30f547df-2bdd-4fc9-a4e7-7c21cadf6ec8" \
  --data "config.client_secret=e8uYsjPbljp238tyJeHNWh72t33osS8jCQ6xyRUp" \
  --data "config.discovery=https://test.pocad.com/adfs/.well-known/openid-configuration" \
  --data "config.session_secret=dGliY29AMTIz"


DEBUG LOGS
2018/11/23 15:42:07 [debug] 23699#0: *37353 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1542966130.61 to: 1542967927.558
2018/11/23 15:42:10 [debug] 23700#0: *37365 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2018/11/23 15:42:10 [error] 23700#0: *37365 lua coroutine: runtime error: /usr/local/openresty/lualib/resty/core/var.lua:114: variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first
stack traceback:
coroutine 0:
[C]: in function 'error'
/usr/local/openresty/lualib/resty/core/var.lua:114: in function '__newindex'
/usr/local/share/lua/5.1/kong/plugins/oidc/session.lua:11: in function 'configure'
/usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:19: in function </usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:14>
coroutine 1:
[C]: in function 'resume'
coroutine.wrap:21: in function coroutine.wrap:21
/usr/local/share/lua/5.1/kong/init.lua:468: in function 'access'
access_by_lua(nginx-kong.conf:97):2: in function <access_by_lua(nginx-kong.conf:97):1>, client: 10.51.147.234, server: kong, request: "POST /imapi HTTP/1.1", host: "xx.xx.xx.xx:8118"
2018/11/23 15:42:10 [error] 23700#0: *37365 [lua] responses.lua:121: access(): /usr/local/openresty/lualib/resty/core/var.lua:114: variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first, client: 10.51.147.234, server: kong, request: "POST /imapi HTTP/1.1", host: "xx.xx.xx.xx:8118"
2018/11/23 15:42:10 [debug] 23700#0: *37365 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2018/11/23 15:42:10 [debug] 23700#0: *37365 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/23 15:42:10 [debug] 23700#0: *37365 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/23 15:42:10 [debug] 23700#0: *37365 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log

Then we tried to set set $session_secret ''; in the /usr/local/kong/nginx-kong.conf file and restarted Kong. But after restarting Kong, that property gets deleted automatically. Hence we get the same issue.


So we tried the scenarios below to set session_secret, but in all cases we received the same error log:

  a. Provided session_secret in the plugin config.
  b. Tried to set it as an environment variable: export kong_session_secret=XX
  c. Tried to set set $session_secret ''; in the /usr/local/kong/nginx-kong.conf file.
  d. Tried to set session_secret in the /etc/kong/kong.conf file.
  e. Tried to set set_decode_base64 $session_secret 'XX'; in the /usr/local/kong/nginx-kong.conf file.
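The behaviour reported above, a set directive added to nginx-kong.conf disappearing after a restart, is what a practitioner would expect: Kong generates that file from its nginx template every time it starts, so the edit has to go into the template instead. The fragment below is an added example, not from the kong-oidc project or from this thread, and assumes Kong's documented custom-template mechanism (kong start --nginx-conf). The server block is abbreviated; the full block must be copied from the bundled template of the Kong version in use. The variable name comes from the traceback above, where session.lua writes ngx.var.session_secret.

```nginx
# Fragment of a custom Kong nginx template, used as
#   kong start -c /etc/kong/kong.conf --nginx-conf /etc/kong/custom_nginx.template
# Kong rewrites /usr/local/kong/nginx-kong.conf from its template on every
# start, so a directive added to the generated file is lost on restart;
# declaring the variable in the template keeps it.
server {
    server_name kong;
    # listen, ssl and other directives: copy from the bundled template.

    # Declares the per-request variable that the plugin's session.lua writes
    # (ngx.var.session_secret) and that lua-resty-session reads. The plugin
    # assigns it from config.session_secret on each request, so the default
    # is deliberately empty; no secret is stored in the template.
    set $session_secret '';

    location / {
        # remainder of the proxy location: copy from the bundled template.
        access_by_lua_block {
            kong.access()
        }
    }
}
```

Because the template is now configuration you own, keep it in version control and re-diff it against the bundled template on every Kong upgrade; the generated nginx-kong.conf remains disposable.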

@Trojan295
Contributor

Can you provide details about:

  • which Kong version are you using
  • which plugin version are you using
  • are you running Kong in HA or single node?

@ayan1207
Author

ayan1207 commented Nov 24, 2018

@Trojan295

Please find below the details for your reference.

  1. We are using Kong 0.14.1 CE.
  2. We installed kong-oidc 1.1.0, using the "luarocks install kong-oidc" command to install the plugin, as mentioned in the installation steps.
  3. For development we are using a single node, but in production we will be using HA Kong.

After giving the decoded value to session_secret in the kong-oidc plugin, that error goes away. Does it mean that we are successfully connected to ADFS? Error.log below:

2018/11/26 16:04:33 [debug] 30516#0: *2321 [lua] cluster_events.lua:222: [cluster_events] polling events from: 1543227998.025 to: 1543228473.506
2018/11/26 16:04:35 [debug] 30514#0: *2333 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2018/11/26 16:04:35 [debug] 30514#0: *2333 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2018/11/26 16:04:35 [debug] 30514#0: *2333 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/26 16:04:35 [debug] 30514#0: *2333 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/11/26 16:04:35 [debug] 30514#0: *2333 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log

We have the questions below. Can you please help to get these clarified?

  1. Does it support ADFS 3.0?
  2. What parameter (header parameter) do users need to send to the Kong proxy when we enable the kong-oidc plugin? Currently we are passing "Authorization: Basic <>" but it is failing. Not getting much info from the error log. (When we disable the kong-oidc plugin, the upstream URL gives a proper response. Looks like the issue is with the kong-oidc plugin being enabled.)

Plugin config

{
  "created_at": 1542966125000,
  "config": {
    "response_type": "code",
    "realm": "kong",
    "redirect_after_logout_uri": "/",
    "scope": "openid",
    "token_endpoint_auth_method": "client_secret_post",
    "client_secret": "e8uYsjPbljp238tyJeHNWh72t33osS8jCQ6xyRUp",
    "client_id": "30f547df-2bdd-4fc9-a4e7-7c21cadf6ec8",
    "bearer_only": "no",
    "logout_path": "/logout",
    "ssl_verify": "no",
    "discovery": "https://test.pocad.com/adfs/.well-known/openid-configuration",
    "session_secret": "test@123"
  }
}


We are not getting much info from this error log. Could you please tell us where we can check the plugin-related logs?

Below are the logs from SoapUI.

Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "POST /imapi HTTP/1.1[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Accept-Encoding: gzip,deflate[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "SOAPAction: "/IdentifierManager"[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Content-Length: 541[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Host: 10.144.20.240:8118[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iden="http://www.test.mycom.com/integration/services/common/IdentifierManagement/">[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " <soapenv:Header/>[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " <soapenv:Body>[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " <ns1:getTransactionRefNumber xmlns:ns1="http://www.test.mycom.com/integration/services/common/IdentifierManagement/">[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " [\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " NO[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " 10[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " [\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " </ns1:getTransactionRefNumber>[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> " </soapenv:Body>[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:>> "</soapenv:Envelope>"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "HTTP/1.1 500 Internal Server Error[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Date: Mon, 26 Nov 2018 12:10:12 GMT[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Content-Type: text/plain; charset=UTF-8[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Transfer-Encoding: chunked[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Connection: close[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "Server: kong/0.14.1[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "1d[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "An unexpected error occurred[\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "0[\r][\n]"
Mon Nov 26 17:40:10 IST 2018:DEBUG:<< "[\r][\n]"

Regards

@Trojan295
Contributor

The logs look good now. The header needs to be: "Authorization: Bearer <>".

I haven't tested this plugin against ADFS 3.0.

@ayan1207
Author

@Trojan295

We are not able to get a response from the upstream URL after sending "Authorization: Bearer <>". But if we disable the oidc plugin, the upstream URL works fine. No error gets printed in the error log.

Regards

@Trojan295
Contributor

You would need to set the config.introspection_endpoint, if you want to enable passing the token in the Authorization header directly.

@ayan1207
Author

@Trojan295

We are not trying to pass the Authorization header directly to the upstream API.

We are going as per your design diagram. We are not able to find the point where we actually stop before reaching the upstream API. As per your previous comment, the Kong and ADFS connection is good.

Can you please help to get answers for the points below?

  1. The client application needs to send the authorization grant code to the Kong proxy (which parameter does the client application need to send in the header, Authorization Code<<>>, to the Kong proxy?).
  2. Then Kong will exchange the grant for an access token and ID token with ADFS (how can we make sure this is happening, as there is no log?).
  3. After getting the access token, Kong will try to get x-userinfo from ADFS using the access token (not sure whether this is happening or not, as there is not enough log).
  4. After getting x-userinfo from ADFS, the kong-oidc plugin will invoke the upstream API and send the response back to the client.

Now the client application is sending Authorization Code<<>> in the header to the Kong proxy, but they are getting the response below, whereas the upstream API is working fine.

HTTP/1.1 500 Internal Server Error
Date: Mon, 17 Dec 2018 07:28:03 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: kong/0.14.1

An unexpected error occurred
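Added example, not kong-oidc's code, covering the two points raised in the last few comments: a token presented directly in the Authorization header must be a Bearer token and must be introspected before the request is proxied (which is what config.introspection_endpoint enables), and the authorization-code flow does not take the code from a request header at all. The gateway redirects the user agent to the provider's authorization endpoint, the code comes back as a query parameter on the redirect_uri, and the gateway exchanges it at the token endpoint. The authorization and token endpoints come from the ADFS discovery document posted above; the introspection endpoint, redirect_uri and client secret are hypothetical placeholders, and `fake_post` returns constructed provider responses so the block runs offline.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Endpoints taken from the ADFS discovery document posted in the thread.
DISCOVERY = {
    "issuer": "https://TEST.pocad.com/adfs",
    "authorization_endpoint": "https://test.pocad.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://test.pocad.com/adfs/oauth2/token/",
}
# Hypothetical: the discovery document above lists no introspection endpoint.
INTROSPECTION_ENDPOINT = "https://test.pocad.com/adfs/oauth2/introspect/"
CLIENT_ID = "30f547df-2bdd-4fc9-a4e7-7c21cadf6ec8"
CLIENT_SECRET = "example-client-secret"              # placeholder, not the thread's secret
REDIRECT_URI = "https://kong.example/imapi/callback"  # hypothetical redirect_uri


def parse_authorization(header):
    """Split an Authorization value into (scheme, credential). A bare code such
    as 'Authorization: <code>' has no scheme and yields (None, None)."""
    if not header or " " not in header.strip():
        return None, None
    scheme, _, cred = header.strip().partition(" ")
    return scheme.lower(), cred.strip()


def check_introspection(resp, now=None):
    """RFC 7662 response checks a gateway must make before proxying."""
    now = now or time.time()
    if not resp.get("active"):
        return False, "token not active"
    if resp.get("exp") is not None and resp["exp"] <= now:
        return False, "token expired"
    if resp.get("iss") and resp["iss"] != DISCOVERY["issuer"]:
        return False, "wrong issuer"
    aud = resp.get("aud")
    if aud is not None and CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    return True, "ok"


def access(header, post, now=None):
    """Access-phase decision for one request: (status, detail).
    Bearer token -> introspect it; anything else -> start the code flow by
    redirecting, because the code arrives on redirect_uri, not in a header."""
    scheme, cred = parse_authorization(header)
    if scheme == "bearer" and cred:
        resp = post(INTROSPECTION_ENDPOINT,
                    {"token": cred, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
        ok, why = check_introspection(resp, now)
        return (200, "proxy to upstream") if ok else (401, why)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # bind to session in practice
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "nonce": nonce}
    return 302, DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def callback(query, expected_state, post):
    """redirect_uri handler: verify state, then exchange the code at the token
    endpoint with client_secret_post, the auth method configured in the thread."""
    q = parse_qs(query)
    if q.get("state", [None])[0] != expected_state:
        return None, "state mismatch"
    code = q.get("code", [None])[0]
    if not code:
        return None, "no code"
    tokens = post(DISCOVERY["token_endpoint"],
                  {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
                   "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    if "access_token" not in tokens:
        return None, tokens.get("error", "token exchange failed")
    return tokens, "ok"


def fake_post(url, form):
    """Constructed provider responses so the example runs offline."""
    if url == INTROSPECTION_ENDPOINT:
        if form["token"] == "good-token":
            return {"active": True, "exp": 4102444800, "iss": DISCOVERY["issuer"], "aud": CLIENT_ID}
        return {"active": False}
    if url == DISCOVERY["token_endpoint"] and form.get("code") == "good-code":
        return {"access_token": "good-token", "id_token": "x.y.z", "token_type": "Bearer"}
    return {"error": "invalid_grant"}


if __name__ == "__main__":
    for hdr in ("Bearer good-token", "Bearer revoked-token", "Basic dXNlcjpwYXNz",
                "78f6d3f9-2c40-4e21-0600-0080000000fa", None):
        print(repr(hdr), "->", access(hdr, fake_post))
    print(callback("code=good-code&state=abc", "abc", fake_post))
```

A SOAP client that sends "Authorization: Basic ..." or a bare code therefore lands in the redirect branch, which to a non-browser client looks like the HTML login or error page seen earlier in the thread, while "Authorization: Bearer <access_token>" reaches the upstream only after the introspection response says the token is active, unexpired and issued to this client.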

@ayan1207
Author

@Trojan295,

can you please update on this?

@ayan1207 ayan1207 changed the title openidc_discover(): issuer field in Discovery data does not match URL, Authorization code is not getting passed to kong when client app is sending authorization <<>> in header instead of getting upstream server response Jan 31, 2019
@littlechicks

any news for this issue ?
