This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

Scope Validation is not working. Is it a feature or dead code? #29

Open
filipeversehgi opened this issue Dec 7, 2022 · 5 comments


filipeversehgi commented Dec 7, 2022

From what I see here in handler.lua, it's possible to pass multiple scopes to the plugin configuration and ask it to validate whether the returned token has these scopes, is that correct?

https://github.com/revomatico/kong-oidc/blob/master/kong/plugins/oidc/handler.lua#L126

But it seems that this code only supports 1 scope, not multiple scopes.

I was wondering if this is a hidden feature, or just some dead code that was left behind. I would be interested in submitting a PR if that's welcome.


ahhduy commented Mar 15, 2023

I have the same question.

@ruiengana
Collaborator

Feature is working as expected. Please note it doesn't make sense to ask to validate 3 scopes for a single endpoint. You should review your API security practices.


ahhduy commented Mar 15, 2023

> Feature is working as expected. Please note it doesn't make sense to ask to validate 3 scopes for a single endpoint. You should review your API security practices.

Thanks for your reply.

This is my oidc config:

{
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "config": {
    "realm": "kong",
    "redirect_after_logout_uri": "/",
    "unauth_action": "auth",
    "discovery": "http://192.168.11.11:8080/realms/kong/.well-known/openid-configuration",
    "recovery_page_path": null,
    "timeout": null,
    "response_type": "code",
    "use_jwks": "yes",
    "session_secret": null,
    "bearer_jwt_auth_signing_algs": [
      "RS256"
    ],
    "ssl_verify": "no",
    "client_secret": "3hE3tAofmFe28inrPe7AygsXf6fxmlLf",
    "redirect_uri": null,
    "header_names": [],
    "client_id": "kong_client",
    "filters": null,
    "skip_already_auth_requests": "no",
    "redirect_after_logout_with_id_token_hint": "no",
    "bearer_jwt_auth_allowed_auds": null,
    "validate_scope": "yes",
    "bearer_jwt_auth_enable": "no",
    "token_endpoint_auth_method": "client_secret_post",
    "introspection_cache_ignore": "no",
    "post_logout_redirect_uri": null,
    "groups_claim": "groups",
    "ignore_auth_filters": null,
    "header_claims": [],
    "disable_userinfo_header": "no",
    "id_token_header_name": "X-ID-Token",
    "userinfo_header_name": "X-USERINFO",
    "introspection_endpoint": "http://192.168.11.11:8080/realms/kong/protocol/openid-connect/token/introspect",
    "revoke_tokens_on_logout": "no",
    "scope": "openid",
    "bearer_only": "no",
    "disable_access_token_header": "no",
    "introspection_endpoint_auth_method": "client_secret_basic",
    "access_token_header_name": "X-Access-Token",
    "access_token_as_bearer": "no",
    "disable_id_token_header": "no",
    "logout_path": "/logout"
  },
  "tags": null,
  "enabled": true,
  "route": null,
  "name": "oidc",
  "created_at": 1678863921,
  "consumer": null,
  "id": "2cf01a39-4d0d-4c4f-8b9d-7a048594d4f6",
  "service": {
    "id": "34a0c1b0-1cac-4e9c-a09d-cf5e2a3eb7db"
  }
}

When I visit the configured route in Kong with a browser I get redirected to Keycloak to authenticate, and after success I can see my endpoint (any user I created in Keycloak can access this endpoint through the browser). But when I use this code to get an access token and connect to the endpoint I get the error: {"message":"Forbidden"}

#!/bin/bash

auth_url='http://localhost:8080'   # no trailing slash; the token path below adds its own
realm_name='kong'
client_id='kong_client'
client_secret='3hE3tAofmFe28inrPe7AygsXf6fxmlLf'
username='duypa'
password='123456aA'
url='http://localhost:8000/httpbin2'

# Resource Owner Password grant against Keycloak. -s hides the progress meter and
# -f makes a non-2xx token response fail instead of handing jq an error body.
token=$(curl -sf -X POST \
   "${auth_url}/realms/${realm_name}/protocol/openid-connect/token" \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "client_id=${client_id}" \
   -d "client_secret=${client_secret}" \
   -d "username=${username}" \
   -d "password=${password}" \
   -d "grant_type=password" | jq -r '.access_token')
echo "$token"

# Call the Kong route with the access token as a bearer token
curl -X GET \
   "${url}" \
   -H "Authorization: Bearer ${token}"

And after I check the access token, I don't see any value "openid" in scope. Maybe I made a mistake?
Note that if I change config.scope to match the scope in the JWT access token I get, and remove the default "openid", I can connect to the endpoint with that code normally. But in the browser, I get an error. Thank you for your reply.
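The check that produces the Forbidden above is a comparison between the plugin's config.scope and the scope claim of the presented token. The following is an added example, not code from kong-oidc or from anyone in this thread: it decodes a JWT's scope claim and reports which of the configured scopes are missing, so it also answers the opening question of what "multiple scopes" would mean (config.scope is treated as a space-separated list, as in OAuth 2.0). The two tokens are constructed, unsigned samples modelled on what the thread describes: the password-grant token carries no "openid" because that request never asked for it, while the browser flow's token does. The claim layout, the scope values, and the assumption that the plugin requires every configured scope are mine, not taken from the plugin source.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned (alg=none) JWT purely as sample input.
    A real Keycloak access token is RS256-signed and the gateway must verify
    that signature before trusting any claim; this helper exists only so the
    example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_scopes(token: str) -> set:
    """Scopes carried in the token's 'scope' claim (a space-separated string,
    the OAuth 2.0 convention Keycloak follows)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scope", "").split())


def missing_scopes(token: str, required: str) -> set:
    """Scopes listed in the plugin-style config.scope string (space-separated)
    that the token does NOT carry. An empty set means every required scope
    is present; anything else is what a scope check would reject on."""
    return set(required.split()) - token_scopes(token)


def scope_check_passes(token: str, required: str) -> bool:
    return not missing_scopes(token, required)


# Constructed samples (assumed claim sets, not real tokens):
# the password grant in the thread's script sends no scope parameter, so the
# resulting token's scope claim lacks "openid"; the browser flow asks for
# scope=openid and gets it back.
PASSWORD_GRANT_TOKEN = make_unsigned_jwt(
    {"sub": "duypa", "azp": "kong_client", "scope": "profile email"}
)
BROWSER_FLOW_TOKEN = make_unsigned_jwt(
    {"sub": "duypa", "azp": "kong_client", "scope": "openid profile email"}
)

if __name__ == "__main__":
    for name, tok in (("password grant", PASSWORD_GRANT_TOKEN),
                      ("browser flow", BROWSER_FLOW_TOKEN)):
        for required in ("openid", "profile email", "openid admin"):
            verdict = "pass" if scope_check_passes(tok, required) else \
                f"FORBIDDEN, missing {sorted(missing_scopes(tok, required))}"
            print(f"{name:14} config.scope={required!r:22} -> {verdict}")
```

Run with a real token by pasting it in place of the constructed ones: the output for config.scope="openid" against a password-grant token is the same Forbidden the script above hits, and a token from a request that included scope=openid passes. Requiring several scopes is simply a longer space-separated config.scope; the check rejects if any one of them is absent.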

@ruiengana
Collaborator

Scope validation is not intended to be used with OpenID scope, that's the whole purpose of the oidc plugin.


ahhduy commented Mar 16, 2023

> Scope validation is not intended to be used with OpenID scope, that's the whole purpose of the oidc plugin.

I see. Thank you for your answer.


3 participants