Scope Validation is not working. Is a feature or dead code?

[filipeversehgi]

From what I see here in handler.lua, it's possible to pass multiple scopes to the plugin configuration and asks it to validate if the returned token has these scopes, is that correct?

https://github.com/revomatico/kong-oidc/blob/master/kong/plugins/oidc/handler.lua#L126

But it seems that this code only supports 1 scope, not multiple scopes.

I was wondering if this is a hidden feature, or is just some dead code that was left behind. I would be interested in submiting a PR if that's welcome.

[ahhduy]

I have same question.

[ruiengana]

Feature is working as expected. Please note it doesn't make sense to ask to validate 3 scopes for a single endpoint. You should review your API security practices.

[ahhduy]

Feature is working as expected. Please note it doesn't make sense to ask to validate 3 scopes for a single endpoint. You should review your API security practices.

Thank for your reply.

This is my config oidc:

{
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "config": {
    "realm": "kong",
    "redirect_after_logout_uri": "/",
    "unauth_action": "auth",
    "discovery": "http://192.168.11.11:8080/realms/kong/.well-known/openid-configuration",
    "recovery_page_path": null,
    "timeout": null,
    "response_type": "code",
    "use_jwks": "yes",
    "session_secret": null,
    "bearer_jwt_auth_signing_algs": [
      "RS256"
    ],
    "ssl_verify": "no",
    "client_secret": "3hE3tAofmFe28inrPe7AygsXf6fxmlLf",
    "redirect_uri": null,
    "header_names": [],
    "client_id": "kong_client",
    "filters": null,
    "skip_already_auth_requests": "no",
    "redirect_after_logout_with_id_token_hint": "no",
    "bearer_jwt_auth_allowed_auds": null,
    "validate_scope": "yes",
    "bearer_jwt_auth_enable": "no",
    "token_endpoint_auth_method": "client_secret_post",
    "introspection_cache_ignore": "no",
    "post_logout_redirect_uri": null,
    "groups_claim": "groups",
    "ignore_auth_filters": null,
    "header_claims": [],
    "disable_userinfo_header": "no",
    "id_token_header_name": "X-ID-Token",
    "userinfo_header_name": "X-USERINFO",
    "introspection_endpoint": "http://192.168.11.11:8080/realms/kong/protocol/openid-connect/token/introspect",
    "revoke_tokens_on_logout": "no",
    "scope": "openid",
    "bearer_only": "no",
    "disable_access_token_header": "no",
    "introspection_endpoint_auth_method": "client_secret_basic",
    "access_token_header_name": "X-Access-Token",
    "access_token_as_bearer": "no",
    "disable_id_token_header": "no",
    "logout_path": "/logout"
  },
  "tags": null,
  "enabled": true,
  "route": null,
  "name": "oidc",
  "created_at": 1678863921,
  "consumer": null,
  "id": "2cf01a39-4d0d-4c4f-8b9d-7a048594d4f6",
  "service": {
    "id": "34a0c1b0-1cac-4e9c-a09d-cf5e2a3eb7db"
  }
}

I visit the configured route in kong with browser i get redirected to keycloak to authenticate and after success i can see my endpoint (anyuser I created in keycloak can access this endpoint through the browser). But when I using this code to get access token and connect to endpoint I got error: {"message":"Forbidden"}

#!/bin/bash

auth_url='http://localhost:8080/'
realm_name='kong'
client_id='kong_client'
client_secret='3hE3tAofmFe28inrPe7AygsXf6fxmlLf'
username='duypa'
password='123456aA'
url='http://localhost:8000/httpbin2'

token=$(curl -X POST \
   "${auth_url}/realms/${realm_name}/protocol/openid-connect/token" \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "client_id=${client_id}" \
   -d "client_secret=${client_secret}" \
   -d "username=${username}" \
   -d "password=${password}" \
   -d "grant_type=password" | jq -r '.access_token')
echo $token
curl -X GET \
   "${url}" \
   -H "Authorization: Bearer ${token}"

And after I check the access token, I don't see any value "openid" in scope. Maybe i made a mistake?
Note that if I change the config.scope same like jwt access_token i get and remove default config "openid". I can connect to the endpoint with that code normally. But in browser , I got error. Thank u for reply.

[ruiengana]

Scope validation is not intended to be used with OpenID scope, that's the whole purpose of the oidc plugin.

[ahhduy]

Scope validation is not intended to be used with OpenID scope, that's the whole purpose of the oidc plugin.

I see. Thank you for your answer.