
I am looking to restrict user access based on scope. I am using the Kong API gateway; here is my Dockerfile used for adding the nokia-oidc plugin. https://github.com/nokia/kong-oidc

Dockerfile:

FROM kong:latest  
USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc  
USER kong

In the token, I am getting a scope like "openid profile email":

"session_state": "8d408ace-4692-458c-a7d0-69b19c1ded11",
  "acr": "0",
  "allowed-origins": [
    "*"
  ],
  "scope": "openid profile email",

I am looking at how to restrict users based on whether a scope exists or not, as openid is the default one.


It's not working as expected. If myscope does not exist in the token, I am still able to log in.

Please help, thanks in advance...!

chagan
  • I'm just wondering, in addition to what you do, did you set validate scope on the oidc plugin to yes? – iceberg Mar 01 '22 at 10:46

2 Answers


Harsh's answer is incomplete; install the JWT plugin https://github.com/gbbirkisson/kong-plugin-jwt-keycloak

Next, make sure that your oidc plugin is up to date; if you see this in /usr/local/share/lua/5.1/kong/plugins/oidc/utils.lua you should be fine:

function M.injectAccessToken(accessToken)
  ngx.req.set_header("X-Access-Token", accessToken)
end

Okay, now the JWT plugin by default is not going to check for your X-Access-Token header, and it doesn't give you an option to edit that in the JSON configuration; you're going to have to edit the Lua code.

Inside /usr/local/share/lua/5.1/kong/plugins/jwt-keycloak/handler.lua, add the following lines after the cookie_names check but before the authorization_header check:

-- Token injected by the oidc plugin (see injectAccessToken above).
local access_header = kong.request.get_header("X-Access-Token")
-- get_header returns nil when the header is absent; guard for nil as well as "",
-- otherwise the function returns nil here and the Authorization header check below is skipped.
if access_header and access_header ~= "" then
    kong.log("X-Access-Token ", access_header)
    return access_header
end

You should be good to go now

Woody
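As an added example (not code from the question or from either answer), here is a Python model of the decision the gateway should reach once the jwt-keycloak plugin has picked the token up from the X-Access-Token header: verify the signature first, then split the space-delimited scope claim and require each scope as a whole word. The token builder, the HS256 secret and the claim values are constructed for this example only; the real plugin verifies RS256 signatures against the Keycloak realm's public key.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Iterable, Optional, Tuple

# Constructed secret standing in for the Keycloak realm key. The real jwt-keycloak
# plugin verifies RS256 signatures against the realm's public key; HS256 is used
# here only so the example runs offline with the standard library.
DEMO_SECRET = b"constructed-demo-secret"

# Constructed claim sets. The first mirrors the question's token, whose scope is
# the Keycloak default "openid profile email"; the second also carries "myscope".
DEFAULT_CLAIMS = {"preferred_username": "demo-user", "scope": "openid profile email"}
PRIVILEGED_CLAIMS = {"preferred_username": "demo-user", "scope": "openid profile email myscope"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str) -> Optional[dict]:
    """Return the claims only when the signature verifies; an unverified payload
    must never drive an authorization decision."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None


def token_scopes(claims: dict) -> set:
    """The OAuth2 scope claim is one space-delimited string; split it into whole scopes."""
    return set(str(claims.get("scope", "")).split())


def has_required_scopes(claims: dict, required: Iterable[str]) -> bool:
    """Every required scope must be present as a whole word. A substring test would
    let a token carrying "myscopes" satisfy a route that requires "myscope"."""
    return set(required).issubset(token_scopes(claims))


def authorize_request(access_token_header: Optional[str], required: Iterable[str]) -> Tuple[int, str]:
    """Decision for one request: 401 when the header is absent/empty or the token
    fails verification, 403 when a verified token lacks a required scope, 200 otherwise."""
    if not access_token_header:
        return 401, "missing X-Access-Token header"
    claims = verify_and_decode(access_token_header)
    if claims is None:
        return 401, "token signature invalid"
    if not has_required_scopes(claims, required):
        return 403, "required scope missing"
    return 200, "ok"


if __name__ == "__main__":
    required = ["myscope"]
    for label, header in [
        ("no header", None),
        ("default scopes", make_demo_token(DEFAULT_CLAIMS)),
        ("with myscope", make_demo_token(PRIVILEGED_CLAIMS)),
    ]:
        print(f"{label:>15}: {authorize_request(header, required)}")
```

The outcome to carry back to Kong is the middle case: a token whose scope is only the default "openid profile email" must be refused (403) on a route that requires myscope, and that refusal is only meaningful because the signature was checked before the scope claim was read.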

With the OIDC plugin you won't be able to perform authentication; however, you can do authorization.

You have to use this plugin: https://github.com/gbbirkisson/kong-plugin-jwt-keycloak

It will parse the JWT token from the internal header x-access-token, and based on it you can authenticate the user via scope, realm role and client roles.

Use this Dockerfile to add the plugin inside Kong:

FROM kong:2.0.3-alpine

LABEL description="Alpine + Kong 2.0.3 + kong-oidc plugin"

ENV OIDC_PLUGIN_VERSION=1.1.0-0
ENV JWT_PLUGIN_VERSION=1.1.0-1

USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc

RUN git clone https://github.com/PSheshenya/kong-oidc.git \
    && cd kong-oidc \
    && luarocks make

RUN luarocks pack kong-oidc ${OIDC_PLUGIN_VERSION} \
     && luarocks install kong-oidc-${OIDC_PLUGIN_VERSION}.all.rock

RUN git clone --branch 20200505-access-token-processing https://github.com/BGaunitz/kong-plugin-jwt-keycloak.git \
    && cd kong-plugin-jwt-keycloak \
    && luarocks make

RUN luarocks pack kong-plugin-jwt-keycloak ${JWT_PLUGIN_VERSION} \
     && luarocks install kong-plugin-jwt-keycloak-${JWT_PLUGIN_VERSION}.all.rock

USER kong

You might also have to change the JWT-Keycloak plugin priority to 900 or less so that it starts execution after the OIDC plugin.

Harsh Manvar
  • In case someone wants to set the priority via an environment variable, the handler.lua file in JWT-Keycloak accepts the environment variable JWT_KEYCLOAK_PRIORITY. To do this in a Dockerfile just: ENV JWT_KEYCLOAK_PRIORITY 900 – Woody May 20 '21 at 21:26