From b2506a2dff1ef505c9458c9fbc4ae61fc8fe6ba1 Mon Sep 17 00:00:00 2001 From: Aron Eidelman Date: Fri, 9 Aug 2019 13:53:06 -0700 Subject: [PATCH] docs(oidc) update from APIs to Services & Routes (#1404) * docs(oidc) update from APIs to Services / Routes * remove leftover closing bracket * make the step title less threatening * fix indentation and add closing bracket to sample * clarify sentence about redirection to URI * fix case typo * apply services/routes to previous versions --- app/_hub/kong-inc/openid-connect/0.32-x.md | 351 +++++++++------------ app/_hub/kong-inc/openid-connect/0.33-x.md | 351 +++++++++------------ app/_hub/kong-inc/openid-connect/0.34-x.md | 348 ++++++++------------ app/_hub/kong-inc/openid-connect/0.35-x.md | 348 ++++++++------------ app/_hub/kong-inc/openid-connect/index.md | 348 ++++++++------------ 5 files changed, 706 insertions(+), 1040 deletions(-) diff --git a/app/_hub/kong-inc/openid-connect/0.32-x.md b/app/_hub/kong-inc/openid-connect/0.32-x.md index 03973ec4199d..0452521595e9 100644 --- a/app/_hub/kong-inc/openid-connect/0.32-x.md +++ b/app/_hub/kong-inc/openid-connect/0.32-x.md 
@@ -1720,266 +1720,200 @@ that this usage example is for testing purposes and that you should not send confidential information to `httpbin.org` that is used here for illustrative purposes. -##### 1. Creating the API +#### 1. Creating a Service and Route -To create an API we execute the following command: +To create a Service, issue the following command: ```bash -$ http post :8001/apis \ +$ http post :8001/services \ name=openid-connect-demo \ - uris=/ \ - upstream_url=http://httpbin.org/anything -v -``` -```http -POST /apis HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 91 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 + url=http://httpbin.org/anything ``` + +The response should be structured like so: + ```json { - "name": "openid-connect-demo", - "upstream_url": "http://httpbin.org/anything", - "uris": "/" + "connect_timeout": 60000, + "created_at": 1535539722, + "host": "httpbin.org", + "id": "903978c9-2472-4a04-aff5-d9ba13821e64", + "name": "httpbin", + "path": "/anything", + "port": 80, + "protocol": "http", + "read_timeout": 60000, + "retries": 5, + "updated_at": 1535539722, + "write_timeout": 60000 } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:09:43 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +Then, to add a Route, issue the following command: + +```bash +$ http :8001/services/httpbin/routes paths:='["/"]' protocols:='["http"]' ``` + +The response should be structured like so: + ```json { - "created_at": 1502730583000, - "http_if_terminated": false, - "https_only": false, - "id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "name": "openid-connect-demo", - "preserve_host": false, - "retries": 5, - "strip_uri": true, - "upstream_connect_timeout": 60000, - "upstream_read_timeout": 60000, - "upstream_send_timeout": 60000, - 
"upstream_url": "http://httpbin.org/anything", - "uris": [ - "/" - ] + "created_at": 1536698521, + "hosts": null, + "id": "17b83376-b69d-4638-9b53-13184018eaf6", + "methods": null, + "paths": [ + "/" + ], + "preserve_host": false, + "protocols": [ + "http" + ], + "regex_priority": 0, + "service": { + "id": "903978c9-2472-4a04-aff5-d9ba13821e64" + }, + "strip_path": true, + "updated_at": 1536698521 } ``` -##### 2. Checking the API - -Check that the API works by issuing the following command: +Save the Route ID ```bash -$ http :8000 -v +$ export ROUTE_ID= +$ echo $ROUTE_ID ``` + +#### 2. Verify Response with and without Kong -And you should get output similar to this: +Verify that you can make a direct call to `http://httpbin.org/anything` _without_ proxying through Kong by issuing the following command: -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` -```http -HTTP/1.1 200 OK -Access-Control-Allow-Credentials: true -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Length: 390 -Content-Type: application/json -Date: Mon, 14 Aug 2017 17:12:16 GMT -Server: meinheld/0.6.1 -Via: kong/0.10.3 -X-Kong-Proxy-Latency: 181 -X-Kong-Upstream-Latency: 828 -X-Powered-By: Flask -X-Processed-Time: 0.00134587287903 +```bash +$ http get http://httpbin.org/anything ``` + +The response should be `HTTP 200 OK` and appear like so: + ```json { - "args": {}, - "data": "", - "files": {}, - "form": {}, - "headers": { - "Accept": "*/*", - "Accept-Encoding": "gzip, deflate", - "Connection": "close", - "Host": "httpbin.org", - "User-Agent": "HTTPie/0.9.9", - "X-Forwarded-Host": "localhost" - }, - "json": null, - "method": "GET", - "origin": "127.0.0.1, 37.33.72.184", - "url": "http://localhost/anything" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + 
"User-Agent": "HTTPie/0.9.9" + }, + "json": null, + "method": "GET", + "origin": "52.70.213.138", + "url": "http://httpbin.org/anything" } -``` -##### 3. Enabling the Plugin +``` -To enable `openid-connect` plugin for the API, -execute the following command (on production you -shouldn't disable SSL verification): +Verify that Kong successfully proxies through Kong by issuing the following command: ```bash -$ http post :8001/apis/openid-connect-demo/plugins \ - name=openid-connect \ - config.issuer= \ - config.client_id= \ - config.client_secret= \ - config.redirect_uri= \ - config.ssl_verify=false -v +$ http get 127.0.0.1:8000 ``` -On successful call you will get output similar to this: - -```http -POST /apis/openid-connect-demo/plugins HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 256 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 -``` +The response should be `HTTP 200 OK` and appear like so: + ```json { - "config.client_id": "ATdm9WUNmfGzdE0pyRApY66pnfHVJNMI", - "config.client_secret": "kaSFMAJSEQVlYl4Crvf4Sl9WIM0rP3gVxbhT3GAhPDTzRbzxKh3pxHnNWMhhRrcN", - "config.issuer": "https://kong-demo.eu.auth0.com/", - "config.ssl_verify": "false", - "name": "openid-connect" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9", + "X-Forwarded-Host": "127.0.0.1" + }, + "json": null, + "method": "GET", + "origin": "172.19.0.1, 23.96.32.228", + "url": "http://127.0.0.1/anything" } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:22:27 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +#### 3. 
Secure the Service with OIDC + +To enable the OIDC Plugin for the Service, execute the following +command, but note that SSL verification is disabled here for +testing purposes only: + +```bash +http post :8001/services/httpbin/plugins \ + name=openid-connect \ + config.issuer= \ + config.client_id= \ + config.client_secret= \ + config.redirect_uri= \ + config.ssl_verify=false -v ``` + +On successful `HTTP 200 OK`, the response will be similar to: + ```json { - "api_id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "config": { - "auth_methods": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "kong_oauth2", - "refresh_token", - "session" - ], - "client_id": [ - "" - ], - "client_secret": [ - "" - ], - "consumer_by": [ - "username", - "custom_id" - ], - "http_version": 1.1, - "id_token_param_type": [ - "query", - "header", - "body" - ], - "issuer": "", - "leeway": 0, - "login_action": "upstream", - "login_tokens": [ - "id_token" - ], - "response_mode": "query", - "reverify": false, - "scopes": [ - "openid" - ], - "ssl_verify": false, - "timeout": 10000, - "upstream_access_token_header": "authorization:bearer", - "verify_claims": true, - "verify_nonce": true, - "verify_parameters": true, - "verify_signature": true - }, - "created_at": 1502731347000, + "config": { + "audience_claim": [ + "aud" + ], + "client_id": [ + "kong" + ], + "client_secret": [ + "b8068d7d-d7bf-4b23-8724-881ee49bdbfd" + ], + "consumer_by": [ + "username", + "custom_id" + ], + "introspect_jwt_tokens": false, + "introspection_hint": "access_token", + "issuer": "http://ip10-0-0-3-bec2g5kmeb6ge43qmuc0-8080.direct.konglabs-s3.simplru.com/auth/realms/master", + "created_at": 1536700540000, "enabled": true, - "id": "4a91a0ef-1632-491d-a4e3-b8f98f75dcda", - "name": "openid-connect" + "id": "6836ba3c-12e0-4f2e-bdfd-88134eaa1786", + "name": "openid-connect", + "service_id": "903978c9-2472-4a04-aff5-d9ba13821e64" + } } ``` -##### 4. Try the API +#### 4. 
Verify that Authorization is Now Required + +Attempt the following command without authorization: ```bash -$ http :8000 -v +$ http get :8000/anything ``` -As you might have expected, it doesn't work anymore: +It will result in: -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 ``` - -as it gives this redirect as a reply: - -```http -HTTP/1.1 302 Moved Temporarily -Connection: keep-alive -Content-Length: 167 -Content-Type: text/html -Date: Mon, 14 Aug 2017 17:24:59 GMT -Location: https:///authorize?scope=openid&client_id=&response_mode=query&state=y2J74-KJFzogFXEtWgwDzl-Y&nonce=J-Ylp3E4dIQIhgutGFo3JOOU&redirect_uri=&response_type=code -Server: kong/0.10.3 -Set-Cookie: authorization=; Path=/; HttpOnly -``` -``` - - 302 FoundDDD - -

302 Found

-
openresty/1.11.2.2
- - +HTTP 301 Moved Temporarily ``` Now, at this point you could try to open the page using a browser and see if you can go through the authorization code flow, and after that -get an reply from httpbin.org. Please check that your redirect uri is -correctly registered as the identity provider should redirect the -browser back to Kong url where this plugin is enabled (it can be the same -API or it can be different API). +get a reply from `httpbin.org`. Please check that your redirect URI parameter is +correctly set, since the identity provider should redirect the +user back to this URI once authentication is successful. (The URI can be the same +Service or a different one). -You could also try another ways, like for example password grant -(and please try other authentication methods as well): +You could also try another way; for example, password grant: ```bash $ http :8000 Authorization:"Basic :" @@ -2007,6 +1941,7 @@ $ http patch :8001/plugins/ And make an authenticated request again to see how this affects the request and response headers. + ### Compatibility The library behind these plugins have been tested with several OpenID diff --git a/app/_hub/kong-inc/openid-connect/0.33-x.md b/app/_hub/kong-inc/openid-connect/0.33-x.md index 8de3909d116a..7aacab5e1389 100644 --- a/app/_hub/kong-inc/openid-connect/0.33-x.md +++ b/app/_hub/kong-inc/openid-connect/0.33-x.md 
@@ -1710,266 +1710,200 @@ that this usage example is for testing purposes and that you should not send confidential information to `httpbin.org` that is used here for illustrative purposes. -#### 1. Creating the API +#### 1. Creating a Service and Route -To create an API we execute the following command: +To create a Service, issue the following command: ```bash -$ http post :8001/apis \ +$ http post :8001/services \ name=openid-connect-demo \ - uris=/ \ - upstream_url=http://httpbin.org/anything -v -``` -```http -POST /apis HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 91 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 + url=http://httpbin.org/anything ``` + +The response should be structured like so: + ```json { - "name": "openid-connect-demo", - "upstream_url": "http://httpbin.org/anything", - "uris": "/" + "connect_timeout": 60000, + "created_at": 1535539722, + "host": "httpbin.org", + "id": "903978c9-2472-4a04-aff5-d9ba13821e64", + "name": "httpbin", + "path": "/anything", + "port": 80, + "protocol": "http", + "read_timeout": 60000, + "retries": 5, + "updated_at": 1535539722, + "write_timeout": 60000 } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:09:43 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +Then, to add a Route, issue the following command: + +```bash +$ http :8001/services/httpbin/routes paths:='["/"]' protocols:='["http"]' ``` + +The response should be structured like so: + ```json { - "created_at": 1502730583000, - "http_if_terminated": false, - "https_only": false, - "id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "name": "openid-connect-demo", - "preserve_host": false, - "retries": 5, - "strip_uri": true, - "upstream_connect_timeout": 60000, - "upstream_read_timeout": 60000, - "upstream_send_timeout": 60000, - 
"upstream_url": "http://httpbin.org/anything", - "uris": [ - "/" - ] + "created_at": 1536698521, + "hosts": null, + "id": "17b83376-b69d-4638-9b53-13184018eaf6", + "methods": null, + "paths": [ + "/" + ], + "preserve_host": false, + "protocols": [ + "http" + ], + "regex_priority": 0, + "service": { + "id": "903978c9-2472-4a04-aff5-d9ba13821e64" + }, + "strip_path": true, + "updated_at": 1536698521 } ``` -#### 2. Checking the API - -Check that the API works by issuing the following command: +Save the Route ID ```bash -$ http :8000 -v +$ export ROUTE_ID= +$ echo $ROUTE_ID ``` + +#### 2. Verify Response with and without Kong -And you should get output similar to this: +Verify that you can make a direct call to `http://httpbin.org/anything` _without_ proxying through Kong by issuing the following command: -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` -```http -HTTP/1.1 200 OK -Access-Control-Allow-Credentials: true -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Length: 390 -Content-Type: application/json -Date: Mon, 14 Aug 2017 17:12:16 GMT -Server: meinheld/0.6.1 -Via: kong/0.10.3 -X-Kong-Proxy-Latency: 181 -X-Kong-Upstream-Latency: 828 -X-Powered-By: Flask -X-Processed-Time: 0.00134587287903 +```bash +$ http get http://httpbin.org/anything ``` + +The response should be `HTTP 200 OK` and appear like so: + ```json { - "args": {}, - "data": "", - "files": {}, - "form": {}, - "headers": { - "Accept": "*/*", - "Accept-Encoding": "gzip, deflate", - "Connection": "close", - "Host": "httpbin.org", - "User-Agent": "HTTPie/0.9.9", - "X-Forwarded-Host": "localhost" - }, - "json": null, - "method": "GET", - "origin": "127.0.0.1, 37.33.72.184", - "url": "http://localhost/anything" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + 
"User-Agent": "HTTPie/0.9.9" + }, + "json": null, + "method": "GET", + "origin": "52.70.213.138", + "url": "http://httpbin.org/anything" } -``` -#### 3. Enabling the Plugin +``` -To enable `openid-connect` plugin for the API, -execute the following command (on production you -shouldn't disable SSL verification): +Verify that Kong successfully proxies through Kong by issuing the following command: ```bash -$ http post :8001/apis/openid-connect-demo/plugins \ - name=openid-connect \ - config.issuer= \ - config.client_id= \ - config.client_secret= \ - config.redirect_uri= \ - config.ssl_verify=false -v +$ http get 127.0.0.1:8000 ``` -On successful call you will get output similar to this: - -```http -POST /apis/openid-connect-demo/plugins HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 256 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 -``` +The response should be `HTTP 200 OK` and appear like so: + ```json { - "config.client_id": "ATdm9WUNmfGzdE0pyRApY66pnfHVJNMI", - "config.client_secret": "kaSFMAJSEQVlYl4Crvf4Sl9WIM0rP3gVxbhT3GAhPDTzRbzxKh3pxHnNWMhhRrcN", - "config.issuer": "https://kong-demo.eu.auth0.com/", - "config.ssl_verify": "false", - "name": "openid-connect" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9", + "X-Forwarded-Host": "127.0.0.1" + }, + "json": null, + "method": "GET", + "origin": "172.19.0.1, 23.96.32.228", + "url": "http://127.0.0.1/anything" } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:22:27 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +#### 3. 
Secure the Service with OIDC + +To enable the OIDC Plugin for the Service, execute the following +command, but note that SSL verification is disabled here for +testing purposes only: + +```bash +http post :8001/services/httpbin/plugins \ + name=openid-connect \ + config.issuer= \ + config.client_id= \ + config.client_secret= \ + config.redirect_uri= \ + config.ssl_verify=false -v ``` + +On successful `HTTP 200 OK`, the response will be similar to: + ```json { - "api_id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "config": { - "auth_methods": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "kong_oauth2", - "refresh_token", - "session" - ], - "client_id": [ - "" - ], - "client_secret": [ - "" - ], - "consumer_by": [ - "username", - "custom_id" - ], - "http_version": 1.1, - "id_token_param_type": [ - "query", - "header", - "body" - ], - "issuer": "", - "leeway": 0, - "login_action": "upstream", - "login_tokens": [ - "id_token" - ], - "response_mode": "query", - "reverify": false, - "scopes": [ - "openid" - ], - "ssl_verify": false, - "timeout": 10000, - "upstream_access_token_header": "authorization:bearer", - "verify_claims": true, - "verify_nonce": true, - "verify_parameters": true, - "verify_signature": true - }, - "created_at": 1502731347000, + "config": { + "audience_claim": [ + "aud" + ], + "client_id": [ + "kong" + ], + "client_secret": [ + "b8068d7d-d7bf-4b23-8724-881ee49bdbfd" + ], + "consumer_by": [ + "username", + "custom_id" + ], + "introspect_jwt_tokens": false, + "introspection_hint": "access_token", + "issuer": "http://ip10-0-0-3-bec2g5kmeb6ge43qmuc0-8080.direct.konglabs-s3.simplru.com/auth/realms/master", + "created_at": 1536700540000, "enabled": true, - "id": "4a91a0ef-1632-491d-a4e3-b8f98f75dcda", - "name": "openid-connect" + "id": "6836ba3c-12e0-4f2e-bdfd-88134eaa1786", + "name": "openid-connect", + "service_id": "903978c9-2472-4a04-aff5-d9ba13821e64" + } } ``` -#### 4. Try the API +#### 4. 
Verify that Authorization is Now Required + +Attempt the following command without authorization: ```bash -$ http :8000 -v +$ http get :8000/anything ``` -As you might have expected, it doesn't work anymore: +It will result in: -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 ``` - -as it gives this redirect as a reply: - -```http -HTTP/1.1 302 Moved Temporarily -Connection: keep-alive -Content-Length: 167 -Content-Type: text/html -Date: Mon, 14 Aug 2017 17:24:59 GMT -Location: https:///authorize?scope=openid&client_id=&response_mode=query&state=y2J74-KJFzogFXEtWgwDzl-Y&nonce=J-Ylp3E4dIQIhgutGFo3JOOU&redirect_uri=&response_type=code -Server: kong/0.10.3 -Set-Cookie: authorization=; Path=/; HttpOnly -``` -```html - - 302 Found - -

302 Found

-
openresty/1.11.2.2
- - +HTTP 301 Moved Temporarily ``` Now, at this point you could try to open the page using a browser and see if you can go through the authorization code flow, and after that -get an reply from httpbin.org. Please check that your redirect uri is -correctly registered as the identity provider should redirect the -browser back to Kong url where this plugin is enabled (it can be the same -API or it can be different API). +get a reply from `httpbin.org`. Please check that your redirect URI parameter is +correctly set, since the identity provider should redirect the +user back to this URI once authentication is successful. (The URI can be the same +Service or a different one). -You could also try another ways, like for example password grant -(and please try other authentication methods as well): +You could also try another way; for example, password grant: ```bash $ http :8000 Authorization:"Basic :" @@ -1997,6 +1931,7 @@ $ http patch :8001/plugins/ And make an authenticated request again to see how this affects the request and response headers. + ## Compatibility The library behind these plugins have been tested with several OpenID diff --git a/app/_hub/kong-inc/openid-connect/0.34-x.md b/app/_hub/kong-inc/openid-connect/0.34-x.md index 9ab15b7edcdc..2b21b67aaee8 100644 --- a/app/_hub/kong-inc/openid-connect/0.34-x.md +++ b/app/_hub/kong-inc/openid-connect/0.34-x.md 
@@ -2313,268 +2313,200 @@ not send confidential information to `httpbin.org` that is used here for illustrative purposes. -#### 1. Creating the API +#### 1. Creating a Service and Route -To create an API we execute the following command: +To create a Service, issue the following command: ```bash -$ http post :8001/apis \ +$ http post :8001/services \ name=openid-connect-demo \ - uris=/ \ - upstream_url=http://httpbin.org/anything -v -``` -```http -POST /apis HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 91 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 + url=http://httpbin.org/anything ``` + +The response should be structured like so: + ```json { - "name": "openid-connect-demo", - "upstream_url": "http://httpbin.org/anything", - "uris": "/" + "connect_timeout": 60000, + "created_at": 1535539722, + "host": "httpbin.org", + "id": "903978c9-2472-4a04-aff5-d9ba13821e64", + "name": "httpbin", + "path": "/anything", + "port": 80, + "protocol": "http", + "read_timeout": 60000, + "retries": 5, + "updated_at": 1535539722, + "write_timeout": 60000 } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:09:43 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +Then, to add a Route, issue the following command: + +```bash +$ http :8001/services/httpbin/routes paths:='["/"]' protocols:='["http"]' ``` + +The response should be structured like so: + ```json { - "created_at": 1502730583000, - "http_if_terminated": false, - "https_only": false, - "id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "name": "openid-connect-demo", - "preserve_host": false, - "retries": 5, - "strip_uri": true, - "upstream_connect_timeout": 60000, - "upstream_read_timeout": 60000, - "upstream_send_timeout": 60000, - "upstream_url": "http://httpbin.org/anything", - "uris": [ - "/" - ] + 
"created_at": 1536698521, + "hosts": null, + "id": "17b83376-b69d-4638-9b53-13184018eaf6", + "methods": null, + "paths": [ + "/" + ], + "preserve_host": false, + "protocols": [ + "http" + ], + "regex_priority": 0, + "service": { + "id": "903978c9-2472-4a04-aff5-d9ba13821e64" + }, + "strip_path": true, + "updated_at": 1536698521 } ``` +Save the Route ID -#### 2. Checking the API +```bash +$ export ROUTE_ID= +$ echo $ROUTE_ID +``` + +#### 2. Verify Response with and without Kong -Check that the API works by issuing the following command: +Verify that you can make a direct call to `http://httpbin.org/anything` _without_ proxying through Kong by issuing the following command: ```bash -$ http :8000 -v +$ http get http://httpbin.org/anything ``` -And you should get output similar to this: +The response should be `HTTP 200 OK` and appear like so: -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` -```http -HTTP/1.1 200 OK -Access-Control-Allow-Credentials: true -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Length: 390 -Content-Type: application/json -Date: Mon, 14 Aug 2017 17:12:16 GMT -Server: meinheld/0.6.1 -Via: kong/0.10.3 -X-Kong-Proxy-Latency: 181 -X-Kong-Upstream-Latency: 828 -X-Powered-By: Flask -X-Processed-Time: 0.00134587287903 -``` ```json { - "args": {}, - "data": "", - "files": {}, - "form": {}, - "headers": { - "Accept": "*/*", - "Accept-Encoding": "gzip, deflate", - "Connection": "close", - "Host": "httpbin.org", - "User-Agent": "HTTPie/0.9.9", - "X-Forwarded-Host": "localhost" - }, - "json": null, - "method": "GET", - "origin": "127.0.0.1, 37.33.72.184", - "url": "http://localhost/anything" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9" + }, + "json": null, + "method": "GET", + 
"origin": "52.70.213.138", + "url": "http://httpbin.org/anything" } -``` +``` -#### 3. Enabling the Plugin - -To enable `openid-connect` plugin for the API, -execute the following command (on production you -shouldn't disable SSL verification): +Verify that Kong successfully proxies through Kong by issuing the following command: ```bash -$ http post :8001/apis/openid-connect-demo/plugins \ - name=openid-connect \ - config.issuer= \ - config.client_id= \ - config.client_secret= \ - config.redirect_uri= \ - config.ssl_verify=false -v +$ http get 127.0.0.1:8000 ``` -On successful call you will get output similar to this: - -```http -POST /apis/openid-connect-demo/plugins HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 256 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 -``` +The response should be `HTTP 200 OK` and appear like so: + ```json { - "config.client_id": "ATdm9WUNmfGzdE0pyRApY66pnfHVJNMI", - "config.client_secret": "kaSFMAJSEQVlYl4Crvf4Sl9WIM0rP3gVxbhT3GAhPDTzRbzxKh3pxHnNWMhhRrcN", - "config.issuer": "https://kong-demo.eu.auth0.com/", - "config.ssl_verify": "false", - "name": "openid-connect" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9", + "X-Forwarded-Host": "127.0.0.1" + }, + "json": null, + "method": "GET", + "origin": "172.19.0.1, 23.96.32.228", + "url": "http://127.0.0.1/anything" } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:22:27 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +#### 3. 
Secure the Service with OIDC + +To enable the OIDC Plugin for the Service, execute the following +command, but note that SSL verification is disabled here for +testing purposes only: + +```bash +http post :8001/services/httpbin/plugins \ + name=openid-connect \ + config.issuer= \ + config.client_id= \ + config.client_secret= \ + config.redirect_uri= \ + config.ssl_verify=false -v ``` + +On successful `HTTP 200 OK`, the response will be similar to: + ```json { - "api_id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "config": { - "auth_methods": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "kong_oauth2", - "refresh_token", - "session" - ], - "client_id": [ - "" - ], - "client_secret": [ - "" - ], - "consumer_by": [ - "username", - "custom_id" - ], - "http_version": 1.1, - "id_token_param_type": [ - "query", - "header", - "body" - ], - "issuer": "", - "leeway": 0, - "login_action": "upstream", - "login_tokens": [ - "id_token" - ], - "response_mode": "query", - "reverify": false, - "scopes": [ - "openid" - ], - "ssl_verify": false, - "timeout": 10000, - "upstream_access_token_header": "authorization:bearer", - "verify_claims": true, - "verify_nonce": true, - "verify_parameters": true, - "verify_signature": true - }, - "created_at": 1502731347000, + "config": { + "audience_claim": [ + "aud" + ], + "client_id": [ + "kong" + ], + "client_secret": [ + "b8068d7d-d7bf-4b23-8724-881ee49bdbfd" + ], + "consumer_by": [ + "username", + "custom_id" + ], + "introspect_jwt_tokens": false, + "introspection_hint": "access_token", + "issuer": "http://ip10-0-0-3-bec2g5kmeb6ge43qmuc0-8080.direct.konglabs-s3.simplru.com/auth/realms/master", + "created_at": 1536700540000, "enabled": true, - "id": "4a91a0ef-1632-491d-a4e3-b8f98f75dcda", - "name": "openid-connect" + "id": "6836ba3c-12e0-4f2e-bdfd-88134eaa1786", + "name": "openid-connect", + "service_id": "903978c9-2472-4a04-aff5-d9ba13821e64" + } } ``` +#### 4. 
Verify that Authorization is Now Required -#### 4. Try the API +Attempt the following command without authorization: ```bash -$ http :8000 -v +$ http get :8000/anything ``` -As you might have expected, it doesn't work anymore: - -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` +It will result in: -as it gives this redirect as a reply: - -```http -HTTP/1.1 302 Moved Temporarily -Connection: keep-alive -Content-Length: 167 -Content-Type: text/html -Date: Mon, 14 Aug 2017 17:24:59 GMT -Location: https:///authorize?scope=openid&client_id=&response_mode=query&state=y2J74-KJFzogFXEtWgwDzl-Y&nonce=J-Ylp3E4dIQIhgutGFo3JOOU&redirect_uri=&response_type=code -Server: kong/0.10.3 -Set-Cookie: authorization=; Path=/; HttpOnly ``` -```html - - 302 Found - -

302 Found

- - +HTTP 301 Moved Temporarily ``` Now, at this point you could try to open the page using a browser and see if you can go through the authorization code flow, and after that -get an reply from httpbin.org. Please check that your redirect uri is -correctly registered as the identity provider should redirect the -browser back to Kong url where this plugin is enabled (it can be the same -API or it can be different API). +get a reply from `httpbin.org`. Please check that your redirect URI parameter is +correctly set, since the identity provider should redirect the +user back to this URI once authentication is successful. (The URI can be the same +Service or a different one). -You could also try another ways, like for example password grant -(and please try other authentication methods as well): +You could also try another way; for example, password grant: ```bash $ http :8000 Authorization:"Basic :" diff --git a/app/_hub/kong-inc/openid-connect/0.35-x.md b/app/_hub/kong-inc/openid-connect/0.35-x.md index 70b325a08476..b5ea199c9686 100644 --- a/app/_hub/kong-inc/openid-connect/0.35-x.md +++ b/app/_hub/kong-inc/openid-connect/0.35-x.md 
@@ -2314,268 +2314,200 @@ not send confidential information to `httpbin.org` that is used here for illustrative purposes. -#### 1. Creating the API +#### 1. Creating a Service and Route -To create an API we execute the following command: +To create a Service, issue the following command: ```bash -$ http post :8001/apis \ +$ http post :8001/services \ name=openid-connect-demo \ - uris=/ \ - upstream_url=http://httpbin.org/anything -v -``` -```http -POST /apis HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 91 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 + url=http://httpbin.org/anything ``` + +The response should be structured like so: + ```json { - "name": "openid-connect-demo", - "upstream_url": "http://httpbin.org/anything", - "uris": "/" + "connect_timeout": 60000, + "created_at": 1535539722, + "host": "httpbin.org", + "id": "903978c9-2472-4a04-aff5-d9ba13821e64", + "name": "httpbin", + "path": "/anything", + "port": 80, + "protocol": "http", + "read_timeout": 60000, + "retries": 5, + "updated_at": 1535539722, + "write_timeout": 60000 } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:09:43 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +Then, to add a Route, issue the following command: + +```bash +$ http :8001/services/httpbin/routes paths:='["/"]' protocols:='["http"]' ``` + +The response should be structured like so: + ```json { - "created_at": 1502730583000, - "http_if_terminated": false, - "https_only": false, - "id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "name": "openid-connect-demo", - "preserve_host": false, - "retries": 5, - "strip_uri": true, - "upstream_connect_timeout": 60000, - "upstream_read_timeout": 60000, - "upstream_send_timeout": 60000, - "upstream_url": "http://httpbin.org/anything", - "uris": [ - "/" - ] + 
"created_at": 1536698521, + "hosts": null, + "id": "17b83376-b69d-4638-9b53-13184018eaf6", + "methods": null, + "paths": [ + "/" + ], + "preserve_host": false, + "protocols": [ + "http" + ], + "regex_priority": 0, + "service": { + "id": "903978c9-2472-4a04-aff5-d9ba13821e64" + }, + "strip_path": true, + "updated_at": 1536698521 } ``` +Save the Route ID -#### 2. Checking the API +```bash +$ export ROUTE_ID= +$ echo $ROUTE_ID +``` + +#### 2. Verify Response with and without Kong -Check that the API works by issuing the following command: +Verify that you can make a direct call to `http://httpbin.org/anything` _without_ proxying through Kong by issuing the following command: ```bash -$ http :8000 -v +$ http get http://httpbin.org/anything ``` -And you should get output similar to this: +The response should be `HTTP 200 OK` and appear like so: -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` -```http -HTTP/1.1 200 OK -Access-Control-Allow-Credentials: true -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Length: 390 -Content-Type: application/json -Date: Mon, 14 Aug 2017 17:12:16 GMT -Server: meinheld/0.6.1 -Via: kong/0.10.3 -X-Kong-Proxy-Latency: 181 -X-Kong-Upstream-Latency: 828 -X-Powered-By: Flask -X-Processed-Time: 0.00134587287903 -``` ```json { - "args": {}, - "data": "", - "files": {}, - "form": {}, - "headers": { - "Accept": "*/*", - "Accept-Encoding": "gzip, deflate", - "Connection": "close", - "Host": "httpbin.org", - "User-Agent": "HTTPie/0.9.9", - "X-Forwarded-Host": "localhost" - }, - "json": null, - "method": "GET", - "origin": "127.0.0.1, 37.33.72.184", - "url": "http://localhost/anything" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9" + }, + "json": null, + "method": "GET", + 
"origin": "52.70.213.138", + "url": "http://httpbin.org/anything" } -``` +``` -#### 3. Enabling the Plugin - -To enable `openid-connect` plugin for the API, -execute the following command (on production you -shouldn't disable SSL verification): +Verify that Kong successfully proxies through Kong by issuing the following command: ```bash -$ http post :8001/apis/openid-connect-demo/plugins \ - name=openid-connect \ - config.issuer= \ - config.client_id= \ - config.client_secret= \ - config.redirect_uri= \ - config.ssl_verify=false -v +$ http get 127.0.0.1:8000 ``` -On successful call you will get output similar to this: - -```http -POST /apis/openid-connect-demo/plugins HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 256 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 -``` +The response should be `HTTP 200 OK` and appear like so: + ```json { - "config.client_id": "ATdm9WUNmfGzdE0pyRApY66pnfHVJNMI", - "config.client_secret": "kaSFMAJSEQVlYl4Crvf4Sl9WIM0rP3gVxbhT3GAhPDTzRbzxKh3pxHnNWMhhRrcN", - "config.issuer": "https://kong-demo.eu.auth0.com/", - "config.ssl_verify": "false", - "name": "openid-connect" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9", + "X-Forwarded-Host": "127.0.0.1" + }, + "json": null, + "method": "GET", + "origin": "172.19.0.1, 23.96.32.228", + "url": "http://127.0.0.1/anything" } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:22:27 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +#### 3. 
Secure the Service with OIDC + +To enable the OIDC Plugin for the Service, execute the following +command, but note that SSL verification is disabled here for +testing purposes only: + +```bash +http post :8001/services/httpbin/plugins \ + name=openid-connect \ + config.issuer= \ + config.client_id= \ + config.client_secret= \ + config.redirect_uri= \ + config.ssl_verify=false -v ``` + +On successful `HTTP 200 OK`, the response will be similar to: + ```json { - "api_id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "config": { - "auth_methods": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "kong_oauth2", - "refresh_token", - "session" - ], - "client_id": [ - "" - ], - "client_secret": [ - "" - ], - "consumer_by": [ - "username", - "custom_id" - ], - "http_version": 1.1, - "id_token_param_type": [ - "query", - "header", - "body" - ], - "issuer": "", - "leeway": 0, - "login_action": "upstream", - "login_tokens": [ - "id_token" - ], - "response_mode": "query", - "reverify": false, - "scopes": [ - "openid" - ], - "ssl_verify": false, - "timeout": 10000, - "upstream_access_token_header": "authorization:bearer", - "verify_claims": true, - "verify_nonce": true, - "verify_parameters": true, - "verify_signature": true - }, - "created_at": 1502731347000, + "config": { + "audience_claim": [ + "aud" + ], + "client_id": [ + "kong" + ], + "client_secret": [ + "b8068d7d-d7bf-4b23-8724-881ee49bdbfd" + ], + "consumer_by": [ + "username", + "custom_id" + ], + "introspect_jwt_tokens": false, + "introspection_hint": "access_token", + "issuer": "http://ip10-0-0-3-bec2g5kmeb6ge43qmuc0-8080.direct.konglabs-s3.simplru.com/auth/realms/master", + "created_at": 1536700540000, "enabled": true, - "id": "4a91a0ef-1632-491d-a4e3-b8f98f75dcda", - "name": "openid-connect" + "id": "6836ba3c-12e0-4f2e-bdfd-88134eaa1786", + "name": "openid-connect", + "service_id": "903978c9-2472-4a04-aff5-d9ba13821e64" + } } ``` +#### 4. 
Verify that Authorization is Now Required -#### 4. Try the API +Attempt the following command without authorization: ```bash -$ http :8000 -v +$ http get :8000/anything ``` -As you might have expected, it doesn't work anymore: - -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` +It will result in: -as it gives this redirect as a reply: - -```http -HTTP/1.1 302 Moved Temporarily -Connection: keep-alive -Content-Length: 167 -Content-Type: text/html -Date: Mon, 14 Aug 2017 17:24:59 GMT -Location: https:///authorize?scope=openid&client_id=&response_mode=query&state=y2J74-KJFzogFXEtWgwDzl-Y&nonce=J-Ylp3E4dIQIhgutGFo3JOOU&redirect_uri=&response_type=code -Server: kong/0.10.3 -Set-Cookie: authorization=; Path=/; HttpOnly ``` -```html - - 302 Found - -

302 Found

- - +HTTP 301 Moved Temporarily ``` Now, at this point you could try to open the page using a browser and see if you can go through the authorization code flow, and after that -get an reply from httpbin.org. Please check that your redirect uri is -correctly registered as the identity provider should redirect the -browser back to Kong url where this plugin is enabled (it can be the same -API or it can be different API). +get a reply from `httpbin.org`. Please check that your redirect URI parameter is +correctly set, since the identity provider should redirect the +user back to this URI once authentication is successful. (The URI can be the same +Service or a different one). -You could also try another ways, like for example password grant -(and please try other authentication methods as well): +You could also try another way; for example, password grant: ```bash $ http :8000 Authorization:"Basic :" diff --git a/app/_hub/kong-inc/openid-connect/index.md b/app/_hub/kong-inc/openid-connect/index.md index 55f34d432b24..8b6108de1c1a 100644 --- a/app/_hub/kong-inc/openid-connect/index.md +++ b/app/_hub/kong-inc/openid-connect/index.md 
@@ -2315,268 +2315,200 @@ not send confidential information to `httpbin.org` that is used here for illustrative purposes. -#### 1. Creating the API +#### 1. Creating a Service and Route -To create an API we execute the following command: +To create a Service, issue the following command: ```bash -$ http post :8001/apis \ +$ http post :8001/services \ name=openid-connect-demo \ - uris=/ \ - upstream_url=http://httpbin.org/anything -v -``` -```http -POST /apis HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 91 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 + url=http://httpbin.org/anything ``` + +The response should be structured like so: + ```json { - "name": "openid-connect-demo", - "upstream_url": "http://httpbin.org/anything", - "uris": "/" + "connect_timeout": 60000, + "created_at": 1535539722, + "host": "httpbin.org", + "id": "903978c9-2472-4a04-aff5-d9ba13821e64", + "name": "httpbin", + "path": "/anything", + "port": 80, + "protocol": "http", + "read_timeout": 60000, + "retries": 5, + "updated_at": 1535539722, + "write_timeout": 60000 } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:09:43 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +Then, to add a Route, issue the following command: + +```bash +$ http :8001/services/httpbin/routes paths:='["/"]' protocols:='["http"]' ``` + +The response should be structured like so: + ```json { - "created_at": 1502730583000, - "http_if_terminated": false, - "https_only": false, - "id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "name": "openid-connect-demo", - "preserve_host": false, - "retries": 5, - "strip_uri": true, - "upstream_connect_timeout": 60000, - "upstream_read_timeout": 60000, - "upstream_send_timeout": 60000, - "upstream_url": "http://httpbin.org/anything", - "uris": [ - "/" - ] + 
"created_at": 1536698521, + "hosts": null, + "id": "17b83376-b69d-4638-9b53-13184018eaf6", + "methods": null, + "paths": [ + "/" + ], + "preserve_host": false, + "protocols": [ + "http" + ], + "regex_priority": 0, + "service": { + "id": "903978c9-2472-4a04-aff5-d9ba13821e64" + }, + "strip_path": true, + "updated_at": 1536698521 } ``` +Save the Route ID -#### 2. Checking the API +```bash +$ export ROUTE_ID= +$ echo $ROUTE_ID +``` + +#### 2. Verify Response with and without Kong -Check that the API works by issuing the following command: +Verify that you can make a direct call to `http://httpbin.org/anything` _without_ proxying through Kong by issuing the following command: ```bash -$ http :8000 -v +$ http get http://httpbin.org/anything ``` -And you should get output similar to this: +The response should be `HTTP 200 OK` and appear like so: -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` -```http -HTTP/1.1 200 OK -Access-Control-Allow-Credentials: true -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Length: 390 -Content-Type: application/json -Date: Mon, 14 Aug 2017 17:12:16 GMT -Server: meinheld/0.6.1 -Via: kong/0.10.3 -X-Kong-Proxy-Latency: 181 -X-Kong-Upstream-Latency: 828 -X-Powered-By: Flask -X-Processed-Time: 0.00134587287903 -``` ```json { - "args": {}, - "data": "", - "files": {}, - "form": {}, - "headers": { - "Accept": "*/*", - "Accept-Encoding": "gzip, deflate", - "Connection": "close", - "Host": "httpbin.org", - "User-Agent": "HTTPie/0.9.9", - "X-Forwarded-Host": "localhost" - }, - "json": null, - "method": "GET", - "origin": "127.0.0.1, 37.33.72.184", - "url": "http://localhost/anything" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9" + }, + "json": null, + "method": "GET", + 
"origin": "52.70.213.138", + "url": "http://httpbin.org/anything" } -``` +``` -#### 3. Enabling the Plugin - -To enable `openid-connect` plugin for the API, -execute the following command (on production you -shouldn't disable SSL verification): +Verify that Kong successfully proxies through Kong by issuing the following command: ```bash -$ http post :8001/apis/openid-connect-demo/plugins \ - name=openid-connect \ - config.issuer= \ - config.client_id= \ - config.client_secret= \ - config.redirect_uri= \ - config.ssl_verify=false -v +$ http get 127.0.0.1:8000 ``` -On successful call you will get output similar to this: - -```http -POST /apis/openid-connect-demo/plugins HTTP/1.1 -Accept: application/json, */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Content-Length: 256 -Content-Type: application/json -Host: localhost:8001 -User-Agent: HTTPie/0.9.9 -``` +The response should be `HTTP 200 OK` and appear like so: + ```json { - "config.client_id": "ATdm9WUNmfGzdE0pyRApY66pnfHVJNMI", - "config.client_secret": "kaSFMAJSEQVlYl4Crvf4Sl9WIM0rP3gVxbhT3GAhPDTzRbzxKh3pxHnNWMhhRrcN", - "config.issuer": "https://kong-demo.eu.auth0.com/", - "config.ssl_verify": "false", - "name": "openid-connect" + "args": {}, + "data": "", + "files": {}, + "form": {}, + "headers": { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Connection": "close", + "Host": "httpbin.org", + "User-Agent": "HTTPie/0.9.9", + "X-Forwarded-Host": "127.0.0.1" + }, + "json": null, + "method": "GET", + "origin": "172.19.0.1, 23.96.32.228", + "url": "http://127.0.0.1/anything" } ``` -```http -HTTP/1.1 201 Created -Access-Control-Allow-Origin: * -Connection: keep-alive -Content-Type: application/json; charset=utf-8 -Date: Mon, 14 Aug 2017 17:22:27 GMT -Server: kong/0.10.3 -Transfer-Encoding: chunked + +#### 3. 
Secure the Service with OIDC + +To enable the OIDC Plugin for the Service, execute the following +command, but note that SSL verification is disabled here for +testing purposes only: + +```bash +http post :8001/services/httpbin/plugins \ + name=openid-connect \ + config.issuer= \ + config.client_id= \ + config.client_secret= \ + config.redirect_uri= \ + config.ssl_verify=false -v ``` + +On successful `HTTP 200 OK`, the response will be similar to: + ```json { - "api_id": "f5331dd8-4dc8-4272-8537-199598e660ad", - "config": { - "auth_methods": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "kong_oauth2", - "refresh_token", - "session" - ], - "client_id": [ - "" - ], - "client_secret": [ - "" - ], - "consumer_by": [ - "username", - "custom_id" - ], - "http_version": 1.1, - "id_token_param_type": [ - "query", - "header", - "body" - ], - "issuer": "", - "leeway": 0, - "login_action": "upstream", - "login_tokens": [ - "id_token" - ], - "response_mode": "query", - "reverify": false, - "scopes": [ - "openid" - ], - "ssl_verify": false, - "timeout": 10000, - "upstream_access_token_header": "authorization:bearer", - "verify_claims": true, - "verify_nonce": true, - "verify_parameters": true, - "verify_signature": true - }, - "created_at": 1502731347000, + "config": { + "audience_claim": [ + "aud" + ], + "client_id": [ + "kong" + ], + "client_secret": [ + "b8068d7d-d7bf-4b23-8724-881ee49bdbfd" + ], + "consumer_by": [ + "username", + "custom_id" + ], + "introspect_jwt_tokens": false, + "introspection_hint": "access_token", + "issuer": "http://ip10-0-0-3-bec2g5kmeb6ge43qmuc0-8080.direct.konglabs-s3.simplru.com/auth/realms/master", + "created_at": 1536700540000, "enabled": true, - "id": "4a91a0ef-1632-491d-a4e3-b8f98f75dcda", - "name": "openid-connect" + "id": "6836ba3c-12e0-4f2e-bdfd-88134eaa1786", + "name": "openid-connect", + "service_id": "903978c9-2472-4a04-aff5-d9ba13821e64" + } } ``` +#### 4. 
Verify that Authorization is Now Required -#### 4. Try the API +Attempt the following command without authorization: ```bash -$ http :8000 -v +$ http get :8000/anything ``` -As you might have expected, it doesn't work anymore: - -```http -GET / HTTP/1.1 -Accept: */* -Accept-Encoding: gzip, deflate -Connection: keep-alive -Host: localhost:8000 -User-Agent: HTTPie/0.9.9 -``` +It will result in: -as it gives this redirect as a reply: - -```http -HTTP/1.1 302 Moved Temporarily -Connection: keep-alive -Content-Length: 167 -Content-Type: text/html -Date: Mon, 14 Aug 2017 17:24:59 GMT -Location: https:///authorize?scope=openid&client_id=&response_mode=query&state=y2J74-KJFzogFXEtWgwDzl-Y&nonce=J-Ylp3E4dIQIhgutGFo3JOOU&redirect_uri=&response_type=code -Server: kong/0.10.3 -Set-Cookie: authorization=; Path=/; HttpOnly ``` -```html - - 302 Found - -

302 Found

- - +HTTP 301 Moved Temporarily ``` Now, at this point you could try to open the page using a browser and see if you can go through the authorization code flow, and after that -get an reply from httpbin.org. Please check that your redirect uri is -correctly registered as the identity provider should redirect the -browser back to Kong url where this plugin is enabled (it can be the same -API or it can be different API). +get a reply from `httpbin.org`. Please check that your redirect URI parameter is +correctly set, since the identity provider should redirect the +user back to this URI once authentication is successful. (The URI can be the same +Service or a different one). -You could also try another ways, like for example password grant -(and please try other authentication methods as well): +You could also try another way; for example, password grant: ```bash $ http :8000 Authorization:"Basic :"
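Review bot: In the 0.35-x.md hunk (step 1 and onward, and identically in the index.md hunk) the Service is created with `name=openid-connect-demo`, yet the sample response shows `"name": "httpbin"` and every later command addresses `:8001/services/httpbin/routes` and `:8001/services/httpbin/plugins`; a reader following the commands verbatim will get a 404 on the Route and plugin calls. Either change the create command to `name=httpbin` or point the later commands at `openid-connect-demo`, and adjust the sample response to match. The "Save the Route ID" step in the same region is also dead weight: `$ export ROUTE_ID=` has nothing to copy from the preceding output and `ROUTE_ID` is never used afterwards (the plugin is attached to the Service, not the Route), so either drop the step or show `export ROUTE_ID=<id from the response above>` and use it later. Minor style points in this hunk: "Save the Route ID" needs a colon, the step 3 command is the only one without the `$` prompt prefix, and "Verify that Kong successfully proxies through Kong" should read "Verify that the request is successfully proxied through Kong".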
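Review bot: In the index.md hunk (step 3 sample response, and identically in 0.35-x.md) the replacement JSON is malformed: the `"config": {` object is never closed before `"created_at"`, so `created_at`, `enabled`, `id`, `name` and `service_id` now read as nested inside `config`, and the trailing comma after `"service_id": "..."` precedes a closing brace; the removed version had the `},` that ended `config`. Restore that `},` and drop the trailing comma. In the same step the lead-in says "On successful `HTTP 200 OK`", but the removed output shows plugin creation returns `HTTP/1.1 201 Created`, so say `201 Created`. The sample response also carries a literal `client_secret` value and a lab-internal issuer URL, while the command above uses empty placeholders for both; use matching placeholders in the response so no real credential ships in the docs. In step 4, `+HTTP 301 Moved Temporarily` mixes a 301 code with the 302 reason phrase, and the removed output (and the leftover "302 Found" body) shows the plugin answers with a 302; make it `HTTP/1.1 302 Found` and tag the now-untagged fence as ```http. Finally, the rewritten redirect URI sentence drops the point the old text made: the identity provider only redirects to a URI that is registered for the client, so keep "registered with the identity provider" alongside "set in `config.redirect_uri`", since a mismatch fails at the provider regardless of the Kong configuration.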