kong
kong copied to clipboard
Kong
JWT plugin does not find credential by key when key is URL
Summary
Hello, we use kong along with keycloak and we protect every api publication with JWT plugin on the route. keycloak generate JWT with iss claim with value of keycloak realm url. When I setup jwt plugin to use iss claim as a key for the secret the plugin can't find the secret by this key. When I use another custom claim in JWT to identify secret everything works correctly. But when I use admin API to find secret/jwt with key the result is correct in both cases.
Steps To Reproduce
- Setup JWT with the 'iss' claim as secret key
apiVersion: v1
kind: Secret
metadata:
name: jwt-nghis-dev
namespace: ng-apps
type: Opaque
data:
kongCredType: and0
key: aHR0cHM6Ly9hdXRoLmRldi5wcm9zb2Z0a2Uuc2svYXV0aC9yZWFsbXMvaGlz
algorithm: UlMyNTY=
rsa_public_key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFqc3AzVGR5ODFKU0VSN2NZdW9ZcgoxVmhqSlB4WXR0Nk1ad1hQSUJsRlhpZ21nYlZnTzNiQmhyR2x1Q2lnVlUrVkJ1YkZnM29VektVS0pWV2ZCRzZJCmgwcXUvcTFqSXRZdGI1bDJINXhHcTIwU3RDK1NCSU4rUFY2eW4zMFhPeWVIN1dmSCtUOGQxcVlKS243aVlhQWkKaWlKbUFKOHR5bHk2eHlqT01ZbnJJRXM1VEU4STlkaitrUlJTQzJTVGpFN2xoR0hOTUVheVZKeFJkejliN00yQgpKWmtmZ09NMEhKUnlzaXNiZXVwYnRidGdvMWQycUV6eVkxTTg3VTk2ejJsRWtwQllvREpuMFFqdGE3MWl3bzdkCmoyamFEVDlPZDhtdzdzWXNxeUxQK2NTTE9QQjRoNC9ncjBjeWl6M05hNGJHbVJrYU9Qd0tlM2hMOGdQMFJjWFYKd1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: nghis-dev-consumer
namespace: ng-apps
username: nghis-dev
credentials:
- jwt-nghis-dev
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: nghis-jwt-administration-service
namespace: ng-apps
config:
key_claim_name: iss
claims_to_verify:
- exp
plugin: jwt
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
name: administration-service-test-ingress
namespace: ng-apps
route:
strip_path: true
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: administration-test-service
namespace: ng-apps
labels:
app: administration-test-service
layer: frontend
annotations:
plugins.konghq.com: nghis-jwt-administration-service
configuration.konghq.com: administration-service-test-ingress
spec:
rules:
- host: "api.dev.prosoftke.sk"
http:
paths:
- path: /admin_test
backend:
serviceName: administration-service
servicePort: 8080
- admin API works as expceted:
curl http://kong-admin:8001/jwts/https%3A%2F%2Fauth.dev.prosoftke.sk%2Fauth%2Frealms%2Fhis
{"rsa_public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjsp3Tdy81JSER7cYuoYr\n1VhjJPxYtt6MZwXPIBlFXigmgbVgO3bBhrGluCigVU+VBubFg3oUzKUKJVWfBG6I\nh0qu\/q1jItYtb5l2H5xGq20StC+SBIN+PV6yn30XOyeH7WfH+T8d1qYJKn7iYaAi\niiJmAJ8tyly6xyjOMYnrIEs5TE8I9dj+kRRSC2STjE7lhGHNMEayVJxRdz9b7M2B\nJZkfgOM0HJRysisbeupbtbtgo1d2qEzyY1M87U96z2lEkpBYoDJn0Qjta71iwo7d\nj2jaDT9Od8mw7sYsqyLP+cSLOPB4h4\/gr0cyiz3Na4bGmRkaOPwKe3hL8gP0RcXV\nwQIDAQAB\n-----END PUBLIC KEY-----","created_at":1582725445,"consumer":{"id":"2af3d7cc-5590-5c3b-a904-dcb32e16fae9"},"id":"7207410d-15b5-513a-8400-c6ec638a0da8","algorithm":"RS256","tags":null,"key":"https:\/\/auth.dev.prosoftke.sk\/auth\/realms\/his","secret":"SgSNLGREhLChx9rR4rxda03TKFTw70Oe"}
- The call on route end with the error:
{
"message": "No credentials found for given 'iss'"
}
- When I change
key_claim_name: tenantNamein the plugin definition and 'key: REVW' in the secret everything works fine.
Additional Details & Logs
- Kong version 2.0.0; db-less
- Kubernetes 1.15.6; kong:2.0.0-alpine; kong-ingress-controller:0.7.1
- token used in tests
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJRWW9fLXlPRk1hQTFmX1RINXNSb3U0d0JsdDR4dWVSc01iRThZbG1IYUJjIn0.eyJqdGkiOiJkZWM4NDU2Zi1jZmJjLTQwYjYtYTM3Yi03NTUyYjEwODQ1YmEiLCJleHAiOjE1ODI3MjM0NzQsIm5iZiI6MCwiaWF0IjoxNTgyNzIzMTc0LCJpc3MiOiJodHRwczovL2F1dGguZGV2LnByb3NvZnRrZS5zay9hdXRoL3JlYWxtcy9oaXMiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYmFjMWExM2EtMWE5YS00NmZiLTg5YjYtODdiNzRmMmFkYjUyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibmdoaXMiLCJub25jZSI6IjJmMjgyMTMxLWIxOGItNGFiZi05MzQ2LTFlZGM1YTRlNDkwNSIsImF1dGhfdGltZSI6MTU4MjcyMzE2Niwic2Vzc2lvbl9zdGF0ZSI6ImQ2MDczN2VjLTVkY2EtNGY2NS1iMWJmLTQ1OGFmOTk5OGUzMyIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4ODg4IiwiaHR0cDovL2xvY2FsaG9zdDo4ODg4IiwiaHR0cDovL2xvY2FsaG9zdDo4ODg3IiwiaHR0cDovL2xvY2FsaG9zdDo4ODg5IiwiaHR0cHM6Ly9uZ2hpcy5kZXYucHJvc29mdGtlLnNrIiwiaHR0cDovLzEyNy4wLjAuMTo4ODg5IiwiaHR0cHM6Ly9hZG1pbi5kZXYucHJvc29mdGtlLnNrIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwidGVuYW50TmFtZSI6IkRFViIsInVzZXIiOnsibGFzdE5hbWUiOiJMZWthciIsImZpcnN0TmFtZSI6IkphbiIsInByZWZpeCI6IlBoZCIsImhlYWx0aGNhcmVQcm9mZXNzaW9uYWwiOjEsInBlcnNvbmFsTnVtYmVyIjoiMTExMSIsInBvc3RmaXgiOiJJbmciLCJsb2dpbiI6Imxla2FyIiwiZW1wbG95ZWVOdW1iZXIiOjF9LCJ0ZW5hbnQiOjk5OTl9.ew34kC-_hix_J054qiu2s4VLTfqyLxxNUuSLwuS7YLwn2jYXOSkTP9GSrWjs85zObGFxEacGarcWDDmjmxJDoQlxvOlpyNAZ8LuXVplsVBz5TQRMjQrTw5CSyA5uhVA8s7lBNdYzMKMh3LNEdp93wMALzsbsMFqHMX9SI2rFTISvAAknUgQmxAAUjNdOFap-lWdOnXESh4vXXRyXApc5Av9_JbH0v2ZG8ay2nHF3VEweWrFpkDOPeTy2Opza2Z08GAkJDWDfgq_TixylUK4vSBvyKZ4-uYbwORal4XLknZbD3mpNMl0W7v8eccGmwzaA4M6rKgfxuUMuYGittra4VQ
{ "message": "No credentials found for given 'iss'" } same response, after i plugin that jwt plugin
I can confirm as well. K8S 1.17, kong-ingress-controller helm chart 1.14.5.
NM I got it working..... I had upgraded to my helm chart from 1.5 5o 1.14 and which kong versions those contain... After putting a large dent in my desk and reading docs and looking at examples, I finally figured out I had to update my KongConsumer def to have an annotation.... So in the example above...
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: nghis-dev-consumer
namespace: ng-apps
username: nghis-dev
credentials:
- jwt-nghis-dev
should probably be
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: nghis-dev-consumer
namespace: ng-apps
annotations:
kubernetes.io/ingress.class: kong
username: nghis-dev
credentials:
- jwt-nghis-dev
Works fantastic now...
I am hoping anyone would help me put here. I am pretty much using this example. https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/guides/configure-acl-plugin/
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: app-jwt
plugin: jwt
" | kubectl apply -f -
echo '
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo-get
annotations:
konghq.com/plugins: app-jwt
konghq.com/strip-path: "false"
kubernetes.io/ingress.class: kong
spec:
rules:
- http:
paths:
- path: /get
backend:
serviceName: httpbin
servicePort: 80
' | kubectl apply -f -
$ echo '
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo-post
annotations:
konghq.com/plugins: app-jwt
konghq.com/strip-path: "false"
kubernetes.io/ingress.class: kong
spec:
rules:
- http:
paths:
- path: /post
backend:
serviceName: httpbin
servicePort: 80
' | kubectl apply -f -
$ curl -i $PROXY_IP/get
HTTP/1.1 401 Unauthorized
echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: admin
annotations:
kubernetes.io/ingress.class: kong
username: admin
" | kubectl apply -f -
echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: plain-user
annotations:
kubernetes.io/ingress.class: kong
username: plain-user
" | kubectl apply -f -
# create secret for jwt public key
$ kubectl create secret \
generic app-admin-jwt \
--from-literal=kongCredType=jwt \
--from-literal=key="admin-issuer" \
--from-literal=algorithm=RS256 \
--from-literal=rsa_public_key="-----BEGIN PUBLIC KEY-----
MIIBIjA....
-----END PUBLIC KEY-----"
# create a second secret with a different key
$ kubectl create secret \
generic app-user-jwt \
--from-literal=kongCredType=jwt \
--from-literal=key="user-issuer" \
--from-literal=algorithm=RS256 \
--from-literal=rsa_public_key="-----BEGIN PUBLIC KEY-----
qwerlkjqer....
-----END PUBLIC KEY-----"
Now for the above step, i use following to generate jwt
ssh-keygen -t rsa -P "" -b 4096 -m PEM -f jwtRS256.key
ssh-keygen -e -m PEM -f jwtRS256.key > jwtRS256.key.pub
import jwt
private_key = open('jwtRS256.key').read()
token = jwt.encode({'username': 'admin', 'iss': 'admin-issuer'}, private_key, algorithm='RS256').decode('utf-8')
print token
$ echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: admin
annotations:
kubernetes.io/ingress.class: kong
username: admin
credentials:
- app-admin-jwt
" | kubectl apply -f -
$ echo "
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: plain-user
annotations:
kubernetes.io/ingress.class: kong
username: plain-user
credentials:
- app-user-jwt
" | kubectl apply -f -
curl -i -H "Authorization: Bearer ${ADMIN_JWT}" $PROXY_IP/get
{"message":"No credentials found for given 'iss'"}%
Any help on where i might be going wrong. it's pretty much using the same example.
Hello everybody. I've set up my Keycloak inside K8S cluster, and Kong DB-less within the cluster too.
Keycloak installed via Keycloak Operator 0.17, but it's not really important, as long as you have a recent version:
PS C:\Users\ferdi> kubectl get csv
NAME DISPLAY VERSION REPLACES PHASE
keycloak-operator.v12.0.3 Keycloak Operator 12.0.3 keycloak-operator.v12.0.1 Succeeded
Kong via official Helm chart:
PS C:\Users\ferdi> helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
kong kong 1 2021-04-22 10:31:34.5898107 +0200 CEST deployed kong-2.0.0 2.3
I've created my Realm, my Client and my User within Keycloak. Just remember to enable "Direct Grants" within Client configuration. Below you can find my YAML:
KongPlugin:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: jwt-test
namespace: default
config:
secret_is_base64: false
run_on_preflight: true
plugin: jwt
Ingress with KongPlugin enabled:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: kong-httpbin
namespace: default
annotations:
kubernetes.io/ingress.class: kong
konghq.com/plugins: jwt-test
spec:
rules:
- host: httpbin2.localhost
http:
paths:
- path: /
backend:
serviceName: httpbin2
servicePort: 80
Secret (it replaces KongCredentials):
apiVersion: v1
kind: Secret
metadata:
name: kong-credentials-httpbin
namespace: default
type: Opaque
stringData:
kongCredType: jwt
key: https://keycloak.localhost/auth/realms/myrealm
secret: 9080ed51-b61d-416d-bded-302ca1d62033
algorithm: RS256
rsa_public_key: |-
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmfTOZLJ9rP8iL4gWmlIe
xlrC7rnh2qPqvXT5GEHYoKt2wgOyCxOHiClTQB4sLVWld36OmiqzSnGgzPgnN6z6
iS8rE9DXE/LDiwFOU2Roq6CrVAUvpJGqwUwU5xkWxf4l7CFegVjli0x/qDywhPww
tBsR7yD5c9KM9A/OrBK/S5oaCa7a6zTJJRTujGR+o3nRUojpzphdendjx6hrjsot
rgj0ux1Mghc9AjLPxv/Bld4MTYIplmeVfardOsMdkJLluaOguGwjVkzA85bTDw7n
IiibiptsJhJ3qARbu3+oqYapti8h4b8TFN+7GixQeOQKBuKUsh1uMCRFXB/HFzMY
rQIDAQAB
-----END PUBLIC KEY-----
KongConsumer, references the Secret:
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: kong-consumer-httpbin
annotations:
kubernetes.io/ingress.class: kong
username: whateveryouwant
credentials:
- kong-credentials-httpbin
I've just reviewed my previous contribution... and I left out the most important part: with the outlined setup, my authorization flow went fine! @SachinMaharana , as far as I can tell (I'm not building my JWT on my own, I'm relying on Keycloak), I can spot only one difference between our setups: your KongPlugin definition lacks the "config" subsection.
config:
secret_is_base64: false
run_on_preflight: true
Appears solved - please comment if you're experiencing a similar problem.
{ "message": "No credentials found for given 'iss'" } same response, after i plugin that jwt plugin
Hi all, I had and then solved this problem.
Problem: "message": "No credentials found for given 'iss'"
Solution: I was using a Secret, a KongConsumer, KongPlugin and an Ingress. This problem was occurring because I believe the Plugin is not able to find the Consumer, or the Consumer is not able to find the Secret. I was putting everything in the kong namespace with the ingress, but I resolved the issue by ensuring they were all in the same 'default' namespace. Boring solution yes I know.
Here are the .yaml files I was using if that helps anyone:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
konghq.com/strip-path: 'true'
kubernetes.io/ingress.class: kong
konghq.com/plugins: auth0-jwt-plugin
name: nameofingress
namespace: default
spec:
rules:
- http:
- ...
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: auth0-jwt-plugin
namespace: default
config:
secret_is_base64: false
run_on_preflight: true
plugin: jwt
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
name: auth0consumer
namespace: default
annotations:
kubernetes.io/ingress.class: kong
username: auth0user
credentials:
- auth0jwtkey
apiVersion: v1
kind: Secret
metadata:
name: auth0jwtkey
namespace: default
type: Opaque
stringData:
kongCredType: jwt
key: https://companyname.auth0.com/
algorithm: RS256
rsa_public_key: |-
-----BEGIN PUBLIC KEY-----
asdasdasdasdasdasdasdasdasdasd
-----END PUBLIC KEY-----
Dear contributor, We're closing this issue as there hasn't been any update to it for a long time. If the issue is still relevant in the latest version, please feel free to reopen it. We're more than happy to revisit it again. Your contribution is greatly appreciated! Please have a look at our pledge to the community for more information. Sincerely, Kong Gateway Team
