
Keycloak HTTPS cert is not validated

Open mateuszdyminski opened this issue 4 years ago • 5 comments

In the get_request method in the keycloak_keys.lua file, the luasec library is used to provide communication over https. According to the documentation on the https://github.com/brunoos/luasec/wiki page, to verify the certificate we need to pass the extra argument verify = "peer"; otherwise, even if the certificate is invalid or self-signed, there is no problem/exception/anything.

I have tested that with a self-signed cert, and passing verify = "peer" seems to solve the problem. I would also like to add the possibility to pass a path to a cafile, to make it possible to use a self-signed cert for inter-communication.

What do you think about the solution?

mateuszdyminski avatar May 27 '20 08:05 mateuszdyminski
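The luasec call this report is about, written out as an added example (not the plugin's own code): the unverified default beside the hardened form with verify = "peer" and a cafile. The function names, the Keycloak URL and the CA bundle path are assumptions.

```lua
-- Added example, not code from kong-plugin-jwt-keycloak. Fetches a Keycloak
-- JWKS/certs endpoint over HTTPS with luasec. URL and cafile path are assumed.
local https = require("ssl.https")
local ltn12 = require("ltn12")

-- Insecure: luasec defaults to verify = "none", so an invalid or self-signed
-- server certificate is accepted silently and a network attacker could hand
-- the plugin forged signing keys.
local function fetch_keys_unverified(url)
  local chunks = {}
  local ok, code = https.request({ url = url, sink = ltn12.sink.table(chunks) })
  return ok, code, table.concat(chunks)
end

-- Hardened: verify the peer chain against a CA bundle. cafile can be the OS
-- bundle or the CA that issued an internal/self-signed Keycloak certificate.
local function fetch_keys_verified(url, cafile)
  local chunks = {}
  local ok, code, _, status = https.request({
    url      = url,
    sink     = ltn12.sink.table(chunks),
    protocol = "any",
    options  = { "all", "no_sslv2", "no_sslv3", "no_tlsv1" },
    verify   = "peer",   -- handshake fails if the chain is not trusted
    cafile   = cafile,   -- trust anchors used for that check
  })
  if not ok then
    -- with verify = "peer" a rejected certificate surfaces here as an error
    return nil, "TLS/HTTP request failed: " .. tostring(code)
  end
  if code ~= 200 then
    return nil, "unexpected HTTP status: " .. tostring(status)
  end
  return table.concat(chunks)
end

-- Usage (assumed hostname and bundle path):
local body, err = fetch_keys_verified(
  "https://keycloak.example.internal/auth/realms/demo/protocol/openid-connect/certs",
  "/etc/ssl/certs/ca-certificates.crt")
if not body then
  error(err)
end
print(body)
```

Point fetch_keys_unverified at a host with a self-signed certificate and it still returns the body, which is the behaviour the issue describes; fetch_keys_verified returns nil plus an error unless the chain validates against cafile.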

Yeah, that should definitely be turned on. I do not have any time these days to work on this project. I am open to pull requests if you have time to implement this small change to fix this issue, and do testing to be sure it works and does not break things.

As for adding self-signed certificates to trusted certificates, you should be able to do that inside the docker image without touching the plugin, right?

gbbirkisson avatar May 27 '20 20:05 gbbirkisson

Ok, so in the next couple of days I'll prepare the PR.

As for adding self-signed certificates to trusted certificates, you should be able to do that inside the docker image without touching the plugin, right?

Yeah, I need to double-check it, but there should be 2 ways to add a certificate as trusted: by changing the plugin (and adding this cafile) and by installing the cert directly in the docker image/underlying OS.

One more thing: I noticed that you marked Kong version 2.0.x as incompatible with your plugin. Could you elaborate more on what is not working?

mateuszdyminski avatar May 29 '20 07:05 mateuszdyminski

I noticed that you marked Kong version 2.0.x as incompatible with your plugin. Could you elaborate more on what is not working?

I just noticed that the tests were failing, I have not looked at why they are yet.

gbbirkisson avatar Jun 03 '20 15:06 gbbirkisson

I noticed that you marked Kong version 2.0.x as incompatible with your plugin. Could you elaborate more on what is not working?

Caused by a race condition with Kong. Tests are passing now.

gbbirkisson avatar Jun 03 '20 15:06 gbbirkisson

Do you have such a patch, @mateuszdyminski, which I could use? I'm not yet experienced enough to create one on my own, but I would be willing and able to help out with preparing a PR, if you don't have the time to do so.

jschirrmacher avatar Sep 30 '20 15:09 jschirrmacher

I am about to archive this repository. Please move your issues/PRs to the successor of this repo: https://github.com/telekom-digioss/kong-plugin-jwt-keycloak

gbbirkisson avatar Aug 14 '23 14:08 gbbirkisson