
Key-auth authentication failing

Open anamarialazar opened this issue 9 years ago • 4 comments

Hi all,

I cannot make a request using the key authentication. My journey is below:

Config:

apis:
  - name: api_products
      attributes:
        request_path: /products
        upstream_url: http://products.app.internal
      plugins:
        - name: file-log
          attributes:
            config:
              path: "/usr/local/kong/logs/kong.log"
        - name: trace
        - name: key-auth
          attributes:
              config:
                hide_credentials: true
                key_names:
                  - apikey
consumers:
    - username: admin
      credentials:
        - name: key-auth
          attributes:
            key: ThisTokenIsNotSoSecretChangeIt

The config looks like it was imported correctly:

Request: curl localhost:8001/consumers

Response:

{
    "data":[
        {
            "username":"admin",
            "created_at":1466764389000,
            "id":"9a746cee-81af-426f-a54c-04d6ea522f23"
        }
    ],
    "total":1
}

Request: curl localhost:8001/consumers/admin/key-auth

Response:

{
    "data":[
        {
            "created_at":1466764389000,
            "consumer_id":"9a746cee-81af-426f-a54c-04d6ea522f23",
            "key":"ThisTokenIsNotSoSecretChangeIt",
            "id":"42bc0e6d-d5eb-40dc-990a-be8828ddcb25"
        }
    ],
    "total":1
}

However when I try to actually use the key:

Request: curl -H "apikey: ThisTokenIsNotSoSecretChangeIt" localhost:8000/products

Response:

{
    "message":"No API Key found in headers, body or querystring"
}

If I use an invalid key I get:

Request: curl -H "apikey: AnotherRandomKey" localhost:8000/products

Response:

{
    "message":"Invalid authentication credentials"
}

However if I delete the API and plugin and re-add them via curl requests then everything works without any problems. I think it's something related to cache but no idea how to debug this. Any advice?

anamarialazar avatar Jun 24 '16 10:06 anamarialazar

It did work for me, but I did have to fix some of the indentation issues of the config you provided. I suspect that may have occurred while pasting into GitHub, but worth mentioning.

The final config I used was as follows:

  apis:
    - name: api_products
      attributes:
        request_path: /products
        upstream_url: http://mockbin.com/
      plugins:
        - name: key-auth
          attributes:
              config:
                hide_credentials: true
                key_names:
                  - apikey
  consumers:
    - username: admin
      credentials:
        - name: key-auth
          attributes:
            key: ThisTokenIsNotSoSecretChangeIt

The "No API Key found in headers, body or querystring" response suggests that the key-auth plugin has not been properly set up for api_products.

You could try dumping the config and looking at what you actually have on the server by running kongfig dump --format yaml --host localhost:8001

Alternatively, curl it directly:

curl http://localhost:8001/apis/api_products/plugins should give you something as follows:

{
  "data":[
    {
      "api_id":"77ba716a-d8c0-4479-c438-a8a9f43bbaa0",
      "id":"febcbc72-b14c-4a8f-ca93-2d01df6a89c0",
      "created_at":1466769447000,
      "enabled":true,
      "name":"key-auth",
      "config":{
        "hide_credentials":true,
        "key_names":[
          "apikey"
        ]
      }
    }
  ]
}

If you see something odd going on with the API definition on the server, you can always apply a config where ensure is set to removed, and then changing it back to present will get you back to a fresh start.

  apis:
    - name: api_products
      ensure: removed

Hope this helps, let me know if it didn't

CyExy avatar Jun 24 '16 12:06 CyExy
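The cross-check suggested in the comment above (compare what the Admin API has stored against the request being sent), as an added example that is not part of the original thread and not kongfig or Kong code. The function name `triage_key_auth` and its verdict labels are hypothetical, the decision logic is a simplified model that only looks at headers, and the JSON samples are constructed from the responses shown in this thread.

```python
import json

# Constructed samples, shaped like the Admin API responses quoted in the thread:
# GET /apis/api_products/plugins and GET /consumers/admin/key-auth
PLUGINS_RESPONSE = json.loads("""
{"data": [{"name": "key-auth", "enabled": true,
           "config": {"hide_credentials": true, "key_names": ["apikey"]}}],
 "total": 1}
""")
CREDENTIALS_RESPONSE = json.loads("""
{"data": [{"key": "ThisTokenIsNotSoSecretChangeIt",
           "consumer_id": "9a746cee-81af-426f-a54c-04d6ea522f23"}],
 "total": 1}
""")


def triage_key_auth(plugins, credentials, request_headers):
    """Return (verdict, detail) for one request against the stored state.

    Simplified model of the plugin's decision (an assumption, not Kong's
    code); only headers are considered, not body or querystring.
    """
    active = [p for p in plugins.get("data", [])
              if p.get("name") == "key-auth" and p.get("enabled")]
    if not active:
        return "plugin-missing", "key-auth is not enabled on this API"

    key_names = [n.lower() for n in active[0]["config"].get("key_names", [])]
    # HTTP header names are case-insensitive, so compare lowercased.
    headers = {k.lower(): v for k, v in request_headers.items()}
    supplied = [headers[n] for n in key_names if n in headers]
    if not supplied:
        return "no-key", "no request header matches key_names %s" % key_names

    stored = {c["key"] for c in credentials.get("data", [])}
    if supplied[0] not in stored:
        return "unknown-key", "key is not provisioned for this consumer"
    return "consistent", "stored config and request agree; look elsewhere"
```

A "consistent" verdict for a request that the proxy still rejects means the stored plugin and credential data are not the cause, so the next place to look is how the request is routed to the API.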

Thanks for the quick response

curl http://localhost:8001/apis/api_products/plugins returns the correct config:

{
    "data":[
        {
            "api_id":"46ad4384-db13-4bb0-923d-e6da931cec3d",
            "id":"9230fc7d-62de-426c-aff0-ea3fd406d4de",
            "created_at":1466764389000,
            "enabled":true,
            "name":"key-auth",
            "config":{
                "hide_credentials":true,
                "key_names":[
                    "apikey"
                ]
            }
        }
    ],
    "total":1
}

When I dump the config:

host: 'localhost:8001'
apis:
  - name: api_products
    plugins:
      - name: key-auth
        attributes:
          config:
            hide_credentials: true
            key_names:
              - apikey
    attributes:
      request_path: /products
      strip_request_path: true
      preserve_host: true
      upstream_url: 'http://products.app.internal'
consumers:
  - username: admin
    acls: []
    credentials:
      - name: key-auth
        attributes:
          key: ThisTokenIsNotSoSecretChangeIt

Everything points out that it should work. I have applied the config with ensure:removed / present. I can see that the API was deleted and created again but I still get the same response.

anamarialazar avatar Jun 24 '16 13:06 anamarialazar

This is a bit of a long shot, but I got it failing with the same error when I added another API definition with a matching request_host.

Do you have any other API definition in the dump? If yes, does any of them have a request_host matching the one sent in the curl request, e.g. request_host: products.app.internal?

You could try this:

curl -i -X GET --url http://localhost:8000/products \
--header "host: definitelydoesnotexist.com" \
--header "apikey: ThisTokenIsNotSoSecretChangeIt"

CyExy avatar Jun 24 '16 14:06 CyExy

There are no other API definitions in the config.

The request you specified returns:

HTTP/1.1 401 Unauthorized
Date: Fri, 24 Jun 2016 15:31:19 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Key realm="kong"
Server: kong/0.8.3

{"message":"No API Key found in headers, body or querystring"}

anamarialazar avatar Jun 24 '16 15:06 anamarialazar