OAuth2 provision_key issue running on Docker #1012

Closed
ambrons opened this issue Feb 23, 2016 · 2 comments

ambrons commented Feb 23, 2016

I've followed the documentation here: https://getkong.org/plugins/oauth2-authentication/ as well as looked at the reference implementation with NodeJS here: https://github.com/Mashape/kong-oauth2-hello-world

I'm getting "Invalid Kong provision_key" error when making calls to /oauth2/authorize.

To point out I'm using v0.5.4 because of an issue that seems to be related to configuration of docker with version v0.6.1 being looked at here:
Kong/docker-kong#19
Kong/docker-kong#23
Kong/docker-kong#21

Below are the steps taken to create the api, application, consumer, and ultimately the failing authorization.

API Creation

http POST http://fc.dev:8001/apis 'name=principal-profile-microservice' 'request_host=profile.fc.dev' 'upstream_url=http://192.168.99.1:3000/'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Tue, 23 Feb 2016 22:47:06 GMT
Server: kong/0.5.4
Transfer-Encoding: chunked

{
    "created_at": 1456267626000,
    "id": "f97b3bfa-58fa-4ec5-ce5b-dcc84e89bb14",
    "name": "principal-profile-microservice",
    "request_host": "profile.fc.dev",
    "upstream_url": "http://192.168.99.1:3000/"
}

Create Consumer

http POST http://fc.dev:8001/consumers custom_id=zco-custom-id
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Tue, 23 Feb 2016 22:48:31 GMT
Server: kong/0.5.4
Transfer-Encoding: chunked

{
    "created_at": 1456267711000,
    "custom_id": "zco-custom-id",
    "id": "f68d4742-92c9-4811-c87b-9d07bf567a2e"
}

Create API Consumer Application

http POST http://fc.dev:8001/consumers/f68d4742-92c9-4811-c87b-9d07bf567a2e/oauth2 'name=Better Fan' 'redirect_uri=http://fc.dev:3001/authorize/callback'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Tue, 23 Feb 2016 22:53:18 GMT
Server: kong/0.5.4
Transfer-Encoding: chunked

{
    "client_id": "d1b0cb8290554a4dca397c5b73053d60",
    "client_secret": "d73e3dd620ac4698c63684206451f821",
    "consumer_id": "f68d4742-92c9-4811-c87b-9d07bf567a2e",
    "created_at": 1456267998000,
    "id": "df298ef9-0080-4ded-cdb9-9019488ec447",
    "name": "Better Fan",
    "redirect_uri": "http://fc.dev:3001/authorize/callback"
}

Create API OAuth Plugin Configuration

http POST http://kong:8001/apis/f97b3bfa-58fa-4ec5-ce5b-dcc84e89bb14/plugins 'name=oauth2' 'config.scopes=email' 'config.mandatory_scope=true'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Tue, 23 Feb 2016 22:55:41 GMT
Server: kong/0.5.4
Transfer-Encoding: chunked

{
    "api_id": "f97b3bfa-58fa-4ec5-ce5b-dcc84e89bb14",
    "config": {
        "enable_authorization_code": true,
        "enable_client_credentials": false,
        "enable_implicit_grant": false,
        "enable_password_grant": false,
        "hide_credentials": false,
        "mandatory_scope": true,
        "provision_key": "e1945d5b942342d0c230a899612b4461",
        "scopes": [
            "email"
        ],
        "token_expiration": 7200
    },
    "created_at": 1456268141000,
    "enabled": true,
    "id": "53152523-6011-402b-c0e4-781db2d39e18",
    "name": "oauth2"
}

Add SSL Plugin for API

http --form POST http://fc.dev:8001/apis/f97b3bfa-58fa-4ec5-ce5b-dcc84e89bb14/plugins 'name=ssl' 'config.cert=@./server.crt' 'config.key=@./server.key' 'config.only_https=true'

POST to /oauth2/authorize

http -v --verify no https://profile.fc.dev:8443/oauth2/authorize \
   'client_id=d1b0cb8290554a4dca397c5b73053d60' \
   'response_type=code' \
   'scope=email' \
   'authenticated_userid=56ba5676abbbd6160a9c3bc6' \
   'provision_key=e1945d5b942342d0c230a899612b4461'

[Verbose] Request Sent

POST /oauth2/authorize HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 197
Content-Type: application/json
Host: profile.fc.dev:8443
User-Agent: HTTPie/0.9.2

{
    "authenticated_userid": "56ba5676abbbd6160a9c3bc6",
    "client_id": "d1b0cb8290554a4dca397c5b73053d60",
    "provision_key": "e1945d5b942342d0c230a899612b4461",
    "response_type": "code",
    "scope": "email"
}

Response

HTTP/1.1 400 Bad Request
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Wed, 24 Feb 2016 19:12:34 GMT
Server: kong/0.5.4
Transfer-Encoding: chunked
cache-control: no-store
pragma: no-cache

{
    "error": "invalid_provision_key",
    "error_description": "Invalid Kong provision_key"
}

ambrons changed the title from "OAuth2 provision_key "Invalid Kong provision_key" in v0.5.4" to "OAuth2 provision_key issue with v0.5.4 running on Docker" on Feb 24, 2016
ambrons changed the title from "OAuth2 provision_key issue with v0.5.4 running on Docker" to "OAuth2 provision_key issue running on Docker" on Feb 24, 2016

ambrons commented Feb 24, 2016

I know I'm hitting the right API and therefore should be the right configuration because of the SSL. Making the same call without using the SSL port results as below:

http -v --verify no http://profile.fc.dev:8000/oauth2/authorize \
   'client_id=d1b0cb8290554a4dca397c5b73053d60' \
   'response_type=code' \
   'scope=email' \
   'authenticated_userid=56ba5676abbbd6160a9c3bc6' \
   'provision_key=e1945d5b942342d0c230a899612b4461'

[Verbose] Request Sent

POST /oauth2/authorize HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 197
Content-Type: application/json
Host: profile.fc.dev:8000
User-Agent: HTTPie/0.9.2

{
    "authenticated_userid": "56ba5676abbbd6160a9c3bc6",
    "client_id": "d1b0cb8290554a4dca397c5b73053d60",
    "provision_key": "e1945d5b942342d0c230a899612b4461",
    "response_type": "code",
    "scope": "email"
}

Response

HTTP/1.1 426 
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Wed, 24 Feb 2016 19:55:04 GMT
Server: kong/0.5.4
Transfer-Encoding: chunked
Via: kong/0.5.4
connection: Upgrade
upgrade: TLS/1.0, HTTP/1.1

{
    "message": "Please use HTTPS protocol"
}

ambrons commented Feb 25, 2016

So the issue was a subtlety I missed in how the /oauth2/authorize POST must be made. It requires a FORM post, not an application/json post. When switching to the following command for httpie it worked.

http -v --verify no --form POST http://profile.fc.dev:8000/oauth2/authorize \
   'client_id=d1b0cb8290554a4dca397c5b73053d60' \
   'response_type=code' \
   'scope=email' \
   'authenticated_userid=56ba5676abbbd6160a9c3bc6' \
   'provision_key=e1945d5b942342d0c230a899612b4461'
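
The resolution above, as an added example that is not part of the original thread and not Kong's code: it models why the same fields fail when sent as JSON (HTTPie's default) and pass with `--form`. It assumes a handler that reads `provision_key` only from a form-encoded body; the `authorize` function, its success payload, and all parameter values are hypothetical placeholders.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample values (placeholders, not the credentials from the issue).
PARAMS = {
    "client_id": "EXAMPLE_CLIENT_ID",
    "response_type": "code",
    "scope": "email",
    "authenticated_userid": "EXAMPLE_USER_ID",
    "provision_key": "EXAMPLE_PROVISION_KEY",
}


def encode_body(params, as_form):
    """Return (content_type, body) as HTTPie sends it with or without --form."""
    if as_form:
        return "application/x-www-form-urlencoded; charset=utf-8", urlencode(params)
    return "application/json", json.dumps(params)


def form_field(body, name):
    """Read one field the way a form-only handler would (assumed behaviour)."""
    values = parse_qs(body).get(name)
    return values[0] if values else None


def authorize(body, expected_key):
    """Hypothetical endpoint check returning the error shown in the issue."""
    supplied = form_field(body, "provision_key")
    # A JSON body contains no key=value pairs, so the key is never found.
    if supplied is None or not hmac.compare_digest(supplied, expected_key):
        return 400, {"error": "invalid_provision_key"}
    return 200, {"ok": True}


if __name__ == "__main__":
    for as_form in (False, True):
        content_type, body = encode_body(PARAMS, as_form)
        status, payload = authorize(body, PARAMS["provision_key"])
        print(content_type, "->", status, payload)
```
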
