Access web app via Kong gateway with Keycloak – part 2

Create Keycloak client

  • Add client (e.g., oidc-hello)
  • Make it 'confidential' and get secret key
  • Add user (e.g., test)

Kong plugins

We will try the open source kong-oidc plugin:
https://github.com/nokia/kong-oidc

Install luarocks

https://github.com/luarocks/luarocks/wiki/Installation-instructions-for-Unix

Now install the plugin:

luarocks install kong-oidc

Check the /usr/local/share/lua folder; if several Lua versions are installed, find which version folder the oidc plugin landed in (luarocks may install it for Lua 5.3 while Kong loads plugins from the Lua 5.1 tree).
Copy the installed oidc folder into Kong's Lua 5.1 plugins folder:

sudo cp -R /usr/local/share/lua/5.3/kong/plugins/oidc /usr/local/share/lua/5.1/kong/plugins/

Register the plugin in the Kong config file or via an environment variable:

# kong config file, add oidc to plugins
vim /etc/kong/kong.conf
# plugins = bundled,oidc

# add to environmental variables
export KONG_PLUGINS=oidc

Enable the plugin on the service.

Parameters:

  parameter             value
  name                  Plugin name: 'oidc'
  config.client_id      Client id of the Keycloak client
  config.client_secret  Client secret configured in Keycloak
  config.discovery      Keycloak realm discovery URL

curl -i -X POST \
--url http://localhost:8001/services/hello-service/plugins/ \
--data 'name=oidc&config.client_id=oidc-hello&config.client_secret=xxxx-xxx-xxx-xxx&config.discovery=https%3A%2F%2Fkeycloak.minamirnd.work%2Fauth%2Frealms%2Foidc-minamirnd%2F.well-known%2Fopenid-configuration'

HTTP/1.1 201 Created
Date: Sun, 26 Sep 2021 07:26:34 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Content-Length: 767
X-Kong-Admin-Latency: 247
Server: kong/2.5.1

{"route":null,"id":"a6d042e5-3153-448d-8dd4-e6a391e573dc","protocols":["grpc","grpcs","http","https"],"name":"oidc","config":{"filters":null,"recovery_page_path":null,"session_secret":null,"client_secret":"18f521c1-5ce8-44ea-a982-f1acf98abf9e","discovery":"https://keycloak.minamirnd.work/.well-known/openid-configuration","realm":"kong","redirect_uri_path":null,"response_type":"code","token_endpoint_auth_method":"client_secret_post","logout_path":"/logout","client_id":"oidc-hello","ssl_verify":"no","scope":"openid","redirect_after_logout_uri":"/","introspection_endpoint_auth_method":null,"bearer_only":"no","introspection_endpoint":null},"enabled":true,"created_at":1632641194,"consumer":null,"tags":null,"service":{"id":"dcdade9b-1eff-47b9-82a9-3c9d2af531de"}}
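The request above is the whole enable step, but the body it posts has to be form-encoded by hand and the config Kong echoes back deserves a look before the route goes live: note that the response carries "ssl_verify":"no", so the plugin will not verify the TLS certificate of the Keycloak endpoints it talks to. The script below is an added example (not from the original post or the kong-oidc project); it builds the POST body with a small percent-encoder, sends it to the Admin API, and audits the returned config for that setting and for a plain-http discovery URL. The Admin API address, service name and client secret are placeholders.

```shell
#!/bin/sh
# Added example: enable kong-oidc on a Kong service via the Admin API and
# audit the plugin config that Kong returns. Not from the original post.
# Assumptions (placeholders): Admin API at $KONG_ADMIN, service name and
# client secret supplied by the caller.

KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"

# urlencode STR : percent-encode STR for an x-www-form-urlencoded body
# (ASCII input; unreserved characters are passed through unchanged).
urlencode() {
    ue_in="$1"; ue_out=""
    while [ -n "$ue_in" ]; do
        ue_c="${ue_in%"${ue_in#?}"}"   # first character of the remaining input
        ue_in="${ue_in#?}"             # drop it from the input
        case "$ue_c" in
            [A-Za-z0-9.~_-]) ue_out="$ue_out$ue_c" ;;
            *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
        esac
    done
    printf '%s' "$ue_out"
}

# build_plugin_body CLIENT_ID CLIENT_SECRET DISCOVERY_URL
# Produces the same body shape as the curl command in the post.
build_plugin_body() {
    printf 'name=oidc&config.client_id=%s&config.client_secret=%s&config.discovery=%s' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# audit_plugin_config JSON : returns 0 when the echoed config has no obvious
# weak setting, otherwise prints each finding to stderr and returns 1.
# Assumes the compact JSON layout Kong's Admin API returns.
audit_plugin_config() {
    apc_rc=0
    if printf '%s' "$1" | grep -q '"ssl_verify":"no"'; then
        echo 'WARN: ssl_verify=no, the TLS certificate of the Keycloak discovery/token endpoints is not verified' >&2
        apc_rc=1
    fi
    if printf '%s' "$1" | grep -q '"discovery":"http:'; then
        echo 'WARN: discovery URL uses plain http, tokens and metadata would travel unencrypted' >&2
        apc_rc=1
    fi
    return $apc_rc
}

# enable_oidc SERVICE CLIENT_ID CLIENT_SECRET DISCOVERY_URL
# POSTs the plugin to the service and audits the response; non-zero exit
# means either the request failed or the audit found a weak setting.
enable_oidc() {
    eo_resp=$(curl -sS -X POST "$KONG_ADMIN/services/$1/plugins/" \
        --data "$(build_plugin_body "$2" "$3" "$4")") || return 1
    printf '%s\n' "$eo_resp"
    audit_plugin_config "$eo_resp"
}

# Usage (placeholder values):
#   enable_oidc hello-service oidc-hello 'REPLACE-WITH-CLIENT-SECRET' \
#       'https://keycloak.example.com/auth/realms/demo/.well-known/openid-configuration'
```

To fix the finding the audit reports, re-create the plugin with config.ssl_verify=yes in the body (the parameter is visible in the response above), so the gateway refuses to talk to an identity provider whose certificate it cannot validate.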

Access web app

Let us try accessing https://your.domain.com:8443


Error

We got an error accessing the web app.

Error log (/usr/local/kong/logs/error.log):

2021/09/26 16:23:39 [notice] 93377#0: *1 [lua] warmup.lua:129: single_dao(): finished preloading 'services' into the core_cache (in 154ms), context: init_worker_by_lua*
2021/09/26 16:30:31 [error] 93377#0: *1085 [kong] init.lua:282 [oidc] /usr/local/share/lua/5.1/kong/plugins/oidc/handler.lua:47: module 'resty.openidc' not found:No LuaRocks module found for resty.openidc
        no field package.preload['resty.openidc']
        no file './resty/openidc.lua'
        no file './resty/openidc/init.lua'
        no file '/usr/local/openresty/site/lualib/resty/openidc.ljbc'
        no file '/usr/local/openresty/site/lualib/resty/openidc/init.ljbc'
        no file '/usr/local/openresty/lualib/resty/openidc.ljbc'
        no file '/usr/local/openresty/lualib/resty/openidc/init.ljbc'
        no file '/usr/local/openresty/site/lualib/resty/openidc.lua'
        no file '/usr/local/openresty/site/lualib/resty/openidc/init.lua'
        no file '/usr/local/openresty/lualib/resty/openidc.lua'
        no file '/usr/local/openresty/lualib/resty/openidc/init.lua'
        no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/resty/openidc.lua'
        no file '/usr/local/share/lua/5.1/resty/openidc.lua'
        no file '/usr/local/share/lua/5.1/resty/openidc/init.lua'
        no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openidc.lua'
        no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openidc/init.lua'
        no file '/home/kong/.luarocks/share/lua/5.1/resty/openidc.lua'
        no file '/home/kong/.luarocks/share/lua/5.1/resty/openidc/init.lua'
        no file '/usr/local/openresty/site/lualib/resty/openidc.so'
        no file '/usr/local/openresty/lualib/resty/openidc.so'
        no file './resty/openidc.so'
        no file '/usr/local/lib/lua/5.1/resty/openidc.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/openidc.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file '/home/kong/.luarocks/lib/lua/5.1/resty/openidc.so'
        no file '/usr/local/openresty/site/lualib/resty.so'
        no file '/usr/local/openresty/lualib/resty.so'
        no file './resty.so'
        no file '/usr/local/lib/lua/5.1/resty.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file '/home/kong/.luarocks/lib/lua/5.1/resty.so', client: 118.237.115.142, server: kong, request: "GET / HTTP/2.0", host: "hello.minamirnd.work:8443"

The missing module, resty.openidc, comes from lua-resty-openidc; the kong-oidc plugin page lists it as a dependency:

https://github.com/nokia/kong-oidc#dependencies
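Because Kong only logs the missing module at request time, it is worth resolving the plugin's modules against Kong's search path before restarting. The script below is an added example (not from the original post or the kong-oidc project) that walks the Lua roots listed in the error log above and reports which modules resolve and which do not; the list of roots is taken from that log and can be overridden with LUA_ROOTS.

```shell
#!/bin/sh
# Added example: check that the Lua modules the oidc plugin needs are on
# the paths Kong searches. Not from the original post.
# Default roots are the ones that appear in Kong's error log above.

LUA_ROOTS="${LUA_ROOTS:-/usr/local/share/lua/5.1:/usr/local/openresty/lualib:/usr/local/openresty/site/lualib:/usr/local/openresty/luajit/share/lua/5.1}"

# find_lua_module NAME [ROOTS] : prints the file that would satisfy
# require("NAME") (NAME dotted, e.g. resty.openidc) and returns 0, or
# returns 1 when neither NAME.lua nor NAME/init.lua exists under any root.
find_lua_module() {
    flm_path=$(printf '%s' "$1" | tr '.' '/')
    flm_roots="${2:-$LUA_ROOTS}"
    flm_ifs="$IFS"; IFS=':'
    for flm_root in $flm_roots; do
        for flm_cand in "$flm_root/$flm_path.lua" "$flm_root/$flm_path/init.lua"; do
            if [ -f "$flm_cand" ]; then
                IFS="$flm_ifs"
                printf '%s\n' "$flm_cand"
                return 0
            fi
        done
    done
    IFS="$flm_ifs"
    return 1
}

# check_plugin_deps : resolve the plugin handler and its resty.openidc
# dependency; the return value is the number of modules that are missing.
check_plugin_deps() {
    cpd_missing=0
    for cpd_mod in kong.plugins.oidc.handler resty.openidc; do
        if cpd_file=$(find_lua_module "$cpd_mod"); then
            echo "ok       $cpd_mod -> $cpd_file"
        else
            echo "MISSING  $cpd_mod (install it with luarocks and make sure it lands on one of: $LUA_ROOTS)"
            cpd_missing=$((cpd_missing + 1))
        fi
    done
    return $cpd_missing
}

# Run the check when invoked as:  sh check_deps.sh --check
case "${1:-}" in
    --check) check_plugin_deps ;;
esac
```

A non-zero exit from check_plugin_deps tells you in advance that a restart would reproduce the "module 'resty.openidc' not found" error; the same helper can be pointed at a single luarocks tree (second argument) to confirm where a freshly installed rock actually went before copying it into Kong's Lua 5.1 folder.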
