Tags: nginx, oauth-2.0, api-gateway, kong, kong-plugin

Kong API gateway Oauth2 grant_type=password invalid_client error no matter what I change


I have been setting up Kong locally and testing different kinds of setups. Currently I have kong running inside docker-compose with access to the gateway making requests. Passing in these env variables

environment:
  - KONG_ADMIN_ACCESS_LOG=/dev/stdout
  - KONG_ADMIN_ERROR_LOG=/dev/stderr
  - KONG_PROXY_ACCESS_LOG=/dev/stdout
  - KONG_PROXY_ERROR_LOG=/dev/stderr
  - KONG_DATABASE=postgres
  - KONG_ADMIN_LISTEN=0.0.0.0:8001
  - KONG_PG_DATABASE=kong
  - KONG_PG_HOST=postgres.me.io
  - KONG_PG_USER=username
  - KONG_PG_PASSWORD=password
  - KONG_TRUSTED_IPS=0.0.0.0/0
  - VIRTUAL_HOST=kong.me.io
  - VIRTUAL_PORT=8080

I am trying to set up the oauth2 plugin with grant_type=password. I am constantly getting an invalid_client error with nothing in the logs to really tell me what's going on. I have tried following https://github.com/Kong/kong/issues/2446 without any luck; even removing the client_id doesn't work. There doesn't seem to be any other information out there that indicates what's going on. I have added trusted_ips to the envs so that I don't run it over SSL, which if you don't gives an error of "Must use https". What am I doing wrong to make this work? This seemed to be the easiest implementation but it doesn't like anything.

Add a service for backend apis routes

http POST http://kong.me.io:8001/services name=me.io.apis host=api.me.io port:=5000

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 300
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:33:54 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 232

{
    "client_certificate": null,
    "connect_timeout": 60000,
    "created_at": 1574462034,
    "host": "api.me.io",
    "id": "6f12367c-d92b-4334-a654-8f2d706b70e6",
    "name": "me.io.apis",
    "path": null,
    "port": 5000,
    "protocol": "http",
    "read_timeout": 60000,
    "retries": 5,
    "tags": null,
    "updated_at": 1574462034,
    "write_timeout": 60000
}

Create a route for backend apis paths

http POST http://kong.me.io:8001/services/6f12367c-d92b-4334-a654-8f2d706b70e6/routes hosts:='["api.me.io"]' paths:='["/apis"]'

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 417
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:34:29 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 22

{
    "created_at": 1574462069,
    "destinations": null,
    "headers": null,
    "hosts": [
        "api.me.io"
    ],
    "https_redirect_status_code": 426,
    "id": "92ff918e-2a05-4768-866e-3a3061d563e4",
    "methods": null,
    "name": null,
    "paths": [
        "/apis"
    ],
    "preserve_host": false,
    "protocols": [
        "http",
        "https"
    ],
    "regex_priority": 0,
    "service": {
        "id": "6f12367c-d92b-4334-a654-8f2d706b70e6"
    },
    "snis": null,
    "sources": null,
    "strip_path": true,
    "tags": null,
    "updated_at": 1574462069
}

Create Oauth plugin on backend routes

http POST http://kong.me.io:8001/services/6f12367c-d92b-4334-a654-8f2d706b70e6/plugins name=oauth2 config:='{"enable_password_grant": true, "accept_http_if_already_terminated": true}'

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 682
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:35:19 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 139

{
    "config": {
        "accept_http_if_already_terminated": true,
        "anonymous": null,
        "auth_header_name": "authorization",
        "enable_authorization_code": false,
        "enable_client_credentials": false,
        "enable_implicit_grant": false,
        "enable_password_grant": true,
        "global_credentials": false,
        "hide_credentials": false,
        "mandatory_scope": false,
        "provision_key": "uijq0y4dBFZITqirZ9QJr18DeHjaMpXS",
        "refresh_token_ttl": 1209600,
        "scopes": null,
        "token_expiration": 7200
    },
    "consumer": null,
    "created_at": 1574462119,
    "enabled": true,
    "id": "c3d21c32-9062-49bd-a2b0-66b4fa6ac320",
    "name": "oauth2",
    "protocols": [
        "grpc",
        "grpcs",
        "http",
        "https"
    ],
    "route": null,
    "run_on": "first",
    "service": {
        "id": "6f12367c-d92b-4334-a654-8f2d706b70e6"
    },
    "tags": null
}

Create a consumer to test with

http POST http://kong.me.io:8001/consumers username=me@me.com custom_id=5b6215eed6814902e4d53d24

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 162
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:37:29 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 20

{
    "created_at": 1574462249,
    "custom_id": "5b6215eed6814902e4d53d24",
    "id": "f1b5fb00-df6e-4089-b4b8-639ceb4e6a80",
    "tags": null,
    "username": "me@me.com"
}

Add a client id to the test consumer

http POST http://kong.me.io:8001/consumers/f1b5fb00-df6e-4089-b4b8-639ceb4e6a80/oauth2 name='me@me.com'

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 295
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:41:21 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 29

{
    "client_id": "03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL",
    "client_secret": "nfW39yTNiDEVShtVIHovjC1aXm1VlxPd",
    "consumer": {
        "id": "f1b5fb00-df6e-4089-b4b8-639ceb4e6a80"
    },
    "created_at": 1574462481,
    "id": "d533d1ad-3d2b-47ef-af87-33f7b14dbb88",
    "name": "me@me.com",
    "redirect_uris": null,
    "tags": null
}

Test that you can get keys back from kong

http POST http://api.me.io:8080/apis/oauth2/token "x-forwarded-proto: https" authenticated_userid="5b6215eed6814902e4d53d24" client_id="03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL" client_secret="nfW39yTNiDEVShtVIHovjC1aXm1VlxPd" grant_type=password provision_key="uijq0y4dBFZITqirZ9QJr18DeHjaMpXS" username="me@me.com" password="password" -vv

POST /apis/oauth2/token HTTP/1.1
Accept: application/json, */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 301
Content-Type: application/json
Host: api.me.io:8080
User-Agent: HTTPie/1.0.2
x-forwarded-proto: https

{
    "authenticated_userid": "5b6215eed6814902e4d53d24",
    "client_id": "03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL",
    "client_secret": "nfW39yTNiDEVShtVIHovjC1aXm1VlxPd",
    "grant_type": "password",
    "password": "password",
    "provision_key": "uijq0y4dBFZITqirZ9QJr18DeHjaMpXS",
    "username": "me@me.com"
}

HTTP/1.1 400 Bad Request
Connection: keep-alive
Content-Length: 78
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:45:14 GMT
Server: kong/1.4.0
X-Kong-Response-Latency: 25
cache-control: no-store
pragma: no-cache

{
    "error": "invalid_client",
    "error_description": "Invalid client authentication"
}

Solution

  • You may need to do it over https (using port 8443 instead). You need to do something like this:

    curl -X POST \
      --url "https://api.me.io:8443/apis/oauth2/token" \
      --header "Host: api.me.io" \
      --data "grant_type=password" \
      --data "client_id=03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL" \
      --data "client_secret=nfW39yTNiDEVShtVIHovjC1aXm1VlxPd" \
      --data "provision_key=uijq0y4dBFZITqirZ9QJr18DeHjaMpXS" \
      --data "redirect_uri=http://localhost/cb/" \
      --data "authenticated_userid=me@me.com" \
      --insecure


    You should also specify a redirect_uri (which won't be called anyway). I'm not sure why this is so, but adding that gave me less of a headache. You can follow this link for more details on how to go about this.
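A small client for the password-grant call the answer shows, added here as an example that is not code from the question or the answer. It assumes the gateway from the thread terminates TLS on api.me.io:8443 (so the plugin's https requirement is met without the X-Forwarded-Proto header the question relied on), sends the body form-encoded as the curl does, and verifies the gateway certificate against a CA bundle you supply instead of passing `--insecure`.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Values from the thread: TLS proxy port 8443, route /apis on host api.me.io (assumed).
TOKEN_URL = "https://api.me.io:8443/apis/oauth2/token"


def build_password_grant_form(client_id, client_secret, provision_key,
                              authenticated_userid, redirect_uri="http://localhost/cb/"):
    """Form-encode the fields the answer's curl sends (a form body, not JSON)."""
    fields = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        # provision_key identifies the trusted backend that already verified the
        # user's password; it is a server-side secret, never handed to end users.
        "provision_key": provision_key,
        "authenticated_userid": authenticated_userid,
        "redirect_uri": redirect_uri,
    }
    return urllib.parse.urlencode(fields).encode()


def parse_token_response(status, body):
    """Return (token_dict, None) on success, or (None, 'error: description')."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return data, None
    return None, f"{data.get('error', status)}: {data.get('error_description', '')}"


def request_token(form, url=TOKEN_URL, ca_bundle=None):
    """POST the form over TLS, checking the gateway cert against ca_bundle (a PEM
    path, e.g. your local CA) instead of disabling verification like --insecure."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # Kong answers 400 with an OAuth error body
        return parse_token_response(err.code, err.read())
```

Call `request_token(build_password_grant_form(...), ca_bundle="/path/to/ca.pem")` from the backend that holds the provision_key; the returned tuple separates a real token from Kong's error envelope such as the invalid_client body in the question.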