Kong API gateway OAuth2 grant_type=password invalid_client error no matter what I change
I have been setting up Kong locally and testing different kinds of setups. Currently I have Kong running in docker-compose and can reach the gateway to make requests. I pass in these environment variables:
environment:
- KONG_ADMIN_ACCESS_LOG=/dev/stdout
- KONG_ADMIN_ERROR_LOG=/dev/stderr
- KONG_PROXY_ACCESS_LOG=/dev/stdout
- KONG_PROXY_ERROR_LOG=/dev/stderr
- KONG_DATABASE=postgres
- KONG_ADMIN_LISTEN=0.0.0.0:8001
- KONG_PG_DATABASE=kong
- KONG_PG_HOST=postgres.me.io
- KONG_PG_USER=username
- KONG_PG_PASSWORD=password
- KONG_TRUSTED_IPS=0.0.0.0/0
- VIRTUAL_HOST=kong.me.io
- VIRTUAL_PORT=8080
I am trying to set up the oauth2 plugin with grant_type=password. I keep getting an invalid_client error, and nothing in the logs really tells me what is going on. I tried following https://github.com/Kong/kong/issues/2446 without any luck; even removing client_id does not work. There does not seem to be any other information about what is happening. I added trusted_ips to the envs so that I do not have to run it through SSL, which otherwise gives a "Must use https" error. What am I doing wrong to make this work? This seems like the simplest implementation, but it does not like anything.
Add a service for the backend API route
http POST http://kong.me.io:8001/services name=me.io.apis host=api.me.io port:=5000
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 300
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:33:54 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 232
{
"client_certificate": null,
"connect_timeout": 60000,
"created_at": 1574462034,
"host": "api.me.io",
"id": "6f12367c-d92b-4334-a654-8f2d706b70e6",
"name": "me.io.apis",
"path": null,
"port": 5000,
"protocol": "http",
"read_timeout": 60000,
"retries": 5,
"tags": null,
"updated_at": 1574462034,
"write_timeout": 60000
}
Create a route for the backend API path
http POST http://kong.me.io:8001/services/6f12367c-d92b-4334-a654-8f2d706b70e6/routes hosts:='["api.me.io"]' paths:='["/apis"]'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 417
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:34:29 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 22
{
"created_at": 1574462069,
"destinations": null,
"headers": null,
"hosts": [
"api.me.io"
],
"https_redirect_status_code": 426,
"id": "92ff918e-2a05-4768-866e-3a3061d563e4",
"methods": null,
"name": null,
"paths": [
"/apis"
],
"preserve_host": false,
"protocols": [
"http",
"https"
],
"regex_priority": 0,
"service": {
"id": "6f12367c-d92b-4334-a654-8f2d706b70e6"
},
"snis": null,
"sources": null,
"strip_path": true,
"tags": null,
"updated_at": 1574462069
}
Create the OAuth plugin on the backend route
http POST http://kong.me.io:8001/services/6f12367c-d92b-4334-a654-8f2d706b70e6/plugins name=oauth2 config:='{"enable_password_grant": true, "accept_http_if_already_terminated": true}'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 682
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:35:19 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 139
{
"config": {
"accept_http_if_already_terminated": true,
"anonymous": null,
"auth_header_name": "authorization",
"enable_authorization_code": false,
"enable_client_credentials": false,
"enable_implicit_grant": false,
"enable_password_grant": true,
"global_credentials": false,
"hide_credentials": false,
"mandatory_scope": false,
"provision_key": "uijq0y4dBFZITqirZ9QJr18DeHjaMpXS",
"refresh_token_ttl": 1209600,
"scopes": null,
"token_expiration": 7200
},
"consumer": null,
"created_at": 1574462119,
"enabled": true,
"id": "c3d21c32-9062-49bd-a2b0-66b4fa6ac320",
"name": "oauth2",
"protocols": [
"grpc",
"grpcs",
"http",
"https"
],
"route": null,
"run_on": "first",
"service": {
"id": "6f12367c-d92b-4334-a654-8f2d706b70e6"
},
"tags": null
}
Create a consumer to test with
http POST http://kong.me.io:8001/consumers username=me@me.com custom_id=5b6215eed6814902e4d53d24
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 162
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:37:29 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 20
{
"created_at": 1574462249,
"custom_id": "5b6215eed6814902e4d53d24",
"id": "f1b5fb00-df6e-4089-b4b8-639ceb4e6a80",
"tags": null,
"username": "me@me.com"
}
Add a client ID to the test consumer
http POST http://kong.me.io:8001/consumers/f1b5fb00-df6e-4089-b4b8-639ceb4e6a80/oauth2 name='me@me.com'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 295
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:41:21 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 29
{
"client_id": "03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL",
"client_secret": "nfW39yTNiDEVShtVIHovjC1aXm1VlxPd",
"consumer": {
"id": "f1b5fb00-df6e-4089-b4b8-639ceb4e6a80"
},
"created_at": 1574462481,
"id": "d533d1ad-3d2b-47ef-af87-33f7b14dbb88",
"name": "me@me.com",
"redirect_uris": null,
"tags": null
}
Test whether I can get a key back from Kong
http POST http://api.me.io:8080/apis/oauth2/token "x-forwarded-proto: https" authenticated_userid="5b6215eed6814902e4d53d24" client_id="03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL" client_secret="nfW39yTNiDEVShtVIHovjC1aXm1VlxPd" grant_type=password provision_key="uijq0y4dBFZITqirZ9QJr18DeHjaMpXS" username="me@me.com" password="password" -vv
POST /apis/oauth2/token HTTP/1.1
Accept: application/json, */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 301
Content-Type: application/json
Host: api.me.io:8080
User-Agent: HTTPie/1.0.2
x-forwarded-proto: https
{
"authenticated_userid": "5b6215eed6814902e4d53d24",
"client_id": "03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL",
"client_secret": "nfW39yTNiDEVShtVIHovjC1aXm1VlxPd",
"grant_type": "password",
"password": "password",
"provision_key": "uijq0y4dBFZITqirZ9QJr18DeHjaMpXS",
"username": "me@me.com"
}
HTTP/1.1 400 Bad Request
Connection: keep-alive
Content-Length: 78
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:45:14 GMT
Server: kong/1.4.0
X-Kong-Response-Latency: 25
cache-control: no-store
pragma: no-cache
{
"error": "invalid_client",
"error_description": "Invalid client authentication"
}
You need to add a redirect URL to the consumer's OAuth2 credential, or what this tutorial https://medium.com/@far3ns/kong-oauth-2-0-plugin-38faf938a468#f9d5 calls an application; if you do that, you will not fall into this if:
-- Excerpt from the Kong oauth2 plugin's token handler
local allowed_redirect_uris, client = get_redirect_uris(client_id)
if not (grant_type == GRANT_CLIENT_CREDENTIALS) then
  if allowed_redirect_uris then
    -- fall back to the first registered redirect_uri when the request omits it
    local redirect_uri = parameters[REDIRECT_URI] and
                         parameters[REDIRECT_URI] or
                         allowed_redirect_uris[1]
    if not table_contains(allowed_redirect_uris, redirect_uri) then
      response_params = {
        [ERROR] = "invalid_request",
        error_description = "Invalid " .. REDIRECT_URI .. " that does " ..
                            "not match with any redirect_uri created " ..
                            "with the application"
      }
    end
  end
end
You may need to do it over https (using port 8443 instead). You need to do something like this:
curl -X POST \
--url "https://api.me.io:8443/apis/oauth2/token" \
--header "Host: api.me.io" \
--data "grant_type=password" \
--data "client_id=03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL" \
--data "client_secret=nfW39yTNiDEVShtVIHovjC1aXm1VlxPd" \
--data "provision_key=uijq0y4dBFZITqirZ9QJr18DeHjaMpXS" \
--data "redirect_uri=http://localhost/cb/" \
--data "authenticated_userid=me@me.com" \
--insecure
You should also specify a redirect URI (it will not be called anyway). I am not sure why that is, but adding it gave me fewer headaches. You can follow this link for more details on how to do this.
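As an added example that is not part of the question or either answer, here is a small stdlib-only Python client doing what the two answers recommend: it registers the consumer's OAuth2 credential with redirect_uris and requests the password-grant token over Kong's TLS proxy port with certificate verification. The host names, port 8443, the route path, the consumer id and the CA bundle path are assumptions.

```python
"""Added example (not code from the question, the answers or Kong): a stdlib
client for what the answers recommend: register the consumer's OAuth2 credential
WITH redirect_uris, then request a password-grant token over the TLS proxy port.
Hosts, ports, route path, consumer id and CA bundle path are assumptions."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

ADMIN_URL = "http://kong.me.io:8001"  # assumption: Admin API as in the question
PROXY_URL = "https://api.me.io:8443"  # assumption: Kong's default TLS proxy port


def _post(url, data, content_type, context=None):
    """POST raw bytes; return (status, JSON body) without raising on 4xx."""
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, context=context) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def create_oauth2_credential(consumer_id, name, redirect_uris):
    """Create the consumer's OAuth2 application *with* redirect_uris; the
    question's credential came back with "redirect_uris": null."""
    body = json.dumps({"name": name, "redirect_uris": redirect_uris}).encode()
    return _post(f"{ADMIN_URL}/consumers/{consumer_id}/oauth2", body,
                 "application/json")


def password_grant_form(client_id, client_secret, provision_key, user_id):
    """Form body for Kong's password grant: Kong does not verify username and
    password itself; the app proves it did via provision_key + authenticated_userid."""
    return urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "provision_key": provision_key,
        "authenticated_userid": user_id}).encode()


def request_token(route_path, form, cafile):
    """Send the grant over TLS with certificate verification (no --insecure)."""
    ctx = ssl.create_default_context(cafile=cafile)
    return _post(f"{PROXY_URL}{route_path}/oauth2/token", form,
                 "application/x-www-form-urlencoded", ctx)


def token_or_error(status, body):
    """(True, access_token) on success, else (False, OAuth2 error code)."""
    if status == 200 and "access_token" in body:
        return True, body["access_token"]
    return False, body.get("error", f"http_{status}")
```

Talking to the TLS port also removes the need for the question's hand-set x-forwarded-proto: https header, which Kong only honours because KONG_TRUSTED_IPS=0.0.0.0/0 tells it to trust that header from any source address.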