Support ready for keycloak jwt authentication? #159

Closed
cdbattags opened this issue May 21, 2018 · 15 comments

Comments

@cdbattags
Contributor

cdbattags commented May 21, 2018

Hi folks!

So I've been following this tutorial:

https://eclipsesource.com/blogs/2018/01/11/authenticating-reverse-proxy-with-keycloak/

And I have an access_by_lua block of:

(EDITED)

local opts = {
  discovery = "https://auth-devci.poc.learning.amplify.com/auth/realms/Amplify/.well-known/openid-configuration",

  -- the signature algorithm that you expect has been used;
  -- can be a single string or a table.
  -- You should set this for security reasons in order to
  -- avoid accepting a token claiming to be signed by HMAC
  -- using a public RSA key.
  token_signing_alg_values_expected = { "HS256" },

  -- if you want to accept unsigned tokens (using the
  -- "none" signature algorithm) then set this to true.
  accept_none_alg = false,

  -- if you want to reject tokens signed using an algorithm
  -- not supported by lua-resty-jwt set this to false. If
  -- you leave it unset, the token signature will not be
  -- verified at all.
  accept_unsupported_alg = true
}

-- call bearer_jwt_verify for OAuth 2.0 JWT validation
local res, err = require("resty.openidc").bearer_jwt_verify(opts, nil, "pass")

if err or not res then
  ngx.status = 403
  ngx.say(err and err or "no access_token provided")
  ngx.exit(ngx.HTTP_FORBIDDEN)
end

How could I get this working using cookie jwt validation?

@cdbattags
Contributor Author

cdbattags commented May 21, 2018

With this current method I'm getting an error from keycloak of:

2018-05-21 22:07:38,215 WARN [org.keycloak.events] (default task-17) type=CODE_TO_TOKEN_ERROR, realmId=<redacted>, clientId=<redacted>, userId=null, ipAddress=<redacted>, error=expired_code, grant_type=authorization_code, code_id=<redacted>, client_auth_method=client-secret

@cdbattags
Contributor Author

cdbattags commented May 21, 2018

2018/05/21 22:27:52 [error] 5#5: *20 lua entry thread aborted: runtime error: /usr/local/openresty/luajit/share/lua/5.1/resty/openidc.lua:367: attempt to concatenate field 'client_secret' (a nil value)
stack traceback:
coroutine 0:
        /usr/local/openresty/luajit/share/lua/5.1/resty/openidc.lua: in function 'openidc_call_token_endpoint'
        /usr/local/openresty/luajit/share/lua/5.1/resty/openidc.lua:878: in function 'authenticate'

I would love a method that doesn't require this secret whatsoever.

@cdbattags
Contributor Author

cdbattags commented May 21, 2018

Ok, so I got the secret working just fine; now I'm curious how I might set up JWT auth per user in Keycloak.

https://www.nginx.com/blog/authenticating-api-clients-jwt-nginx-plus/

Something similar to what's outlined here?

@cdbattags
Contributor Author

cdbattags commented May 21, 2018

I think I'm so close, but I have no context for what this means: "jwt signature verification failed: invalid secret type (must be string or function)"

@cdbattags
Contributor Author

Finally got it working with:

local opts = {
    discovery = "https://auth-devci.poc.learning.amplify.com/auth/realms/Amplify/.well-known/openid-configuration",

    -- the signature algorithm that you expect has been used;
    -- can be a single string or a table.
    -- You should set this for security reasons in order to
    -- avoid accepting a token claiming to be signed by HMAC
    -- using a public RSA key.
    token_signing_alg_values_expected = { "RS256" },

    -- if you want to accept unsigned tokens (using the
    -- "none" signature algorithm) then set this to true.
    accept_none_alg = false,

    -- if you want to reject tokens signed using an algorithm
    -- not supported by lua-resty-jwt set this to false. If
    -- you leave it unset, the token signature will not be
    -- verified at all.
    accept_unsupported_alg = true
}

-- call bearer_jwt_verify for OAuth 2.0 JWT validation
local res, err = require("resty.openidc").bearer_jwt_verify(opts, nil, "pass")

if err or not res then
    ngx.status = 403
    ngx.say(err and err or "no access_token provided")
    ngx.exit(ngx.HTTP_FORBIDDEN)
end
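
One way to do the cookie-based variant asked about at the top of the thread, as an added example that is not cdbattags' code and not part of lua-resty-openidc itself: it reads the token from a cookie and hands it to openidc.jwt_verify, the function that bearer_jwt_verify calls once it has pulled the token out of the Authorization header (the trace later in this thread shows jwt_verify on the call path). Assumptions: the cookie is named access_token, the discovery URL is a placeholder, the X-User header name is invented for the example, and jwt_verify takes (token, opts) as documented in the library README. The option values are those of the working config above, except that accept_unsupported_alg is set to false so a token signed with an algorithm lua-resty-jwt cannot check is rejected rather than passed through unverified, which is what the option's own comment warns about.

```lua
-- Added example, not code from this thread or from lua-resty-openidc.
-- Drop into an access_by_lua_block; verifies a JWT carried in a cookie
-- instead of in "Authorization: Bearer ...".
local openidc = require("resty.openidc")

local opts = {
  -- placeholder: your realm's discovery document
  discovery = "https://<keycloak-host>/auth/realms/<realm>/.well-known/openid-configuration",

  -- allowlist of signature algorithms; anything else is refused, so a token
  -- whose header claims HS256 cannot be checked against the realm's RSA key
  token_signing_alg_values_expected = { "RS256" },

  -- never accept "alg": "none"
  accept_none_alg = false,

  -- reject (rather than silently skip verification of) algorithms
  -- lua-resty-jwt does not implement
  accept_unsupported_alg = false,
}

-- nginx exposes every request cookie as $cookie_<name>; nil when absent.
-- Assumed cookie name: access_token.
local token = ngx.var.cookie_access_token
if not token or token == "" then
  ngx.status = ngx.HTTP_UNAUTHORIZED
  ngx.say("no access_token cookie")
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- jwt_verify fetches the realm keys via the discovery document and checks
-- the signature against the algorithms listed above; claims come back as a
-- table on success, otherwise err is set.
local claims, err = openidc.jwt_verify(token, opts)
if err or not claims then
  ngx.status = ngx.HTTP_FORBIDDEN
  ngx.say(err or "token verification failed")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Forward the verified identity to the upstream on a header the upstream
-- trusts only from this proxy (assumed header name X-User). Overwriting it
-- here means a client cannot smuggle its own value through.
ngx.req.set_header("X-User", claims.preferred_username or claims.sub)
```

Because the token now travels in a cookie, the upstream should treat X-User as authoritative only when the request arrived through this proxy, and the cookie itself should carry the usual Secure and HttpOnly attributes when Keycloak or the application sets it.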

@cdbattags cdbattags reopened this May 22, 2018
@cdbattags
Contributor Author

cdbattags commented May 22, 2018

Hi folks! So this was working locally with the Dockerfile:

FROM openresty/openresty:alpine-fat

RUN mkdir /var/log/nginx
RUN apk add --no-cache openssl-dev
RUN apk add --no-cache git
RUN apk add --no-cache gcc
RUN luarocks install lua-resty-openidc
RUN cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.pem

ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]

But now as I go to install this on my box I'm getting a brand new error:

2018/05/22 22:13:12 [error] 9403#9403: *1 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/resty/evp.lua:216: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: EVP_MD_CTX_create
stack traceback:
coroutine 0:
        [C]: in function '__index'
        /usr/local/share/lua/5.1/resty/evp.lua:216: in function 'verify'
        /usr/local/share/lua/5.1/resty/jwt.lua:812: in function 'verify_jwt_obj'
        /usr/local/share/lua/5.1/resty/openidc.lua:819: in function 'openidc_load_jwt_and_verify_crypto'
        /usr/local/share/lua/5.1/resty/openidc.lua:1390: in function 'jwt_verify'
        /usr/local/share/lua/5.1/resty/openidc.lua:1427: in function 'bearer_jwt_verify'
        access_by_lua(http_overrides.conf:461):24: in function <access_by_lua(http_overrides.conf:461):1>, client: 127.0.0.1, server: <redacted>, request: "GET <redacted> HTTP/1.1", host: "<redacted>"

I installed openresty version openresty/1.13.6.2 using:

wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add - && \
sudo apt-get -y install software-properties-common && \
sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" && \
sudo apt-get update && \
sudo apt-get -y install openresty

Any help?

Edit:

I think I'm nearly there and some quick research brought me to https://stackoverflow.com/questions/46768071/openssl-linking-undefined-reference-evp-md-ctx-new-and-fre and how my nginx might be using the wrong linker? I know the method has been replaced.

@zandbelt
Contributor

Looks like your box had openssl-dev 1.1.x installed whereas openssl 1.0.x is required.
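
A startup check for the root cause zandbelt identifies, written as an added example that is not from this thread and not from lua-resty-jwt: OpenSSL 1.1.0 stopped exporting EVP_MD_CTX_create as its own symbol (it became an alias of EVP_MD_CTX_new), and lua-resty-jwt's evp.lua binds that name through the LuaJIT FFI against whatever libcrypto the nginx process has loaded, which is why the trace above fails inside '__index'. The snippet probes the loaded libcrypto the same way, so a mismatch is logged once at init time instead of aborting request handlers. Assumptions: it runs in an init_by_lua_block, and the version strings in the comments are illustrative.

```lua
-- Added example, not code from this thread or from lua-resty-jwt.
-- Intended for init_by_lua_block: report a libcrypto/lua-resty-jwt mismatch
-- once at startup rather than as a request-time "undefined symbol" abort.
local ffi = require("ffi")

-- ffi.cdef only records prototypes; no symbol is resolved until ffi.C.<name>
-- is first touched. Declaring a function that the loaded library lacks is
-- therefore harmless here, and re-declaring the same prototype later (as
-- resty/evp.lua does) is allowed for functions.
ffi.cdef[[
unsigned long OpenSSL_version_num(void);   /* OpenSSL >= 1.1.0 */
unsigned long SSLeay(void);                /* OpenSSL 1.0.x    */
void *EVP_MD_CTX_create(void);             /* exported by 1.0.x only */
void *EVP_MD_CTX_new(void);                /* exported by 1.1.x */
]]

-- True if the process's libcrypto exports the named function.
-- A missing symbol makes ffi.C[name] raise, so the lookup is wrapped in pcall.
local function has_symbol(name)
  local ok = pcall(function() return ffi.C[name] end)
  return ok
end

-- Returns the OpenSSL version number as a hex string (illustrative values:
-- "1000207f" for 1.0.2g, "1010008f" for 1.1.0h) plus the API family found.
local function openssl_version()
  if has_symbol("OpenSSL_version_num") then
    return string.format("%x", tonumber(ffi.C.OpenSSL_version_num())), "1.1+"
  end
  if has_symbol("SSLeay") then
    return string.format("%x", tonumber(ffi.C.SSLeay())), "1.0.x"
  end
  return nil, "no libcrypto version symbol found"
end

local ver, family = openssl_version()
if not ver then
  ngx.log(ngx.ERR, "openssl check: ", family)
elseif not has_symbol("EVP_MD_CTX_create") then
  -- Exactly the situation in the stack trace: the FFI bindings in
  -- resty/evp.lua expect the 1.0.x entry point.
  ngx.log(ngx.ERR, "OpenSSL ", ver, " (", family, ") loaded but EVP_MD_CTX_create is not exported; ",
    "lua-resty-jwt's evp.lua needs OpenSSL 1.0.x or a lua-resty-jwt release with 1.1 support")
else
  ngx.log(ngx.INFO, "OpenSSL ", ver, " (", family, ") loaded, EVP_MD_CTX_create present")
end
```

The check answers the question the error message leaves open: whether the libcrypto nginx actually loaded is the one the package was built against. With the mismatch logged at startup, a deployment can fail fast instead of returning 500s on the first authenticated request.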

@cdbattags
Contributor Author

Any plans to support latest openssl in the near future? Is this a quick goal in that I could get a fix/PR up if I spend a few days worth of work on it? More than willing to jump into this.

@zandbelt
Contributor

zandbelt commented May 23, 2018

That's dependent on lua-resty-jwt's support for it.

@cdbattags
Contributor Author

SkyLothar/lua-resty-jwt#79 to keep this thread updated

@miconx

miconx commented May 29, 2018

Does anyone have a solution for this problem (updated package maybe?)?
I have the problem that my Keycloak installation is not working anymore because of this :-(

@cdbattags
Contributor Author

refer to my latest comment on SkyLothar/lua-resty-jwt#79

I'm away on vacation now but back tomorrow, and I'll fork/republish the package under a new name for luarocks.

@miconx

miconx commented May 29, 2018

Are OPM packages possible too?

@cdbattags
Contributor Author

cdbattags commented May 29, 2018

Tomorrow main focus will be current workflow with luarocks but if someone wants to add a PR for OPM (OpenResty Package Manager) then be my guest. I'll push to add whatever support for https://github.com/SkyLothar/lua-resty-jwt is needed for this change.

@gene1wood
Contributor

This dependency change was merged into lua-resty-openidc in #165
