Kong API gateway Oauth2 grant_type=password invalid_client 错误，无论我更改啥

Posted 2023-03-28

【中文标题】Kong API gateway Oauth2 grant_type=password invalid_client 错误，无论我更改啥

【英文标题】：Kong API gateway Oauth2 grant_type=password invalid_client error no matter what I changeKong API gateway Oauth2 grant_type=password invalid_client 错误，无论我更改什么

【发布时间】：2020-03-19 01:03:45

【问题描述】：

我一直在本地设置 Kong 并测试不同类型的设置。目前，我有 kong 在 docker-compose 内运行，可以访问发出请求的网关。传入这些环境变量

environment:
  - KONG_ADMIN_ACCESS_LOG=/dev/stdout
  - KONG_ADMIN_ERROR_LOG=/dev/stderr
  - KONG_PROXY_ACCESS_LOG=/dev/stdout
  - KONG_PROXY_ERROR_LOG=/dev/stderr
  - KONG_DATABASE=postgres
  - KONG_ADMIN_LISTEN=0.0.0.0:8001
  - KONG_PG_DATABASE=kong
  - KONG_PG_HOST=postgres.me.io
  - KONG_PG_USER=username
  - KONG_PG_PASSWORD=password
  - KONG_TRUSTED_IPS=0.0.0.0/0
  - VIRTUAL_HOST=kong.me.io
  - VIRTUAL_PORT=8080

我正在尝试使用 grant_type=password 设置 oauth2 插件。我经常收到invalid_client 错误，日志中没有任何内容可以真正告诉我发生了什么。我尝试关注https://github.com/Kong/kong/issues/2446，但没有任何运气，即使删除client_id 也不起作用。似乎没有任何其他信息表明发生了什么。我已将trusted_ips 添加到环境中，这样我就不会在 ssl 上运行它，如果你不给出Must use https 的错误。我做错了什么来完成这项工作？这似乎是最简单的实现，但它不喜欢任何东西。

为后端 api 路由添加服务

http POST http://kong.me.io:8001/services name=me.io.apis host=api.me.io port:=5000

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 300
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:33:54 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 232


    "client_certificate": null,
    "connect_timeout": 60000,
    "created_at": 1574462034,
    "host": "api.me.io",
    "id": "6f12367c-d92b-4334-a654-8f2d706b70e6",
    "name": "me.io.apis",
    "path": null,
    "port": 5000,
    "protocol": "http",
    "read_timeout": 60000,
    "retries": 5,
    "tags": null,
    "updated_at": 1574462034,
    "write_timeout": 60000

为后端 api 路径创建路由

http POST http://kong.me.io:8001/services/6f12367c-d92b-4334-a654-8f2d706b70e6/routes hosts:='["api.me.io"]' paths:='["/apis"]'

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 417
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:34:29 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 22


    "created_at": 1574462069,
    "destinations": null,
    "headers": null,
    "hosts": [
        "api.me.io"
    ],
    "https_redirect_status_code": 426,
    "id": "92ff918e-2a05-4768-866e-3a3061d563e4",
    "methods": null,
    "name": null,
    "paths": [
        "/apis"
    ],
    "preserve_host": false,
    "protocols": [
        "http",
        "https"
    ],
    "regex_priority": 0,
    "service": 
        "id": "6f12367c-d92b-4334-a654-8f2d706b70e6"
    ,
    "snis": null,
    "sources": null,
    "strip_path": true,
    "tags": null,
    "updated_at": 1574462069

在后端路由上创建 Oauth 插件

http POST http://kong.me.io:8001/services/6f12367c-d92b-4334-a654-8f2d706b70e6/plugins name=oauth2 config:='"enable_password_grant": true, "accept_http_if_already_terminated": true'

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 682
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:35:19 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 139


    "config": 
        "accept_http_if_already_terminated": true,
        "anonymous": null,
        "auth_header_name": "authorization",
        "enable_authorization_code": false,
        "enable_client_credentials": false,
        "enable_implicit_grant": false,
        "enable_password_grant": true,
        "global_credentials": false,
        "hide_credentials": false,
        "mandatory_scope": false,
        "provision_key": "uijq0y4dBFZITqirZ9QJr18DeHjaMpXS",
        "refresh_token_ttl": 1209600,
        "scopes": null,
        "token_expiration": 7200
    ,
    "consumer": null,
    "created_at": 1574462119,
    "enabled": true,
    "id": "c3d21c32-9062-49bd-a2b0-66b4fa6ac320",
    "name": "oauth2",
    "protocols": [
        "grpc",
        "grpcs",
        "http",
        "https"
    ],
    "route": null,
    "run_on": "first",
    "service": 
        "id": "6f12367c-d92b-4334-a654-8f2d706b70e6"
    ,
    "tags": null

创建一个消费者来测试

http POST http://kong.me.io:8001/consumers username=me@me.com custom_id=5b6215eed6814902e4d53d24

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 162
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:37:29 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 20


    "created_at": 1574462249,
    "custom_id": "5b6215eed6814902e4d53d24",
    "id": "f1b5fb00-df6e-4089-b4b8-639ceb4e6a80",
    "tags": null,
    "username": "me@me.com"

向测试消费者添加客户端 ID

http POST http://kong.me.io:8001/consumers/f1b5fb00-df6e-4089-b4b8-639ceb4e6a80/oauth2 name='me@me.com'

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 295
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:41:21 GMT
Server: kong/1.4.0
X-Kong-Admin-Latency: 29


    "client_id": "03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL",
    "client_secret": "nfW39yTNiDEVShtVIHovjC1aXm1VlxPd",
    "consumer": 
        "id": "f1b5fb00-df6e-4089-b4b8-639ceb4e6a80"
    ,
    "created_at": 1574462481,
    "id": "d533d1ad-3d2b-47ef-af87-33f7b14dbb88",
    "name": "me@me.com",
    "redirect_uris": null,
    "tags": null

测试是否可以从 kong 取回密钥

http POST http://api.me.io:8080/apis/oauth2/token "x-forwarded-proto: https" authenticated_userid="5b6215eed6814902e4d53d24" client_id="03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL" client_secret="nfW39yTNiDEVShtVIHovjC1aXm1VlxPd" grant_type=password provision_key="uijq0y4dBFZITqirZ9QJr18DeHjaMpXS" username="me@me.com" password="password" -vv

POST /apis/oauth2/token HTTP/1.1
Accept: application/json, */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 301
Content-Type: application/json
Host: api.me.io:8080
User-Agent: HTTPie/1.0.2
x-forwarded-proto: https


    "authenticated_userid": "5b6215eed6814902e4d53d24",
    "client_id": "03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL",
    "client_secret": "nfW39yTNiDEVShtVIHovjC1aXm1VlxPd",
    "grant_type": "password",
    "password": "password",
    "provision_key": "uijq0y4dBFZITqirZ9QJr18DeHjaMpXS",
    "username": "me@me.com"


HTTP/1.1 400 Bad Request
Connection: keep-alive
Content-Length: 78
Content-Type: application/json; charset=utf-8
Date: Fri, 22 Nov 2019 22:45:14 GMT
Server: kong/1.4.0
X-Kong-Response-Latency: 25
cache-control: no-store
pragma: no-cache


    "error": "invalid_client",
    "error_description": "Invalid client authentication"

【参考方案1】：

您可能需要通过 https 进行此操作（使用端口 8443 代替）。你需要做这样的事情：

curl -X POST \
  --url "https://api.me.io:8443/apis/oauth2/token " \
  --header "Host: api.me.io" \
  --data "grant_type=password" \
  --data "client_id=03N4ehIbe44hYhnjGwO8hfW8jTHnxLSL" \
  --data "client_secret=nfW39yTNiDEVShtVIHovjC1aXm1VlxPd" \
  --data "provision_key=uijq0y4dBFZITqirZ9QJr18DeHjaMpXS"\
  --data "redirect_uri=http://localhost/cb/" \
  --data "authenticated_userid=me@me.com"  \
  --insecure

您还应该指定一个重定向 uri（无论如何都不会调用它）。我不确定为什么会这样，但添加这让我不那么头疼了。您可以关注此link，了解有关如何进行此操作的更多详细信息

【参考方案2】：

您需要在消费者凭证 oauth 中添加重定向 url，或者本教程 https://medium.com/@far3ns/kong-oauth-2-0-plugin-38faf938a468#f9d5 调用的应用程序，如果您这样做，则不会属于此情况

local allowed_redirect_uris, client = get_redirect_uris(client_id)
    if not (grant_type == GRANT_CLIENT_CREDENTIALS) then
      if allowed_redirect_uris then
        local redirect_uri = parameters[REDIRECT_URI] and
          parameters[REDIRECT_URI] or
          allowed_redirect_uris[1]

        if not table_contains(allowed_redirect_uris, redirect_uri) then
          response_params = 
            [ERROR] = "invalid_request",
            error_description = "Invalid " .. REDIRECT_URI .. " that does " ..
              "not match with any redirect_uri created "  ..
              "with the application"
          
        end