getting 500 request when trying to access /chuck API through Kong

[Mattzr]

Hi,

First of all - thanks for the amazing job for putting together this useful tutorial for integrating Keycloak and Kong.

I successfully setup the 2 with their respective configs (Chuck API protected by Nokia-OIDC plugin).

When I try to access the /chuck API I am well redirected to the keycloack login page, however after submitting the credentials, I am getting a 500 errors (browser and curl):

"request to the redirect_uri_path but there's no session state found" (and I can see the session cookies)

it looks like it's related to lua-resty-openidc and the session storage.
In your example are you experiencing the same at all ? Is there anything I am missing ?

Kong version: 0.11.1
kong-oidc: 1.0.4

Thanks !

[ncarlier]

Hi,

You are right. This is related to the session storage. I just updated the Kong Docker file to add configuration needed by the session manager: https://github.com/ncarlier/kong-integration-samples/blob/master/dockerfiles/kong/Dockerfile#L13

Can you rebuild the Kong Docker image (make compose-build) and try again ?

[Mattzr]

Thanks for quick reply. Trying again.

[Mattzr]

Looks better now !

But still having an error:

response indicates failure, status=400, body={"error":"invalid_grant","error_description":"Code not valid"}

[Mattzr]

Getting an error from Kong (when trying to call Keyloak):

2018/04/29 21:08:55 [debug] 54#0: *2493 [lua] http.lua:633: send_request():
POST /auth/realms/BackOffice/protocol/openid-connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10011
Content-Length: 559

2018/04/29 21:08:55 [debug] 54#0: *2493 [lua] openidc.lua:251: openidc_call_token_endpoint(): token endpoint response: {"error":"invalid_grant","error_description":"Code not valid"}

[ncarlier]

This seems to be more of a Keycloak configuration problem. Can you check in the KC admin console the redirection URL.
Note that the Keycloak hostname have to be the same inside the docker compose stack and outside (your internet browser). In the tutorial the hostname is keycloak.
Can you also check Keycloak logs?

[Mattzr]

I am using kubernetes for my Kong and Keycloak containers and they seem to be able to communicate fine using the internal dns or facing ingresses.

The problem is this authorization code. I will check the logs and post it here. Thanks again for your help

[Mattzr]

here is the error I am seeing from the keycloak pod:

14:30:28,552 WARN [org.keycloak.events] (default task-1) type=CODE_TO_TOKEN_ERROR, realmId=BackOffice, clientId=marlin, userId=null, ipAddress=10.12.5.17, error=expired_code, grant_type=authorization_code, code_id=37320e59-b062-4d94-8827-02fa6567fa86, client_auth_method=client-secret

And from Kong:

2018/05/02 14:32:34 [debug] 53#0: *1549283 [lua] openidc.lua:251: openidc_call_token_endpoint(): token endpoint response: {"error":"invalid_grant","error_description":"Code not valid"}

It looks like Kong is not passing the correct generated code.

[ncarlier]

"Expired code" means that the time to live of the code is over. Could you check if there is a time delta between the machines / containers (or a time-zone delta).

[Mattzr]

Good point. The time zone is the same but keycloak seems to be behind kong that might be skewing the TTL.

[Mattzr]

Ok the 2 servers have the same time zone and I can't see any time zone delta issues. However I have seen this line of logs:

15:57:25,134 WARN [org.keycloak.services.managers.CodeGenerateUtil] (default task-50) Code '0f9a80d9-304f-4210-87b6-d74714266d60' already used for userSession 'ff2bb760-9cc9-4341-bfe1-5568ca01bbf7' and client 'bb50fff1-31c4-4c68-a63f-5ac0f8abc9b9'.

I don't know if this is worrying. I might checkout the keycloack server and run it in my machine in debug mode and try to troubleshoot what's the problem because I think it's coming from keycloak

[Mattzr]

Ok I found the issue and it's now fixed.

After setting up keycloak and kong as per your configuration file, when I was trying to authenticate and get a valid response from chuck api - I was getting a 502 Bad Gateway error. This was raised by my nginx server (used as an ingress controller in k8s) complaining about the header being too big.

so I simply had to increase the buffer within my kubernetes nginx controller and it fixed the issue.

For the people facing the same issue here is a good article to help configuring your ingress nginx controller:
https://andrewlock.net/fixing-nginx-upstream-sent-too-big-header-error-when-running-an-ingress-controller-in-kubernetes/

Closing this, Thanks again for your help @ncarlier !

[ncarlier]

Good to know! You're welcome.

[mfiguereogbh]

Hi,

You are right. This is related to the session storage. I just updated the Kong Docker file to add configuration needed by the session manager: https://github.com/ncarlier/kong-integration-samples/blob/master/dockerfiles/kong/Dockerfile#L13

Can you rebuild the Kong Docker image (make compose-build) and try again ?

Thanks a lot! That fixed it.

[revolunet]

This thread helped me resolve a similar issue outside of kong but with keycloak + limited nginx proxy-buffer-size that caused {"error":"invalid_grant","error_description":"Code not valid"}.

Setting a higher limit on the frontend ingress fixed the issue

Thanks for your comments 💙