The Wayback Machine - https://web.archive.org/web/20210816120416/https://github.com/Kong/kong/issues/5067
Unable to generate KONG client credentials on HTTP protocol. #5067

Open
tauseen2 opened this issue Sep 25, 2019 · 6 comments

Comments


@tauseen2 tauseen2 commented Sep 25, 2019

Can anyone please help me out? I'm getting an error while generating KONG client credentials on HTTP port 8000.

{ "error_description": "You must use HTTPS", "error": "access_denied" }

I have added trusted_ips = 0.0.0.0/0,::/0 in kong.conf also, but it didn't work.

Member

@bungle bungle commented Sep 25, 2019

Yes, the OAuth 2.0 plugin only allows HTTPS, or HTTP if HTTPS was terminated and an X-Forwarded-Proto header (added by a trusted source, or you trust all sources, e.g. added by the client) with a value of https was added.


@choaryzhang choaryzhang commented Sep 26, 2019

Please review the following code, maybe you can fix it easily!

```lua
--- Checks whether a request is https or was originally https (but already
-- terminated). It will check in the current request (global `ngx` table). If
-- the header `X-Forwarded-Proto` exists
-- with value `https` then it will also
-- be considered as an https connection.
-- @param trusted_ip boolean indicating if the client is a trusted IP
-- @param allow_terminated if truthy, the `X-Forwarded-Proto` header will be checked as well.
-- @return boolean or nil+error in case the header exists multiple times
_M.check_https = function(trusted_ip, allow_terminated)
  if ngx.var.scheme:lower() == "https" then
    return true
  end

  if not allow_terminated then
    return false
  end

  -- if we trust this IP, examine its X-Forwarded-Proto header
  -- otherwise, we fall back to relying on the client scheme
  -- (which was either validated earlier, or we fall through this block)
  if trusted_ip then
    local scheme = ngx.req.get_headers()["x-forwarded-proto"]

    -- we could use the first entry (lower security), or check the contents of
    -- each of them (slow). So for now defensive, and error
    -- out on multiple entries for the x-forwarded-proto header.
    if type(scheme) == "table" then
      return nil, "Only one X-Forwarded-Proto header allowed"
    end

    return tostring(scheme):lower() == "https"
  end

  return false
end
```
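A Python model of the check quoted above, combined with the trusted-IP decision that feeds its `trusted_ip` argument, added here as an example (it is not Kong's code and not from any commenter). It assumes `trusted_ip` comes from matching the peer address against the `trusted_ips` CIDR list; the function names, sample addresses and cases are constructed.

```python
import ipaddress

def is_trusted(peer_ip, trusted_cidrs):
    """True if the connecting peer falls inside any trusted_ips CIDR block."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs)

def check_https(scheme, peer_ip, xfp, trusted_cidrs, allow_terminated):
    """Model of the quoted check; returns (ok, err).

    xfp is the list of X-Forwarded-Proto header values received (may be empty).
    """
    if scheme.lower() == "https":
        return True, None
    if not allow_terminated:
        return False, None
    # The header is consulted only when the peer is a trusted source.
    if is_trusted(peer_ip, trusted_cidrs):
        if len(xfp) > 1:
            return None, "Only one X-Forwarded-Proto header allowed"
        return (bool(xfp) and xfp[0].lower() == "https"), None
    return False, None

# Constructed sample values: a documentation-range client and a private proxy.
CLIENT, PROXY = "203.0.113.7", "10.0.0.5"
PROXY_ONLY = ["10.0.0.0/8"]
TRUST_ALL = ["0.0.0.0/0", "::/0"]  # the trusted_ips value from the issue

CASES = [
    ("termination not allowed, header ignored", ("http", CLIENT, ["https"], TRUST_ALL, False)),
    ("trusted proxy forwards https", ("http", PROXY, ["https"], PROXY_ONLY, True)),
    ("untrusted client sends the header", ("http", CLIENT, ["https"], PROXY_ONLY, True)),
    ("trust-all: client-supplied header counts", ("http", CLIENT, ["https"], TRUST_ALL, True)),
    ("trust-all but no header present", ("http", CLIENT, [], TRUST_ALL, True)),
    ("duplicate header from trusted proxy", ("http", PROXY, ["https", "http"], PROXY_ONLY, True)),
]

def run_cases():
    """Evaluate every constructed case and return {name: (ok, err)}."""
    return {name: check_https(*args) for name, args in CASES}

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:45} -> {result}")
```

With the trust-all list, the header value is accepted from any peer, so the HTTPS requirement then rests entirely on what the sender claims; restricting `trusted_ips` to the terminating proxy keeps the check meaningful.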


@scorphus scorphus commented Sep 30, 2019

I'd like to fix this issue, I'll be grateful for any further tips on where to start.

Thanks!

Friendly /cc @bungle


@abimarank abimarank commented Oct 21, 2019

@scorphus Have you fixed this issue?


@scorphus scorphus commented Oct 22, 2019

@abimarank still finding my way around it. Do you have any tips?

/cc @thibaultcha 🙂


@preeti13456 preeti13456 commented Nov 4, 2019

1. While using Docker we have the option to choose from https and http when creating an instance using an image in a container; this will remove the error.
2. Not using the nginx proxy server will remove this error because it works only with http response.
3. GraphQL API should be used on the client side.
