Key Authentication broken in 0.10.3 and 0.11.0 #2874

Closed
prem911 opened this issue Sep 8, 2017 · 5 comments

prem911 commented Sep 8, 2017

Summary

Providing correct apikey gives HTTP 401 and response
{
"message": "No API key found in request"
}

Steps To Reproduce

  1. http POST localhost:8001/apis name=httpbin uris=/products upstream_url=http://httpbin.org
  2. http POST localhost:8001/apis/httpbin/plugins name=key-auth
  3. http POST localhost:8001/consumers username=tieske
  4. http POST localhost:8001/consumers/tieske/key-auth key=big_secret
  5. http GET http://localhost:8000/products apikey:big_secret throws 401 with "message": "No API key found in request"

Additional Details & Logs

  • Kong version ($ kong version) - 0.10.3 and 0.11.0
  • Kong debug-level startup logs ($ kong start --vv)
  • Kong error logs (<KONG_PREFIX>/logs/error.log)
  • Kong configuration (registered APIs/Plugins & configuration file)
  • Operating System - Ubuntu 16.04. Kong running in Docker

Kong has been installed using docker. Using postgres which has been installed using docker.

Contributor

p0pr0ck5 commented Sep 8, 2017

@prem911 you may want to check the usage of http (the httpie application). By default, credentials are read from the query string, or request headers; you seem to be attempting to send creds via a body k/v pair, but GET requests typically do not send request bodies. May I suggest you try sending the key as a request header, or query string param? Please consult the httpie docs in this case. Thanks!

Author

prem911 commented Sep 9, 2017

Thanks @p0pr0ck5
Maybe I was not clear in my steps. Let me explain it and use curl instead of httpie.

Global key-auth plugin

curl -i http://kong:8001/plugins/7ac1001a-1112-45ee-bc85-2f11ead0e2b3

{"created_at":1504879360000,"config":{"hide_credentials":false,"anonymous":"","key_in_body":false,"key_names":["function"]},"id":"7ac1001a-1112-45ee-bc85-2f11ead0e2b3","enabled":true,"api_id":"d75616f5-2f19-425e-8164-7a53d6f1ee80","name":"key-auth"}

Note that key_in_body is false

API

curl -i http://kong:8001/apis/httpbin

{"created_at":1504878764000,"strip_uri":true,"id":"d75616f5-2f19-425e-8164-7a53d6f1ee80","hosts":["example.com"],"name":"httpbin","http_if_terminated":false,"https_only":false,"retries":5,"uris":["\/products"],"preserve_host":false,"upstream_connect_timeout":60000,"upstream_read_timeout":60000,"upstream_send_timeout":60000,"upstream_url":"http:\/\/httpbin.org"}

API and plugin

curl -i http://kong:8001/apis/httpbin/plugins

{"total":1,"data":[{"created_at":1504879360000,"config":{"hide_credentials":false,"anonymous":"","key_in_body":false,"key_names":["function"]},"id":"7ac1001a-1112-45ee-bc85-2f11ead0e2b3","enabled":true,"api_id":"d75616f5-2f19-425e-8164-7a53d6f1ee80","name":"key-auth"}]}

Consumer

curl -i http://kong:8001/consumers/prem

{"created_at":1504879429000,"username":"prem","id":"61a4993d-515d-4cab-a920-b52a7b297026"}

Consumer's key-auth

curl -i http://kong:8001/consumers/prem/key-auth

{"total":1,"data":[{"id":"50f1495e-3e8d-43ce-b360-c6a7941cc7ee","created_at":1504879492000,"key":"key1","consumer_id":"61a4993d-515d-4cab-a920-b52a7b297026"}]}

So, we have the api /products with a key-auth plugin enabled and a consumer with the same plugin.

API TEST

curl -i http://kong:8000/products?apikey=key1 

results in
{"message":"No API key found in request"}

I have done all the steps as per the documentation. Let me know if I have missed something.
This is too big an error to be missed out by Kong and that too in 2 releases.


macedogm commented Sep 11, 2017 via email

Author

prem911 commented Sep 11, 2017

Thanks @macedogm. Not sure how "function" was inserted. It may be done by Kong-dashboard.
However, on changing it to apikey, the APIs have started working like a charm.
Once again, thanks a lot and have a great day!

@prem911 prem911 closed this as completed Sep 11, 2017
@thibaultcha
Member

@macedogm Thank you for giving your insight and helping on here!

> It may be done by Kong-dashboard.

That is very likely indeed.
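An added example, not part of the thread and not Kong's code: a small check that takes the plugin listing quoted above and a request URL, and reports whether the request carries a key under any configured `key_names` entry. The function names are hypothetical, and the lookup is a simplified model that covers only the header and query-string locations mentioned in the thread.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Plugin listing copied from the /apis/httpbin/plugins response quoted in the thread.
PLUGINS_JSON = '{"total":1,"data":[{"created_at":1504879360000,"config":{"hide_credentials":false,"anonymous":"","key_in_body":false,"key_names":["function"]},"id":"7ac1001a-1112-45ee-bc85-2f11ead0e2b3","enabled":true,"api_id":"d75616f5-2f19-425e-8164-7a53d6f1ee80","name":"key-auth"}]}'


def key_auth_configs(plugins_json):
    """Return the config of every enabled key-auth plugin in an Admin API listing."""
    listing = json.loads(plugins_json)
    return [p["config"] for p in listing.get("data", [])
            if p.get("name") == "key-auth" and p.get("enabled", True)]


def find_key(config, url, headers=None):
    """Return (location, name, value) for the first configured key name present.

    Assumption: simplified model, header names compared case-insensitively,
    query parameters compared exactly; body lookup is not modelled.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    query = parse_qs(urlsplit(url).query)
    for name in config.get("key_names", []):
        if name.lower() in headers:
            return ("header", name, headers[name.lower()])
        if name in query:
            return ("query", name, query[name][0])
    return None


def diagnose(plugins_json, url, headers=None):
    """Explain, per key-auth plugin, whether the request carries a recognised key."""
    findings = []
    for config in key_auth_configs(plugins_json):
        hit = find_key(config, url, headers)
        if hit:
            findings.append(f"key found in {hit[0]} '{hit[1]}'")
        else:
            findings.append("no key found: request must use one of "
                            f"{config.get('key_names')} as header or query parameter")
    return findings


if __name__ == "__main__":
    # The failing request from the thread, checked against the quoted config.
    for line in diagnose(PLUGINS_JSON, "http://kong:8000/products?apikey=key1"):
        print(line)
```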
