The OpenID Connect plugin is complex, so integrating with third-party identity providers can present challenges.
If you have issues with the OIDC plugin, try the following:
- Set Kong log level to
debug
, and check the Kongerror.log
(you can filter it withopenid-connect
):KONG_LOG_LEVEL=debug kong restart
- Set the Kong OpenID Connect plugin to display errors:
{ "config": { "display_errors": true } }
- Disable the Kong OpenID Connect plugin verifications and see if you get further, just for debugging purposes:
{ "config": { "verify_nonce": false, "verify_claims": false, "verify_signature": false } }
- See what kind of tokens the Kong OpenID Connect plugin gets:
{ "config": { "login_action": "response", "login_tokens": [ "tokens" ], "login_methods": [ "password", "client_credentials", "authorization_code", "bearer", "introspection", "userinfo", "kong_oauth2", "refresh_token", "session" ] } }
With session related issues, you can try to store the session data in Redis
or memcache
as that will make the session
cookie much smaller. It is rather common that big cookies do cause issues. You can also enable session
compression.
Also try to eliminate indirection as that makes it easier to find out where the problem is. By indirection, we mean other gateways, load balancers, NATs, and such in front of Kong. If there is such, you may look at using:
- port maps
-
X-Forwarded-*
headers