Get consumer username from basic auth username

ric...@zschech.net

Sep 5, 2017, 12:39:33 PM
to Kong
Hi,

I am implementing a user forgot password workflow. Given the user's basic auth username (email address in my case) how do I get the consumer username? I don't see any CRUD API to get this information. The consumer username and basic auth username are not the same in my case.


But I don't know what xxx is.



Thanks for any help you can offer,
From Richard.

JP Keenan

Sep 15, 2017, 12:42:51 PM
to Kong
Hi Richard-

There is actually an easier way to get a list of all the consumers, their created_at date, custom_id, id, and username by going to http://kong:8001/consumers/

-JPK


On Tuesday, September 5, 2017 at 9:39:33 AM UTC-7, ric...@zschech.net wrote:
Hi,

I am implementing a user forgot password workflow. Given the user's basic auth username (email address in my case) how do I get the consumer username? I don't see any CRUD API to get this information. The consumer username and basic auth username are not the same in my case.

I can query by basic auth username with:


But I don't know what xxx is.

ric...@zschech.net

Sep 15, 2017, 1:36:12 PM
to Kong
Getting http://kong:8001/consumers/ doesn't give me the basic-auth usernames. I want the consumer's username looked up by their basic-auth username.

For example the consumer has username = "foo123" and a basic-auth username = "f...@example.com". Given "f...@example.com" I want to look up "foo123".

This is pretty much what basic-auth/access.lua does in do_authentication. It gets the basic-auth username from the authorization header, looks up the basic-auth credential, then looks up the consumer.

Thanks,
From Richard.

JP Keenan

Sep 15, 2017, 1:56:28 PM
to Kong
Hi Richard-

When you create a consumer with the basic auth plugin, there are 2 optional fields: username and custom_id. You must have a value for at least one of those.  

So, if you create a user with a command like
curl -d "username=bob&custom_id=0118999" http://localhost:8001/consumers/

When you go to :8001/consumers, you'll be returned:
{
    "data": [
        {
            "created_at": 1505493251000,
            "custom_id": "0118999",
            "id": "4d8cedeb-55c9-4eca-9473-a14ef8ea3000",
            "username": "bob"
        }
    ],
    "total": 1
}


Can you please provide the commands you run and their output so I can see what might be causing different results for you?

-JPK

ric...@zschech.net

Sep 18, 2017, 2:20:17 PM
to Kong
Hi JPK,

I'm not concerned about creating a consumer. It is working as expected:

curl -d "username=bob&custom_id=0118999" http://localhost:8001/consumers/
{"custom_id":"0118999","created_at":1505758380000,"username":"bob","id":"ec2f4f13-3c64-43f2-839d-6130a203d326"}

If I create a basic-auth credential it also works as expected:

{"created_at":1505758497000,"id":"bc3a8beb-38ee-47a2-93be-db356a02a3a6","username":"b...@example.com","password":"80e996a28837118198adbeff5e05acebf93a5e286bcaa6742c7a33447b1cbc4d5082c1f3a67d837ebc5c042167df098122657b0000938880341dd30ec8218415","consumer_id":"ec2f4f13-3c64-43f2-839d-6130a203d326"}

My problem is that given the email address (basic-auth username) "b...@example.com" I need to find the username (consumer username). Kong has no API that I can find to do this. Kong does this internally in basic-auth/access.lua.

Without Kong providing an API I would have to query all the consumers and then for each consumer query:


Hope this explains my problem.
Thanks,
From Richard.
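
The fallback Richard describes in this message (list every consumer, then ask each one for a basic-auth credential with the given username), written out in Python as an added example; it is not part of the original post and not Kong's code. `fetch` is a hypothetical HTTP GET helper, `fake_fetch` and its data are constructed so the block runs offline, the per-consumer URL is the `/consumers/xxx/basic-auth?username=` query quoted elsewhere in the thread, and the `next` paging field is an assumption about the list response.

```python
from urllib.parse import parse_qs, quote, urlsplit

ADMIN = "http://kong:8001"  # Admin API base URL as written in the thread


def find_consumer(fetch, basic_auth_username):
    """Return the consumer owning this basic-auth username, or None."""
    # fetch(url): hypothetical helper, HTTP GET returning the decoded JSON body.
    url = ADMIN + "/consumers/"
    while url:
        page = fetch(url)
        for consumer in page.get("data", []):
            creds = fetch("%s/consumers/%s/basic-auth?username=%s" % (
                ADMIN, consumer["id"], quote(basic_auth_username, safe="")))
            # Compare again client-side rather than trusting the filter alone.
            if any(c.get("username") == basic_auth_username
                   for c in creds.get("data", [])):
                return consumer
        url = page.get("next")  # assumption: list pages link to the next page
    return None


# Constructed sample data standing in for a Kong datastore.
CONSUMERS = [
    {"id": "ec2f4f13-3c64-43f2-839d-6130a203d326", "username": "bob"},
    {"id": "00000000-0000-0000-0000-000000000002", "username": "foo123"},
]
CREDENTIALS = {
    CONSUMERS[0]["id"]: ["bob@example.com", "bob@work.example.com"],
    CONSUMERS[1]["id"]: ["foo@example.com"],
}


def fake_fetch(url):
    """In-memory Admin API stand-in that serves one consumer per page."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    segments = [s for s in parts.path.split("/") if s]
    if segments == ["consumers"]:
        i = int(query.get("offset", ["0"])[0])
        body = {"data": CONSUMERS[i:i + 1], "total": len(CONSUMERS)}
        if i + 1 < len(CONSUMERS):
            body["next"] = "%s/consumers/?offset=%d" % (ADMIN, i + 1)
        return body
    hits = [u for u in CREDENTIALS.get(segments[1], [])
            if u == query["username"][0]]
    return {"data": [{"username": u, "consumer_id": segments[1]} for u in hits],
            "total": len(hits)}
```

The lookup costs one Admin API request per consumer and needs Admin API access, so it belongs in a back-end service rather than anything reachable by end users. A forgot-password page built on it should answer the same way whether or not the address was found.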

JP Keenan

Sep 18, 2017, 7:38:43 PM
to Kong
Hi Richard-

Thanks, I think I understand what you are trying to do now. When you create a user with basic Auth, a new table is added to your DB that holds the following records:
        id uuid,
        consumer_id uuid REFERENCES consumers (id) ON DELETE CASCADE,
        username text,
        password text,
        created_at timestamp without time zone default (CURRENT_TIMESTAMP(0) at time zone 'utc'),
        PRIMARY KEY (id)

From the Kong Admin API, you can look up users by their username using
curl http://localhost:8001/consumers/<username>


Or by their system generated ID
curl http://localhost:8001/consumers/<ID>

But you cannot look up users by custom_id. But, if I understand what you are trying to do correctly, I think it could be accomplished with a command along the lines of
curl http://localhost:8001/consumers/ | grep b...@example.com

The first part of the command will bring in a list of every consumer along with all of their information; then you pipe that into grep and look for the specific account you need to get information about.

Is this closer to what you are trying to do? 

ric...@zschech.net

Sep 18, 2017, 8:54:51 PM
to Kong
Yes, basic auth credentials are stored in a different table.

No, I'm not trying to look up a consumer by username: curl http://localhost:8001/consumers/<username>

No, I'm not trying to look up a consumer by custom_id: curl http://localhost:8001/consumers/ | grep b...@example.com

If you want the problem described at the table level, then I can do that.

The consumer table has a column username. The basicauth_credentials also has a column username. What I want to do is lookup the consumer.username by the basicauth_credentials username. For example:

select consumer.username from consumer join basicauth_credentials on consumer.id = basicauth_credentials.consumer_id where basicauth_credentials.username = 'b...@example.com'

Currently Kong doesn't do this join. It does two lookups, one for the basicauth_credentials by username, then the other by consumer by the consumer_id. Have you looked at how basic-auth/access.lua gets the consumer for the basic auth username?

I need to look up the consumer's username based on a given basicauth_credentials.username.

JP Keenan

Sep 19, 2017, 4:22:38 PM
to Kong
Hi Richard!

Unfortunately, there is not a way to do this directly through Kong.

However, you could create a mock API and point it to httpbin.org/get, enable basic-auth on that API, then pass in the credentials you have and look at the response to see the consumer-id. Not the most direct way, but this will also work for you.

-JPK

ric...@zschech.net

Sep 20, 2017, 9:18:18 AM
to Kong
Hi JPK,

I don't know the user's credentials, only their email address. As I said in the initial post I'm trying to implement a forgot password workflow.

Relying on an external service like httpbin is hardly a workable solution :-P The mock API would also have to be restricted so external parties couldn't use it to test credentials.

Do you have any other suggestions?

Cooper Marcus

Sep 20, 2017, 12:11:06 PM
to ric...@zschech.net, Kong
Richard, could you set the Consumer's Username or Custom ID to the user's email address? Or is that not a possibility in your situation?

--
You received this message because you are subscribed to the Google Groups "Kong" group.
To unsubscribe from this group and stop receiving emails from it, send an email to konglayer+unsubscribe@googlegroups.com.
To post to this group, send email to kong...@googlegroups.com.
Visit this group at https://groups.google.com/group/konglayer.
To view this discussion on the web visit https://groups.google.com/d/msgid/konglayer/3385ea17-00e0-4656-a03f-7618161ab649%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

ric...@zschech.net

Sep 20, 2017, 4:43:48 PM
to Kong
The consumer can potentially have multiple email addresses stored in the basicauth_credentials table, so we couldn't store them in the username or custom id.


Cooper Marcus

Sep 20, 2017, 5:03:17 PM
to ric...@zschech.net, Kong
If the consumer with email address a...@123.com went through the "forgot password" flow you are seeking, would you expect that the password associated with all their basic-auth credentials be changed? Or just one of those credentials? If all their credentials, would they all get the same password, or different passwords?


ric...@zschech.net

Sep 20, 2017, 7:46:53 PM
to Kong
Good question, my initial reaction would be to only the basic-auth credentials in question as it is only that email that would go through the verification and password reset process. If needed it would be simple enough to update all the other basic-auth credentials, if I can determine the consumer id, by querying kong for http://kong:8001/consumer/xxx/basic-auth, looping over the result and then patching the password.

The problem still stands as how to query kong for the consumer id xxx given the email address.

Thibault Charbonnier

Nov 2, 2017, 6:18:44 PM
to kong...@googlegroups.com
Hi Richard,

You may care to know that there has been some activity around that area
recently, and some community members are investing time and effort to
provide friendlier endpoints for plugins that store credentials (like
basic-auth).

As of today, we've just merged #2955:

https://github.com/Kong/kong/pull/2955

Which introduces the following endpoint for key-auth:

/key-auths/:credential_key_or_id/consumer

This endpoint can be used to retrieve a Consumer from a Key credential's
'key', or 'id'.

The author, @hbagdi also volunteered to implement the same endpoint for
other plugins, including basic-auth. You can find the PR here:

https://github.com/Kong/kong/pull/2998

You may care to comment or give your thoughts in the PR thread :)

Regards,
Thibault

On 9/20/17 4:46 PM, ric...@zschech.net wrote:
> Good question, my initial reaction would be to only the basic-auth
> credentials in question as it is only that email that would go through
> the verification and password reset process. If needed it would be
> simple enough to update all the other basic-auth credentials, if I can
> determine the consumer id, by querying kong for
> http://kong:8001/consumer/xxx/basic-auth, looping over the result and
> then patching the password.
>
> The problem still stands as how to query kong for the consumer id xxx
> given the email address.
>
>
>
>
> On Wednesday, September 20, 2017 at 5:03:17 PM UTC-4, Cooper Marcus wrote:
>
> If the consumer with email address a...@123.com went
> through the "forgot password" flow you are seeking, would you expect
> that the password associated with all their basic-auth credentials
> be changed? Or just one of those credentials? If all their
> credentials, would they all get the same password, or different
> passwords?
>
> On Tuesday, September 5, 2017 at 9:39:33 AM UTC-7, ric...@zschech.net wrote:
>
> Hi,
>
> I am implementing a user forgot password workflow. Given the user's basic auth username (email address in my case) how do I get the consumer username? I don't see any CRUD API to get this information. The consumer username and basic auth username are not the same in my case.
>
> I can query by basic auth username with:
>
> http://kong:8001/consumers/xxx/basic-auth?username=f...@example.com
>
> But I don't know what xxx is.
>
> http://kong:8001/consumers/basic-auth?username=f...@example.com
>
> Thanks for any help you can offer,
> From Richard.
>

ric...@zschech.net

Nov 2, 2017, 7:26:06 PM
to Kong
2998 is precisely what I want. Thanks!