Disable HTTPS for OAuth


Luiz Omori

Mar 28, 2016, 1:54:13 PM
to Kong
Hi,

Is there a way to disable the HTTPS requirement for OAuth2?

I found the following code in access.lua and tried to set accept_http_if_already_terminated to true and add the x-forwarded-proto header set to https, but it didn't work. Same error: {"error_description":"You must use HTTPS","error":"access_denied"}

    local HTTPS = "https"  -- scheme constant the check compares against

    -- Returns true when the request arrived over TLS, or when TLS was
    -- terminated upstream and the plugin is configured to trust the
    -- X-Forwarded-Proto header that the terminating proxy sets.
    local function is_https(conf)
      local result = ngx.var.scheme:lower() == HTTPS
      if not result and conf.accept_http_if_already_terminated then
        local forwarded_proto_header = ngx.req.get_headers()["x-forwarded-proto"]
        result = forwarded_proto_header and forwarded_proto_header:lower() == HTTPS
      end
      return result
    end

Other options would be:

1) Obviously, apply HTTPS: my problem here is that this is a test system and I won't have a valid signed certificate which means that I will need to fiddle with my test clients in order to make them accept that certificate.
2) Recompile the code with that check always returning true. NOOB here, so I'm trying to avoid that too.

Cheers,
Luiz
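The following is an added example, not code from the thread or from Kong itself: it runs the is_https check quoted above outside of Kong by stubbing the global ngx object (an assumption: only ngx.var.scheme and ngx.req.get_headers are needed), so you can see exactly which combinations of scheme, header and accept_http_if_already_terminated make the plugin accept a request.

```lua
-- Added example (not from the thread or Kong): exercises the oauth2 plugin's
-- is_https logic with a stubbed `ngx` so it runs under plain lua/luajit.
local HTTPS = "https"

-- Minimal stand-in for OpenResty's global `ngx` (assumption: is_https only
-- touches ngx.var.scheme and ngx.req.get_headers()).
local function fake_ngx(scheme, headers)
  return {
    var = { scheme = scheme },
    req = { get_headers = function() return headers end },
  }
end

-- Same function as quoted from access.lua; `conf` is the plugin config.
local function is_https(conf)
  local result = ngx.var.scheme:lower() == HTTPS
  if not result and conf.accept_http_if_already_terminated then
    local forwarded_proto_header = ngx.req.get_headers()["x-forwarded-proto"]
    result = forwarded_proto_header and forwarded_proto_header:lower() == HTTPS
  end
  return result
end

local on  = { accept_http_if_already_terminated = true }
local off = { accept_http_if_already_terminated = false }

-- {scheme seen by Kong, request headers, plugin config, expected verdict}
local cases = {
  { "https", {},                                  off, true  },
  { "http",  {},                                  off, false },
  -- the header alone is ignored unless the plugin config opts in
  { "http",  { ["x-forwarded-proto"] = "https" }, off, false },
  { "http",  { ["x-forwarded-proto"] = "https" }, on,  true  },
  { "http",  { ["x-forwarded-proto"] = "HTTPS" }, on,  true  },
  { "http",  { ["x-forwarded-proto"] = "http"  }, on,  false },
}

for i, c in ipairs(cases) do
  ngx = fake_ngx(c[1], c[2])            -- install the stub as the global
  local got = is_https(c[3]) and true or false   -- nil and false both reject
  assert(got == c[4], "case " .. i .. " failed")
end
print("all " .. #cases .. " cases behave as expected")
```

Because the header is all the check has to go on once the flag is set, it is only safe when the TLS-terminating proxy in front of Kong overwrites X-Forwarded-Proto itself rather than passing through whatever the client sent.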

Ash Christopher

Mar 29, 2016, 10:42:01 AM
to Kong
Hey Luiz,

There are a number of services that offer free certificates. Might be better to go that route rather than removing security from Kong. Check out https://letsencrypt.org/

Ash

Luiz Omori

Mar 29, 2016, 1:02:02 PM
to Kong
Thanks Ash, I will check that site. Yeah, this is for some prototyping, I wouldn't remove that for production.

Regards,
Luiz

Marco

Mar 29, 2016, 3:19:43 PM
to Luiz Omori, Kong
Hello,

A secure transport is required by the OAuth 2.0 specification, so disabling HTTPS will break the spec. I would recommend using a certificate too. On a side note, I would also recommend having the same setup in a staging environment (with SSL like in production) to avoid unexpected surprises and to have a 1-to-1 environment in both staging and prod.

Cheers

Marco Palladino | CTO @ Mashape | mashape.com | +1 (415) 361-3858
