Kong: Getting info on credentials/tokens via refresh token does no longer work
Summary
In Kong < 1.0 it was possible to retrieve information on access tokens/credentials via the /oauth2_tokens endpoint, like this:
GET http://kong:8001/oauth2_tokens?refresh_token=fjhdsgfjkhdsgfdjhsfgjdf
This call now returns all access tokens instead of filtering by refresh_token.
Similarly, you could before filter by access_token via the query parameter; this has now turned into a GET /oauth2_tokens/<access token>; that works, but it does not work using the refresh_token.
Can we have the query by refresh token back?
Side note: There are a few end points, e.g. most plugin endpoints, which no longer support filtering. It used to be possible to add e.g. ?name=rate-limit to filter for rate limiting plugins; this does not work anymore either, you always get the full list back.
Additional Details & Logs
- Kong version (
$ kong version): 1.1.2-alpine - Operating system: Docker
DonMartin76
All 12 comments
Dug into the code and found out how this works in principle. The dao of the oauth2 plugin specifices endpoint_key = "access_token", so this is the only key which currently can be used to retrieve information on the token record via /oaut2_token/<access token>. Going via select_by_refresh_token would be necessary, but I am not firm enough in my Lua to be able to just add this :-(.
DonMartin76
on 2 May 2019
Yes, /oaut2_token/<access token>, perhaps this could be made to work like:
/oaut2_token/<access or refresh token>, if we consider access tokens to be unique among refresh tokens too (they should very rarely conflict).
With consumers we went with:
/consumers?custom_id=xxx making filtering by custom_id only available on collection endpoint.
bungle
on 2 May 2019
Yes, the /consumers endpoint behaviour remained the same as it was before, I think. Both solutions, using a ?refresh_token= query parameter (like before) or just checking both tokens via the same endpoint, should work; this would be super awesome to get back.
DonMartin76
on 2 May 2019
We can do necessary work and PR for this
maksimlikharev
on 6 May 2019
Another thing which is no longer working, but was useful: Querying for authenticated_userid, e.g. in order to display which sessions an authenticated user has, and e.g. allowing to delete them.
DonMartin76
on 20 Jul 2019
any eta on this? just ruined my session manager
lukasa1993
on 11 Nov 2019
+1 to filtering via authenticated_userid
ivanpk
on 4 Dec 2019
we put this issue into our board, we can start working on that in Feb
maksimlikharev
on 23 Jan 2020
@bungle - I need your input on this one,
according to your comment:
/oauth2_tokens/<access or refresh token>
currently DAO accepts only access_token and filters only by that, it is working as expected like:
/oauth2_tokens/xxxxx
but filtering is done by access_token obviously, we a bit confused how to select on 2 columns in DB.
Another obvious solution is to create new API just for refresh tokens, which at this point seems unreasonable. Any pointers you can provide to help us.
maksimlikharev
on 22 Feb 2020
@maksimlikharev so since we need to query by other parameters like authenticated_userid and probably they will be queried by specifically like ? authenticated_userid= you can do refresh_token like that as well
lukasa1993
on 22 Feb 2020
I think new way of DAO does not allow any query parameters only path argument, at least this is my observation from the code. I would like to have query arguments as well, but I'll wait for the Kong people to comment.
maksimlikharev
on 22 Feb 2020
+1
vivekpd15
on 14 Aug 2020
Related issues
plukevdh
路
52Comments
throrin19
路
39Comments
subnetmarco
路
97Comments
timusketeers
路
36Comments
jeremyjpj0916
路
81Comments
Most helpful comment
We can do necessary work and PR for this