Static/dynamic $session_secret dilemma

[archzone]

I am running the same SSO scenario but swapping Apache mod_auth_openidc with its Nginx lua-resty-openidc equivalent. Now I have a dilemma with regard to set $session_secret [secret] configuration in nginx.conf where neither of the two options can get past authentication:

• If $session_secret is not set, i.e. random value is generated dynamically every time, the final callback to the redirect_uri fails with authenticate(): request to the redirect_uri path but there's no session state found (the final call to the IDP is not even attempted).
• If $session_secret is assigned to a static value, the final callback to the redirect_uri fails with response indicates failure, status=400, body={"error":"invalid_grant","error_description":"Code not valid"} (IDP is called but complains that the code has already been used for user session).

The $session_secret parameter was discussed in #30 and #39, and as far as I understand, has the same meaning as OIDCCryptoPassphrase on Apache. The swap to Nginx is the only delta in my environment, so which lua-resty-openidc or Nginx settings am I missing to make SSO work, just like with Apache?

Could switching to alternative $session_storage methods help resolve the issue?

Environment

• lua-resty-openidc version: 1.7.0
• Nginx version: OpenResty 1.13.6.2
• platform/distro: Win64/OpenResty

Expected behaviour

The final callback to the redirect_url Ok's authentication and redirects to the requested URL.

Actual behaviour

The user successfully authenticates to the IDP (confirmed) but cannot be redirected to the origin.

Minimized example

set $session_storage cookie;
set $session_secret [secret]; # commented out in scenario 1
set $session_cookie_httponly on;
set $session_cookie_persistent on;

location /private {
access_by_lua_block {
local opts = {
discovery = [url],
redirect_uri_scheme = "http",
redirect_uri = "/private/callback",
client_id = [id],
client_secret = [secret],
scope = "openid"
}
local res, err = require("resty.openidc").authenticate(opts);
if err then
ngx.status = 403;
ngx.log(ngx.STDERR, err);
ngx.exit(ngx.HTTP_FORBIDDEN);
end
}
try_files $uri $uri/ /index.html;
}

Configuration and Nginx server log files

[Scenario 1: $session_secret is not defined]
2018/10/21 15:50:00 [error] 25636#8168: *1 [lua] openidc.lua:1301: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.1, server: proxyhost, request: "GET /private/callback?state=355a5d4cb33cdda3f6de6535833f8fb0&session_state=7fd771ca-2c10-43de-8017-0c7a6224e3ce&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..70Gw4W-nh4ese1a0n1rugw.jSroxxVfwyOsMZb1R_cFcl3ixkvkqBJzwLyoE1qKuo8fxYZs6rgQN6k_KSnF-34UZGboHFdn2tqRsq14s1vngDMidsw83ROGZZWyVUD1c13E2G7MO_pOtL-3RDgXungeDIJzhV3yeW5gs92VfZTg0jtFKkUxJuXTyoF2BBo20MDwg7DMMfNH8RHOxT5VIa1yOA3O-uNNr-OhkSeLihbqJ4saw2It3h2lF7Nbx9gZgcv49W9LrFsVB2uioakZ_kza.EuRchB2Q123Ju0Gpcak7ow HTTP/1.1", host: "proxyhost:8180", referrer: "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=355a5d4cb33cdda3f6de6535833f8fb0&redirect_uri=http%3A%2F%2Fproxyhost%3A8180%2Fprivate%2Fcallback&nonce=3525ec78a97c82f18955cdaa41eb5a7d&scope=openid"
2018/10/21 15:50:00 [] 25636#8168: *1 [lua] access_by_lua(broker-pro.conf:111):26: request to the redirect_uri path but there's no session state found, client: 127.0.0.1, server: proxyhost, request: "GET /private/callback?state=355a5d4cb33cdda3f6de6535833f8fb0&session_state=7fd771ca-2c10-43de-8017-0c7a6224e3ce&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..70Gw4W-nh4ese1a0n1rugw.jSroxxVfwyOsMZb1R_cFcl3ixkvkqBJzwLyoE1qKuo8fxYZs6rgQN6k_KSnF-34UZGboHFdn2tqRsq14s1vngDMidsw83ROGZZWyVUD1c13E2G7MO_pOtL-3RDgXungeDIJzhV3yeW5gs92VfZTg0jtFKkUxJuXTyoF2BBo20MDwg7DMMfNH8RHOxT5VIa1yOA3O-uNNr-OhkSeLihbqJ4saw2It3h2lF7Nbx9gZgcv49W9LrFsVB2uioakZ_kza.EuRchB2Q123Ju0Gpcak7ow HTTP/1.1", host: "proxyhost:8180", referrer: "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=355a5d4cb33cdda3f6de6535833f8fb0&redirect_uri=http%3A%2F%2Fproxyhost%3A8180%2Fprivate%2Fcallback&nonce=3525ec78a97c82f18955cdaa41eb5a7d&scope=openid"

[Scenario 2: $session_secret is defined]
2018/10/21 16:07:31 [debug] 27300#23880: *5 [lua] openidc.lua:449: call_token_endpoint(): token endpoint response: {"error":"invalid_grant","error_description":"Code not valid"}
2018/10/21 16:07:31 [] 27300#23880: *5 [lua] access_by_lua(broker-pro.conf:111):25: response indicates failure, status=400, body={"error":"invalid_grant","error_description":"Code not valid"}, client: 127.0.0.1, server: proxyhost, request: "GET /private/callback?state=c83e67734288120fab71bb8b40f4dc7c&session_state=d859e6b3-0a4d-4e9f-95f2-d42c01889c38&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ioQiOFlBzqkOt6G_3ju7dg.tbmGxnrrU2wDg447b9kTEgZDwSDcwOcfYdHOKF58J179HVYTcrx-3zRVORRveqa-8hQAnuFH0tRWUKtXAp-o2ckhG-5AebhWLDtlMlpej54fZKfWjye_UehOOp231hEjDdLcioqR_nHFoqTMDgOyiS_iikUdNPLqHpINA1neSzpddT9vby8f9oAXs_wDfnVzEq17poYvJ7Pu2a8oA5H-8egHQIqukasZclxg07sOG2s3LZIePfAMeA2AdKHFd5__.lpyDyPduufhy_Qf-TVP5jw HTTP/1.1", host: "proxyhost:8180", referrer: "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=c83e67734288120fab71bb8b40f4dc7c&redirect_uri=http%3A%2F%2Fproxyhost%3A8180%2Fprivate%2Fcallback&nonce=70da8cfe3489487e03ed441cc2dc194a&scope=openid"

[bodewig]

$session.secret seems to be the equivalent of OIDCCryptoPassphrase if I understand the latter correctly. It is the secret used to encrypt session state. If there is only one instance of lua-resty-openidc then there often is no reason to configure it explicitly.

It looks as if you were setting opts.client_secret to the same value as well, This is a completely different things and is equivalent to OIDCClientSecret in mod_auth_openidc.

[archzone]

My apologies for not making it clear, $session_secret and ops.client_secret were set to different values - to your point, they are completely different things. That aside, if the former is not set (given one instance), the module's authenticate() function complains that there's no session state found (Scenario 1).

In the example configuration provided, proxyhost is the reverse proxy where private URL is protected, and localhost is a frontend to the IDP. The latter works perfectly well with Apache, so it must be Nginx or lua-resty-openidc lacking proper configuration. Any suggestions?

[archzone]

As a side note, the module's introspect() function works well using OAuth 2.0 access token introspection endpoint for API access, in the same environment. This confirms lua-resty-openidc working in principle.

It is just the authenticate() function struggling to find session state at SSO login. Please help!

[archzone]

Also, answering my earlier question, switching to set $session_storage redis to use external Redis server did not have any effect on the problem: the module still complains with no session state found error.

[zandbelt]

Based on 2. (an explicit secret being set) I don't think the problem is with the session backend, I suspect some confusion with the hostname in the URL that is being accessed and the redirect URI that is constructed.

[archzone]

Stefan, Hans,
Thanks for paying attention. I solved the problem by installing lua-resty-hmac referenced in the lua-resty-jwt readme, i.e. the one which is compatible with OpenSSL 1.1.0 (which my instance of Nginx was built against). Previously, it was running with lua-resty-hmac compiled against OpenSSL 1.0.2.
-Alex

[zandbelt]

thank you for reporting so this issue can guide people with the same problem to the solution!

[aleboulanger]

@archzone Can you share me the version of lua-resty-hmac you've installed please ?
is it this one ? https://github.com/jkeys089/lua-resty-hmac. If it does, i can't update the current hmac version even if with the opm install jkeys089/lua-resty-hmac instruction and i have this kind of message
Package lua-resty-hmac-0.02 already installed.

Your solution is for the both scenario 1 and 2 ?