-
-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Static/dynamic $session_secret dilemma #213
Comments
It looks as if you were setting |
My apologies for not making it clear, In the example configuration provided, |
As a side note, the module's It is just the |
Also, answering my earlier question, switching to |
Based on 2. (an explicit secret being set) I don't think the problem is with the session backend, I suspect some confusion with the hostname in the URL that is being accessed and the redirect URI that is constructed. |
Stefan, Hans, |
thank you for reporting so this issue can guide people with the same problem to the solution! |
@archzone Can you share me the version of Your solution is for the both scenario 1 and 2 ? |
I am running the same SSO scenario but swapping Apache
mod_auth_openidc
with its Nginxlua-resty-openidc
equivalent. Now I have a dilemma with regard toset $session_secret [secret]
configuration innginx.conf
where neither of the two options can get past authentication:$session_secret
is not set, i.e. random value is generated dynamically every time, the final callback to theredirect_uri
fails withauthenticate(): request to the redirect_uri path but there's no session state found
(the final call to the IDP is not even attempted).$session_secret
is assigned to a static value, the final callback to theredirect_uri
fails withresponse indicates failure, status=400, body={"error":"invalid_grant","error_description":"Code not valid"}
(IDP is called but complains that the code has already been used for user session).The
$session_secret
parameter was discussed in #30 and #39, and as far as I understand, has the same meaning asOIDCCryptoPassphrase
on Apache. The swap to Nginx is the only delta in my environment, so whichlua-resty-openidc
or Nginx settings am I missing to make SSO work, just like with Apache?Could switching to alternative
$session_storage
methods help resolve the issue?Environment
Expected behaviour
The final callback to the
redirect_url
Ok's authentication and redirects to the requested URL.Actual behaviour
The user successfully authenticates to the IDP (confirmed) but cannot be redirected to the origin.
Minimized example
set $session_storage cookie;
set $session_secret [secret]; # commented out in scenario 1
set $session_cookie_httponly on;
set $session_cookie_persistent on;
location /private {
access_by_lua_block {
local opts = {
discovery = [url],
redirect_uri_scheme = "http",
redirect_uri = "/private/callback",
client_id = [id],
client_secret = [secret],
scope = "openid"
}
local res, err = require("resty.openidc").authenticate(opts);
if err then
ngx.status = 403;
ngx.log(ngx.STDERR, err);
ngx.exit(ngx.HTTP_FORBIDDEN);
end
}
try_files $uri $uri/ /index.html;
}
Configuration and Nginx server log files
[Scenario 1: $session_secret is not defined]
2018/10/21 15:50:00 [error] 25636#8168: *1 [lua] openidc.lua:1301: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.1, server: proxyhost, request: "GET /private/callback?state=355a5d4cb33cdda3f6de6535833f8fb0&session_state=7fd771ca-2c10-43de-8017-0c7a6224e3ce&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..70Gw4W-nh4ese1a0n1rugw.jSroxxVfwyOsMZb1R_cFcl3ixkvkqBJzwLyoE1qKuo8fxYZs6rgQN6k_KSnF-34UZGboHFdn2tqRsq14s1vngDMidsw83ROGZZWyVUD1c13E2G7MO_pOtL-3RDgXungeDIJzhV3yeW5gs92VfZTg0jtFKkUxJuXTyoF2BBo20MDwg7DMMfNH8RHOxT5VIa1yOA3O-uNNr-OhkSeLihbqJ4saw2It3h2lF7Nbx9gZgcv49W9LrFsVB2uioakZ_kza.EuRchB2Q123Ju0Gpcak7ow HTTP/1.1", host: "proxyhost:8180", referrer: "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=355a5d4cb33cdda3f6de6535833f8fb0&redirect_uri=http%3A%2F%2Fproxyhost%3A8180%2Fprivate%2Fcallback&nonce=3525ec78a97c82f18955cdaa41eb5a7d&scope=openid"
2018/10/21 15:50:00 [] 25636#8168: *1 [lua] access_by_lua(broker-pro.conf:111):26: request to the redirect_uri path but there's no session state found, client: 127.0.0.1, server: proxyhost, request: "GET /private/callback?state=355a5d4cb33cdda3f6de6535833f8fb0&session_state=7fd771ca-2c10-43de-8017-0c7a6224e3ce&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..70Gw4W-nh4ese1a0n1rugw.jSroxxVfwyOsMZb1R_cFcl3ixkvkqBJzwLyoE1qKuo8fxYZs6rgQN6k_KSnF-34UZGboHFdn2tqRsq14s1vngDMidsw83ROGZZWyVUD1c13E2G7MO_pOtL-3RDgXungeDIJzhV3yeW5gs92VfZTg0jtFKkUxJuXTyoF2BBo20MDwg7DMMfNH8RHOxT5VIa1yOA3O-uNNr-OhkSeLihbqJ4saw2It3h2lF7Nbx9gZgcv49W9LrFsVB2uioakZ_kza.EuRchB2Q123Ju0Gpcak7ow HTTP/1.1", host: "proxyhost:8180", referrer: "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=355a5d4cb33cdda3f6de6535833f8fb0&redirect_uri=http%3A%2F%2Fproxyhost%3A8180%2Fprivate%2Fcallback&nonce=3525ec78a97c82f18955cdaa41eb5a7d&scope=openid"
[Scenario 2: $session_secret is defined]
2018/10/21 16:07:31 [debug] 27300#23880: *5 [lua] openidc.lua:449: call_token_endpoint(): token endpoint response: {"error":"invalid_grant","error_description":"Code not valid"}
2018/10/21 16:07:31 [] 27300#23880: *5 [lua] access_by_lua(broker-pro.conf:111):25: response indicates failure, status=400, body={"error":"invalid_grant","error_description":"Code not valid"}, client: 127.0.0.1, server: proxyhost, request: "GET /private/callback?state=c83e67734288120fab71bb8b40f4dc7c&session_state=d859e6b3-0a4d-4e9f-95f2-d42c01889c38&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ioQiOFlBzqkOt6G_3ju7dg.tbmGxnrrU2wDg447b9kTEgZDwSDcwOcfYdHOKF58J179HVYTcrx-3zRVORRveqa-8hQAnuFH0tRWUKtXAp-o2ckhG-5AebhWLDtlMlpej54fZKfWjye_UehOOp231hEjDdLcioqR_nHFoqTMDgOyiS_iikUdNPLqHpINA1neSzpddT9vby8f9oAXs_wDfnVzEq17poYvJ7Pu2a8oA5H-8egHQIqukasZclxg07sOG2s3LZIePfAMeA2AdKHFd5__.lpyDyPduufhy_Qf-TVP5jw HTTP/1.1", host: "proxyhost:8180", referrer: "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=c83e67734288120fab71bb8b40f4dc7c&redirect_uri=http%3A%2F%2Fproxyhost%3A8180%2Fprivate%2Fcallback&nonce=70da8cfe3489487e03ed441cc2dc194a&scope=openid"
The text was updated successfully, but these errors were encountered: