with 1.7.1, session keeps being lost / reinitialized #249
Comments
would you have a server debug log as well?
@bodewig any clue?
well, https://github.com/mozilla-iam/mozilla.oidc.accessproxy/blob/master/etc/conf.d/openidc_layer.lua#L15 destroys the session whenever an error occurs - it might be a good idea to log the actual error. It is quite possible the error is related to the session change, but it could also be triggered by any other change between 1.6.1 and 1.7.1. As I haven't got any Auth0 or AWS setup to play with I have tried to hack @gdestuynder we really need to know what
Just a random idea. In one of my $work projects we use ORY Hydra which announces to support multiple token auth methods but the method you are expected to use is configured with the client. By default lua-resty-openidc picks the first method announced it supports, which may be the wrong one in our case. If Auth0 does something similar then it might announce This is just one example where
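The auth-method selection described in the comment above, as an added Lua sketch that is not code from lua-resty-openidc or the access proxy. `pick_auth_method`, `check`, the `CLIENT_SUPPORTED` set, and the discovery and registration values are hypothetical or constructed; the sketch shows how a first-announced default can differ from the method registered for the client at the OP, and how an explicitly configured method removes the mismatch.

```lua
-- Added illustration; not code from lua-resty-openidc or the access proxy.
-- Methods this sketch treats as implemented by the client (assumption).
local CLIENT_SUPPORTED = {
  client_secret_basic = true,
  client_secret_post = true,
  private_key_jwt = true,
}

-- Default described in the comment: take the first announced method the
-- client supports. An explicit `configured` value overrides the default,
-- but it must still be announced by the OP.
local function pick_auth_method(announced, configured)
  if configured then
    for _, m in ipairs(announced) do
      if m == configured then return m end
    end
    return nil, "configured method '" .. configured .. "' is not announced by the OP"
  end
  for _, m in ipairs(announced) do
    if CLIENT_SUPPORTED[m] then return m end
  end
  return nil, "no announced token endpoint auth method is supported"
end

-- Constructed discovery excerpt: the OP announces two methods.
local discovery = {
  token_endpoint_auth_methods_supported = { "client_secret_basic", "client_secret_post" },
}
-- Constructed client registration: the OP expects this method from the client.
local registered_at_op = "client_secret_post"

-- Returns true plus the method when the client's choice matches the
-- registration, or false plus a message that is worth logging.
local function check(configured)
  local picked, err = pick_auth_method(discovery.token_endpoint_auth_methods_supported, configured)
  if not picked then
    return false, err
  end
  if picked ~= registered_at_op then
    return false, "client would use '" .. picked .. "' but the OP expects '" .. registered_at_op .. "'"
  end
  return true, picked
end

print(check(nil))                   -- default: first announced method
print(check("client_secret_post"))  -- method pinned to the registration
```

Logging the message from the failing case before a wrapper destroys the session is what makes a mismatch like this visible in the server log.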
Workaround lua-resty-openidc bug zmartzone/lua-resty-openidc#249
This gets us mozilla-iam/mozilla.oidc.accessproxy#36 which works around the bug in zmartzone/lua-resty-openidc#249
Any progress on this one?
Hi,
thus as per #249 (comment) we most likely need to configure
In this case lua-resty-openidc picks
I got these from @fiji-flo :)
it doesn't provide
The only thing we can see in this log is "there is no session" but not why there is none. I don't see any of the log messages that would be associated with lua-resty-openidc creating/refreshing new sessions. What we also see is the logout function being invoked, which is something your code must be doing as the normal We probably need to see the log from the point before the initial redirection to the OP happens until this error state occurs.
yes the code will definitely call logout when err is set / when there's no session
any news on this?
closing this for lack of information
Environment
Expected behaviour
Web site authenticates the user and the session of the user is kept until the session expires
Actual behaviour
Web site re-authenticates the user for every single request
Minimized example
and browse to localhost
Notes
Reverting to 1.6.1 fixes that behavior. I haven't looked at what changed exactly, I suspect due to session:start() changes or some of the race condition fixes though.
Or, alternatively, maybe the session should be set up differently before calling the library (in which case a change in the readme would be nice).