Pin version of lua-resty-openidc

[thomasleplus]

          @thomasleplus : thank you very much!

I tested the updates and I get an error error opening session (missing session audience) on return from authentication. ~The error seems to be introduced by the change from openresty:1.25.3.1 -> 1.25.3.2 (FROM openresty/openresty:1.25.3.1-alpine-fat@sha256:17868b5ec232561bc64862160296c3f8480650bc4cbc19b88e056750bd78f527 to FROM openresty/openresty:1.25.3.2-alpine-fat@sha256:aa8ea52fa35a296558aed8b392fb39d575e39dd4a7717fa44f1fd6fc09c1185d).~ At least if I change that line back, it seems to work again. I will have a look, if I see the problem.

Edit:

• The problem seems to be, that https://github.com/zmartzone/lua-resty-openidc updated to v1.8.0 in the meanwhile
• They incorporate the v4.x version of https://github.com/bungle/lua-resty-session
• The current session calls do not work with that session version somehow.

To fix the current built the Dockerfile needs to add --pin 1.7.6 to the oidc lib:

&& /usr/local/openresty/luajit/bin/luarocks install lua-resty-openidc --pin 1.7.6 \

What do you think?

Originally posted by @tft7000 in https://github.com/leplusorg/openid-connect-provider-debugger/issues/95#issuecomment-2378817796

[thomasleplus]

@tft7000 I have been meaning to pin the version of lua-resty-openidc since it's a best practice anyway. Just never got around to do it (plus I am not looking forward to have one more version to track and bump regularly). But we just saw a clear demonstration that it's worth it so now it's done. If I could request your help in testing again, I would greatly appreciate it.

[tft7000]

@thomasleplus :

I tested #102 locally:

• clone the project
• adapt the build script (add --no-cache)
• tested main -> it worked -> I later realized that the branch was merged already
• tested 101-pin-lua-resty-openidc -> it worked (login and logout in an automated test)

meanwhile the image is out on docker hub:

• testing the image leplusorg/openid-connect-provider-debugger:main -> it worked the same way

thank you very much!

[thomasleplus]

Thank you! I still have to figure out what's the issue with lua-resty-openidc 1.8.0. I'd like to solve that before releasing but if I am stalled I'll release as it is now and make it the new latest docker tag.

Cheers

[thomasleplus]

@thomasleplus :

I tested #102 locally:

• clone the project
• adapt the build script (add --no-cache)
• tested main -> it worked -> I later realized that the branch was merged already
• tested 101-pin-lua-resty-openidc -> it worked (login and logout in an automated test)

meanwhile the image is out on docker hub:

• testing the image leplusorg/openid-connect-provider-debugger:main -> it worked the same way

thank you very much!

You mentioned an automated test. Do you think that's something that you could contribute as well? If not it's OK but I am unhappy with the current test (it's just checking that the container starts and responds to a curl HTTP request). I meant to improve it but haven't found the time so far.

[tft7000]

@thomasleplus :

You mentioned an automated test. Do you think that's something that you could contribute as well? If not it's OK but I am unhappy with the current test (it's just checking that the container starts and responds to a curl HTTP request). I meant to improve it but haven't found the time so far.

Unfortunately that is not possible, as I use this OIDC client to test our company product.

I was shortly looking around and I probably would do it in the following way:

• I would use https://github.com/panva/node-oidc-provider

  // standalone.js - run with `node standalone.js`
  import Provider from 'oidc-provider';
  const configuration = {
    // refer to the documentation for other available configuration
    clients: [{
        client_id: 'foo',
        client_secret: 'bar',
        redirect_uris: ['http://localhost:8080/debug'],
        // ... other client properties
        pkce: { methods: ['S256'] }
    }],
  };
  
  const oidc = new Provider('http://localhost:3000', configuration);
  
  oidc.listen(3000, () => {
    console.log('oidc-provider listening on port 3000, check http://localhost:3000/.well-known/openid-configuration');
  });

  with package.json

  {
  "dependencies": {
    "oidc-provider": "^8.5.1"
  },
  "name": "test-op",
  "main": "standalone.js",
  "type": "module"
  }

  so the directory structure could look this this:

  - test-op
  - package.json
  - package-lock.json
  - standalone.js

• next you need to support PKCE in your RP, as the server is requiring it.
  • I think you just need to support the flag use_pkce = false from the lua-resty-openidc lib
• then you can startup the node app (OP) node standalone.js and the docker app (RP)
• (you probably need a defined local IP, as in the docker app, resty will access the discovery URL and that can neither be localhost nor 127.0.0.1)
• go to http://localhost:8080 and enter the info or in a test call the debug URL directly, e.g. http://localhost:8080/debug?oidc_client_id=foo&oidc_client_secret=bar&oidc_discovery=http%3A%2F%2F10.200.20.1%3A3000%2F.well-known%2Fopenid-configuration&oidc_redirect_uri=&oidc_scope=openid
• If you can somehow integrate that in a pipeline (e.g. with docker-compose and use service names), then you can write a cypress test - or whatever test framework you like.

I hope this helps as a starter.

[thomasleplus]

OK, no worries I totally understand. I will revisit soon.