mozilla-iam / mozilla.oidc.accessproxy

Stand-alone OIDC Access Proxy
Mozilla Public License 2.0

Can't login after session expires #4

Closed flamingspaz closed 7 years ago

flamingspaz commented 7 years ago

After logging in with LDAP, at some point the session will expire, and the proxy will constantly redirect to the forbidden page. Logging out of the proxy or dashboard doesn't seem to help; Leo managed to work around it by clearing cookies. Everything seems to work fine with passwordless.

gdestuynder commented 7 years ago

When prompt=none fails (your auth0 session is no longer valid), it sends you back to redirect_uri, which in turn sends you back to /logout, which finally sends you back to sso.mozilla.com/forbidden by default.

You can change the forbidden URL to your login URL, and the user will be prompted to re-authenticate with auth0 (i.e. the expected behavior). Because the login URL depends on the RP and not necessarily the proxy directly, it's not easy to hardcode to something really meaningful, though we could also patch the upstream library to send you back automatically to the OIDC OP (a more generic method, though that means no opportunity to tell the user what happened; basically, send the user back with prompt=login).

Note: the error_code from auth0 also seems correct: http://openid.net/specs/openid-connect-core-1_0.html

gdestuynder commented 7 years ago

Looked at this a little more. We probably hit https://github.com/mozilla-iam/mozilla.oidc.accessproxy/blob/master/etc/conf.d/openidc_layer.lua#L14 when that happens. We could maybe figure out the error_code there (possibly directly from GET params or res) and send the user back to login instead if the code is login_required.

flamingspaz commented 7 years ago

Awesome thx, I'll do the workaround and see if I can't get to handling the error correctly sometime soon.

gdestuynder commented 7 years ago

I think Alicia in our team ran into this as well today. If I get access to our machine I can try to see if I can fix it there and PR, unless you get to it first.

gdestuynder commented 7 years ago

It's a bug in the lua-resty-openidc library; will PR a fix.

gdestuynder commented 7 years ago

PR'd upstream at https://github.com/pingidentity/lua-resty-openidc/pull/119. It has full info on why/how this is happening. I consider this closed, even though it's not actually fixed until the PR is merged and released :/

In the meantime you can manually merge it, as my above comments won't in fact "fix the problem" (or even work around it).