nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

No session state found error when behind nginx #108

Open yavuzd opened 5 years ago

yavuzd commented 5 years ago

Hello,

I am running Kong v0.12.3 as a Docker container with the oidc plugin built from the master branch. I am using Keycloak as the IDP. When I send requests directly to the container port, things just work fine and after login Kong successfully redirects to the upstream URL, but when I use an nginx as a load balancer in front of the container, after login to the IDP the "request to the redirect_uri_path but there's no session state found" error shows up in the browser. Help appreciated, thanks.

Also, my problem seems to be similar to https://github.com/zmartzone/lua-resty-openidc/issues/231, but I could not find a working solution.

Failed Case:

> 2019/02/27 10:47:59 [debug] 186#0: *735280 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 1 => private_key_jwt
> 2019/02/27 10:47:59 [debug] 186#0: *735280 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 2 => client_secret_basic
> 2019/02/27 10:47:59 [debug] 186#0: *735280 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 3 => client_secret_post
> 2019/02/27 10:47:59 [debug] 186#0: *735280 [lua] openidc.lua:1038: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
> 2019/02/27 10:47:59 [debug] 186#0: *735280 [lua] openidc.lua:1066: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
> 2019/02/27 10:47:59 [debug] 186#0: *735280 [lua] openidc.lua:1169: authenticate(): Redirect URI path (/rest/version/latest/isalive/) is currently navigated -> Processing authorization response coming from OP
> 2019/02/27 10:47:59 [error] 186#0: *735280 [lua] openidc.lua:1173: authenticate(): request to the redirect_uri_path but there's no session state found, client: 172.28.249.154, server: kong, request: "GET /rest/version/latest/isalive/?state=73f3830a7ed67c0e0437984bc1273356&session_state=00c01298-caa7-4061-8250-2319d55a0c2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..DLiU-HllRKN3mmaAatgK7A.tpAKWPWmu1Ivt-vO6-8VwdUrqeD5ME9tHvEidJ7PKJ4jBo9_nuGh22cX2cFR9RXOJbuaHd1yv-FJpE9LRSQnUzAhP5HyazXc4fed3TfMCeRce6AyczqIHAqKmsxZS9jSynTqk-l5jYS7mUK7eeO10ikvmRoYmesNpnoR9VA55eHGyeyXBHk4DighI1GYGbAEvu4lU7q2E__GDjlBvsT8GDsVVj6UrEtfCcPfw98QvlCGYwTCsflCuuVTUwt0YHJq.246FyZkD_yJRk0lqPvJZBg HTTP/1.1"

Successful Case:

2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 1 => private_key_jwt
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 2 => client_secret_basic
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:1036: openidc_get_token_auth_method(): 3 => client_secret_post
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:1038: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:1066: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:1169: authenticate(): Redirect URI path (/rest/version/latest/isalive) is currently navigated -> Processing authorization response coming from OP
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:918: authenticate(): Authentication with OP done -> Calling OP Token Endpoint to obtain tokens
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:374: openidc_call_token_endpoint(): client_secret_post: client_id and client_secret being sent in POST body

Config for nginx in the front

location ~ (/) {
        proxy_pass  http://kong-8000;
        proxy_http_version 1.1;
        proxy_set_header Connection "Upgrade";
        #proxy_set_header Connection "Keep-Alive";
        proxy_set_header Connection "";
        proxy_buffering off;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
        proxy_redirect     off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_read_timeout 600000;
        proxy_send_timeout 600000;
        proxy_pass_header  Set-Cookie;
        proxy_pass_header  P3P;
}
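
A log triage sketch for the two excerpts in the post above, added here as an example and not part of the original issue or of the kong-oidc / lua-resty-openidc code: it groups `openidc.lua` lines by nginx connection id and reports which callback paths end in the "no session state found" error. The function names are hypothetical, and the sample lines are constructed, abbreviated from the post's log format with placeholder `state`/`code` values and client address.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log format; state/code/client are placeholders.
SAMPLE_LOG = """\
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:1169: authenticate(): Redirect URI path (/rest/version/latest/isalive) is currently navigated -> Processing authorization response coming from OP
2019/02/27 10:44:48 [debug] 186#0: *734200 [lua] openidc.lua:918: authenticate(): Authentication with OP done -> Calling OP Token Endpoint to obtain tokens
2019/02/27 10:47:59 [debug] 186#0: *735280 [lua] openidc.lua:1169: authenticate(): Redirect URI path (/rest/version/latest/isalive/) is currently navigated -> Processing authorization response coming from OP
2019/02/27 10:47:59 [error] 186#0: *735280 [lua] openidc.lua:1173: authenticate(): request to the redirect_uri_path but there's no session state found, client: 192.0.2.10, server: kong, request: "GET /rest/version/latest/isalive/?state=EXAMPLE&code=EXAMPLE HTTP/1.1"
"""

LINE = re.compile(r"^\S+ \S+ \[(\w+)\] \d+#\d+: \*(\d+) \[lua\] openidc\.lua:\d+: (.*)$")
CALLBACK = re.compile(r"Redirect URI path \((.*?)\) is currently navigated")

def triage(log_text):
    """Group openidc.lua lines by nginx connection id and classify each callback."""
    conns = defaultdict(lambda: {"path": None, "outcome": "incomplete"})
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> "))  # tolerate '>'-quoted log lines
        if not m:
            continue
        _level, conn, msg = m.groups()
        cb = CALLBACK.search(msg)
        if cb:
            conns[conn]["path"] = cb.group(1)  # path the OP redirected back to
        elif "no session state found" in msg:
            conns[conn]["outcome"] = "no_session"
        elif "Calling OP Token Endpoint" in msg:
            conns[conn]["outcome"] = "token_exchange"
    return {c: v for c, v in conns.items() if v["path"] is not None}

def paths_by_outcome(results):
    """Map each outcome to the set of callback paths that produced it."""
    out = defaultdict(set)
    for v in results.values():
        out[v["outcome"]].add(v["path"])
    return dict(out)

def failing_only_paths(results):
    """Callback paths that appear with no_session but never with a token exchange."""
    by = paths_by_outcome(results)
    return sorted(by.get("no_session", set()) - by.get("token_exchange", set()))

if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for conn, v in res.items():
        print(conn, v["outcome"], v["path"])
    print("paths seen only on failing callbacks:", failing_only_paths(res))
```

On the post's excerpts, the failing callback is logged with the path `/rest/version/latest/isalive/` and the successful one with `/rest/version/latest/isalive`.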

hostettler commented 5 years ago

Hello, any news on this one? I face a similar problem. When I target Kong, it works, but using an nginx in front I get the same error. Interesting fact: it works for Chrome, but with IE/Edge I get the no session found even with Kong (without Nginx).

caiobarbierato commented 5 years ago

Hi, had the same problem. Working on Chrome, but not on Safari.