Closed LuanP closed 5 years ago
This is caused by the behavior of lua-resty-openidc
and a consequence of a design decision made there, i.e. to start a (single) session to track the user even before authentication actually occurred. So the secondly started request eclipses/overwrites the first request. @bodewig I don't think we will change that, thus we will not support this scenario, agreed? (e.g. mod_auth_openidc handles this scenario with per-request state cookies which end up creating their own difficulties)
Hi @zandbelt,
Thanks a lot for the fast reply.
I know it's a specific scenario with a weird but possible user behavior.
In case you know some workaround for that issue without having to implement a different RP, that'd be great.
Thanks again for taking the time to explain that.
A workaround for that was to set the recovery_page_path to the homepage.
Hi,
I'm facing an issue when I follow the steps:
Although, the user is logged in (if I try accessing a protected route again, it works normally).
2019/03/14 23:39:44 [error] 120#0: *15122 [lua] openidc.lua:1042: authenticate(): state from argument: e308653d5e92e20a9b93d884c0578cf0 does not match state restored from session: d24508a745b72ca268f972c18989845d, client: 172.18.0.1, server: kong, request: "GET /backend/callback?code=eb17492643e14a1d9e3625a602fbd5d5&state=e308653d5e92e20a9b93d884c0578cf0&session_state=36fe60501ebbb9a1cd2749e335121a979318447160b4929fe91aa3ee152cb0bd.c9e1dfcb9a191e79d9967ff806a4c674 HTTP/1.1", host: "localhost:8000", referrer: "http://localhost:8000/login/?next=/openid/authorize%3Fresponse_type%3Dcode%26client_id%3D227868%26state%3De308653d5e92e20a9b93d884c0578cf0%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000%252Fbackend%252Fcallback%26nonce%3Dc89e407690370d562576559007a5eb18%26scope%3Dopenid"
Is there someone with the same issue?
Can you help me with that?
Extra info:
Thanks a lot,
Kind regards.