nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Setting config.session_secret without setting a $session_secret on Kong breaks the plugin #123

Open asjongers opened 5 years ago

asjongers commented 5 years ago

Hi,

Setting config.session_secret (even to a correct base64 encoded value) breaks the plugin if the $session_secret variable has not been set on Kong.

The problem disappears if you set it first on Kong (I use it in a docker environment, where you can set it with the following ENV variable: KONG_NGINX_PROXY_SET: "$$session_secret <yoursecret>"), but then I'm not sure why you would set it through the plugin in the first place.

Couldn't that whole feature be dropped and a recommendation to set a session_secret in your Kong configuration be added in the documentation?

As a side-note, we encountered that problem when trying to fix an issue where loading static files for Kibana behind Kong would fail, thus leading us to #78 and after some more research to #1 where we discovered that setting session_secret properly on Kong itself would solve all our issues.

Thanks.

z-aliakseyeu commented 5 years ago

Hello @asjongers! This is a really great comment, and it seems you've fixed the issue with the request to the redirect_uri_path where there's no session state found after the redirect. I've been using kong as part of a docker setup and added that environment variable without adding session_secret to the plugin. But whenever I add both, I get a kong error 500. Can you please give more detailed information on how you fixed the issue? Some information about my setup:

# docker-compose.yml environment entry ($$ is how docker-compose escapes a literal $)
- KONG_NGINX_PROXY_SET="$$session_secret perfect_s3cr3+"

kong version: 0.13.0; plugin version: current master, installed with luarocks install kong-oidc

If you would be able to give some more information or any clue to the issue, would be great! 🙏

Thank you

asjongers commented 5 years ago

Hi @z-aliakseyeu.

In our case, we stopped using config.session_secret, as it would just end up overriding the one already set. But if you really do need to set one, make sure you provide a properly base64-encoded secret, or your service will probably end up sending a 500 response because of this if clause:

  if config.session_secret then
    -- config.session_secret must be base64; ngx.decode_base64 returns nil otherwise
    local decoded_session_secret = ngx.decode_base64(config.session_secret)
    if not decoded_session_secret then
      utils.exit(500, "invalid OIDC plugin configuration, session secret could not be decoded", ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR))
    end
    -- writing ngx.var.session_secret raises a Lua error unless $session_secret
    -- has been declared in the nginx config (e.g. via KONG_NGINX_PROXY_SET)
    ngx.var.session_secret = decoded_session_secret
  end

If it's not already the case, try setting config.session_secret to a properly base64-encoded secret and see if it works! You could use this website to generate one.
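The relationship between the two settings discussed above, as an added example that is not code from the plugin or from this thread: the nginx variable $session_secret holds the raw secret, while config.session_secret must hold its base64 encoding, and a raw value such as the one in the docker-compose snippet fails the plugin's decode check. The function names and the sample secret are constructed for this illustration.

```python
# Added example (not plugin or thread code): relation between config.session_secret
# and the $session_secret nginx variable, plus a Python stand-in for the base64
# guard in session.lua that answers 500 when the value does not decode.
import base64
import binascii
import json
import secrets


def generate_raw_secret(nbytes: int = 32) -> str:
    # URL-safe base64 text: printable, no whitespace, no '$' or '"', so it can be
    # placed verbatim in an nginx `set $session_secret <value>;` directive.
    return secrets.token_urlsafe(nbytes)


def plugin_session_secret_is_valid(value: str) -> bool:
    # Stand-in for ngx.decode_base64(config.session_secret): a value that is not
    # standard base64 is rejected, which is the 500 path in the plugin. Python's
    # strict decoder is used here; its padding rules may be stricter than nginx's.
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def kong_settings(raw_secret: str) -> dict:
    # The nginx variable holds the RAW secret (what the plugin writes after
    # decoding); the plugin's config.session_secret holds its base64 encoding.
    return {
        "KONG_NGINX_PROXY_SET": f"$session_secret {raw_secret}",
        "config.session_secret": base64.b64encode(raw_secret.encode()).decode(),
    }


def compose_env_line(name: str, value: str) -> str:
    # docker-compose expands '$'; '$$' yields a literal '$'. JSON string escaping
    # is valid YAML double-quoted syntax, so json.dumps covers other special chars.
    return f"{name}: {json.dumps(value.replace('$', '$$'))}"


if __name__ == "__main__":
    # Constructed sample matching the thread: a raw secret that is NOT valid base64.
    raw = "perfect_s3cr3+"
    print(plugin_session_secret_is_valid(raw))  # False -> plugin would answer 500
    s = kong_settings(raw)
    print(plugin_session_secret_is_valid(s["config.session_secret"]))  # True
    print(compose_env_line("KONG_NGINX_PROXY_SET", s["KONG_NGINX_PROXY_SET"]))
```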