Open ledbruno opened 3 years ago
An update on this, now the error is:

```
2020/09/21 15:46:17 [error] 22#0: *426 [lua] openidc.lua:1173: authenticate(): request to the redirect_uri_path but there's no session state found,
```

Tried to fix with the solution described at https://github.com/zmartzone/lua-resty-openidc/issues/231
```
/usr/local/kong # cat /tmp/custom_nginx.conf
set $session_secret bla; set $session_cookie_samesite off;
```

The redirect from Cognito to Kong is same-site=Lax.
The result is
For some unknown reason, the session is not correctly started. Disabling some verification on openidc.lua, then:

```
*31970 [lua] openidc.lua:1210: authenticate(): session.present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
```

Everything works well... at first sight :)
@ledbruno May I know if you are using the Nokia Kong OIDC plugin as a route plugin? I recently tried to set up a Kong with this custom plugin and found that config.redirect_uri_path may be affecting the behaviour.
@jacky96623 It's applied on a Service, not a route.
I've bypassed the problem with a source code customization, changing the redirect_uri_path and scheme attributes.
I had the same problem and was able to fix it by setting the $session_name variable in the server block.
Why? I'm not sure. Example:
```nginx
server {
    ...
    server_name proxy.localhost;
    #lua_code_cache off;
    # name of the session cookie used by lua-resty-session / lua-resty-openidc
    set $session_name nginx_session;
    location / {
        access_by_lua_block {
            local opts = {
                redirect_uri = "http://proxy.localhost/cb",
                discovery = "http://127.0.0.1:9000/.well-known/openid-configuration",
                client_id = "proxyclient-id",
                client_secret = "secret",
                ssl_verify = "no",
                scope = "openid"
            }
            -- call authenticate for OpenID Connect user authentication
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
            -- forward the authenticated subject to the upstream
            ngx.req.set_header("X-USER", res.id_token.sub)
        }
        proxy_pass http://localhost:8080/;
        proxy_set_header x-forwarded-proto $scheme;
    }
}
```
Another thing to pay attention to is the `lua_code_cache off` directive; it could break the session. See: https://github.com/bungle/lua-resty-session#notes-about-turning-lua-code-cache-off
@ledbruno What was the fix? I'm having the same error: `request to the redirect_uri path but there's no session state found`.
I'm running NGINX on Kubernetes.
The basic change was on another lib, https://github.com/zmartzone/lua-resty-openidc
We have a lot of unrelated changes, so that's why I didn't open a pull request with the single fix. If you really need this, please let me know and we can work on a separate branch with just this.
This was resolved by setting:

```nginx
set $session_secret 623q4hR325t36VsCD3g567922IC0073T;
set $session_name nginx_session;
```
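The comments above all come down to the same mechanism: before redirecting to the provider, lua-resty-openidc stores the OAuth `state` in the session cookie, and on the request to the redirect URI it needs that cookie back to compare the `state` it receives; if the cookie is missing, was issued under a different `$session_name`, or was signed with a different `$session_secret`, there is no session to read and the request fails with "no session state found". The following Python is an added illustration of that binding, not code from lua-resty-openidc, lua-resty-session or the Kong plugin; all function names, cookie values and the secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values; in nginx these come from $session_secret and $session_name.
SESSION_SECRET = b"constructed-example-secret"
SESSION_NAME = "nginx_session"


def _mac(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def encode_session(data: dict, secret: bytes = SESSION_SECRET) -> str:
    """Serialise and MAC the session the way a cookie-backed session store does."""
    raw = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{raw}.{_mac(secret, raw)}"


def decode_session(value, secret: bytes = SESSION_SECRET):
    """Return the session dict, or None when the cookie is absent, malformed, or
    was signed with a different secret (the case when $session_secret differs)."""
    if not value or "." not in value:
        return None
    raw, mac = value.rsplit(".", 1)
    if not hmac.compare_digest(mac, _mac(secret, raw)):
        return None
    return json.loads(base64.urlsafe_b64decode(raw))


def start_login(authz_endpoint, client_id, redirect_uri, original_url="/",
                secret=SESSION_SECRET, session_name=SESSION_NAME):
    """Step 1: pick a random state, persist it in the session cookie and build the
    302 to the provider's authorization endpoint."""
    state = secrets.token_hex(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "openid", "state": state})
    cookies = {session_name: encode_session(
        {"state": state, "original_url": original_url}, secret)}
    return {"status": 302, "location": f"{authz_endpoint}?{query}", "set_cookie": cookies}


def handle_callback(callback_url, request_cookies,
                    secret=SESSION_SECRET, session_name=SESSION_NAME):
    """Step 2: the provider sent the browser to redirect_uri with code and state.
    The state must equal the one stored in the session cookie; without the cookie
    there is nothing to compare against, which is the error seen in this thread."""
    params = parse_qs(urlparse(callback_url).query)
    session = decode_session(request_cookies.get(session_name), secret)
    if session is None or "state" not in session:
        return {"status": 500,
                "error": "request to the redirect_uri_path but there's no session state found"}
    if params.get("state", [None])[0] != session["state"]:
        return {"status": 400, "error": "state parameter does not match session state"}
    return {"status": 200, "code": params["code"][0], "original_url": session["original_url"]}


def simulate(cookie_survives=True, callback_session_name=SESSION_NAME,
             callback_secret=SESSION_SECRET):
    """Drive both steps. The browser returns the cookie only if cookie_survives is
    True (a cookie not sent on the cross-site navigation back from the provider is
    the same as no cookie); the callback side may also run with a different cookie
    name or secret than the side that started the login."""
    redirect_uri = "https://localhost:8443/auth-sample"
    step1 = start_login("https://idp.example/oauth2/authorize", "123", redirect_uri,
                        original_url="/api")
    state = parse_qs(urlparse(step1["location"]).query)["state"][0]
    # The provider redirects back with a constructed code and the same state.
    callback = f"{redirect_uri}?{urlencode({'code': 'constructed-code', 'state': state})}"
    browser_cookies = step1["set_cookie"] if cookie_survives else {}
    return handle_callback(callback, browser_cookies,
                           secret=callback_secret, session_name=callback_session_name)


if __name__ == "__main__":
    print(simulate())                                   # 200, code delivered
    print(simulate(cookie_survives=False))              # 500, no session state found
    print(simulate(callback_session_name="session"))    # 500, cookie name mismatch
    print(simulate(callback_secret=b"rotated-secret"))  # 500, MAC mismatch
```

Running `simulate()` with the defaults completes the flow; dropping the cookie, changing the cookie name between the two requests, or signing with a different secret each reproduces the "no session state found" failure, which is why the `$session_name` and `$session_secret` settings above had to be consistent across the nginx configuration that starts the login and the one that receives the callback.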
Hello, first of all: congrats for the good job, it's an awesome solution!
I'm trying to connect Kong to Cognito through this plugin, but I have some questions. I did some plugin and Cognito setup and I'm stuck in this scenario:
1) Kong connects to the plugin and gets an authorization code.
2) Cognito executes the call to Kong with the authorization code: https://localhost:8443/auth-sample?code=3107ccb1-837e-4bc3-ac9f-18fef551ed53
My Cognito conf: ![image](https://user-images.githubusercontent.com/916289/93625477-67dc2200-f9b8-11ea-9c67-f381011c0463.png)
My plugin conf:

```json
{
  "realm": "kong",
  "scope": "openid",
  "filters": null,
  "client_id": "123",
  "discovery": "https://cognito-idp.us-east-1.amazonaws.com/us-east-bla/.well-known/openid-configuration",
  "ssl_verify": "no",
  "bearer_only": "no",
  "logout_path": "/logout",
  "client_secret": "bla",
  "response_type": "code",
  "session_secret": "bla",
  "redirect_uri_path": null,
  "recovery_page_path": null,
  "introspection_endpoint": null,
  "redirect_after_logout_uri": "/",
  "token_endpoint_auth_method": "client_secret_post"
}
```
The questions are:
1) Who is supposed to be the authorization callback: Kong, Cognito or another service? My first impression is that Kong should be the one, according to the docs: ![image](https://user-images.githubusercontent.com/916289/93624623-06678380-f9b7-11ea-8407-1bbd8bd25f35.png)
But if Kong should handle this callback, what is the endpoint/service? Should the OIDC plugin be enabled for this service?
2) What does this mean?
Should I call GET /API with the authorization code? How should I pass this, in which header?