nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

SPA behind kong oidc #70

Closed xwrs closed 6 years ago

xwrs commented 6 years ago

Hello. I am trying to secure my Kibana and a few other Single Page apps using the kong oidc plugin.

Having all rules configured I am getting the correct flow of SSO page and then I get redirected back to the application.

Within only a few minutes I am getting a lot of errors in the browser network log saying that my authorization endpoint does not support CORS. This is another problem, and I will have to find a workaround for that (Azure AD has very inconvenient limitations).

Failing requests are basically resources of the application (e.g. JavaScript or images). When I tried to open the failing URLs I got "session state" errors and "redirect url" errors like this one:

'state from argument: 31ddca7c19b8c9b63a0a089e8075901b does not match state restored from session: nil'

So the question is: is this normal behavior? Am I missing some core configuration? I thought it might happen if the session had expired, but it occurs within a few minutes after login. If I clear session cookies and storage I can work for another 2-3 minutes.

Trojan295 commented 6 years ago

Could you post your OIDC plugin configuration? Especially: did you set the session_secret? There were some problems when this field wasn't set in the plugin or in the Nginx configuration.

xwrs commented 6 years ago

@Trojan295, no, session_secret is not set:

```json
{
    "config": {
        "response_type": "code",
        "realm": "kong",
        "scope": "openid",
        "token_endpoint_auth_method": "client_secret_post",
        "client_secret": "xxx",
        "client_id": "xxx",
        "bearer_only": "no",
        "introspection_endpoint": "http://identity.sit/connect/introspect",
        "ssl_verify": "no",
        "discovery": "https://sts.windows.net/xxx/.well-known/openid-configuration"
    },
    "name": "oidc",
    "enabled": true
}
```

xwrs commented 6 years ago

Setting session_secret to a random string has led to the following output from all requests, {"message":"An unexpected error occurred"}, and this error in the Kong logs:

2018/09/11 20:07:31 [error] 41#0: *1314450 [lua] responses.lua:121: access(): /usr/local/openresty/lualib/resty/core/var.lua:114: variable "session_secret" not found for writing; maybe it is a built-in variable that is not changeable or you forgot to use "set $session_secret '';" in the config file to define it first,

xwrs commented 6 years ago

Fixed using the Dockerfile from this repo: https://github.com/Revomatico/docker-kong-oidc
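As an added example (not code from this thread or from the kong-oidc project), a small Python audit of the plugin object posted above: it flags the missing session_secret the maintainer asked about, the ssl_verify "no" setting, and the plaintext introspection endpoint. The audit function, its finding texts and the 32-character length threshold are assumptions of this example; the sample JSON is the redacted config from the issue.

```python
import json

# Constructed sample: the plugin object posted in this issue (secrets redacted as "xxx" in the original).
ISSUE_PLUGIN_JSON = """
{
  "config": {
    "response_type": "code",
    "realm": "kong",
    "scope": "openid",
    "token_endpoint_auth_method": "client_secret_post",
    "client_secret": "xxx",
    "client_id": "xxx",
    "bearer_only": "no",
    "introspection_endpoint": "http://identity.sit/connect/introspect",
    "ssl_verify": "no",
    "discovery": "https://sts.windows.net/xxx/.well-known/openid-configuration"
  },
  "name": "oidc",
  "enabled": true
}
"""


def audit_oidc_plugin(plugin):
    """Return a list of findings for one kong-oidc plugin object (hypothetical helper)."""
    findings = []
    if plugin.get("name") != "oidc":
        return findings  # not a kong-oidc plugin entry, nothing to check
    cfg = plugin.get("config", {})
    # 1. session_secret: the maintainer reply in the thread names a missing value as a
    #    known source of session problems. Also flag obviously short values.
    secret = cfg.get("session_secret")
    if not secret:
        findings.append("session_secret is not set")
    elif len(str(secret)) < 32:  # assumption: shorter than 32 chars is treated as weak
        findings.append("session_secret is short; use a long random value")
    # 2. ssl_verify "no" disables certificate verification when the plugin talks to the IdP.
    if str(cfg.get("ssl_verify", "")).lower() == "no":
        findings.append("ssl_verify=no: identity-provider TLS certificate is not verified")
    # 3. Introspection and discovery carry tokens/credentials and metadata; require https://.
    for key in ("introspection_endpoint", "discovery"):
        if str(cfg.get(key, "")).startswith("http://"):
            findings.append(f"{key} uses plaintext http://")
    return findings


def findings_for_issue_config():
    """Run the audit over the config posted in the issue."""
    return audit_oidc_plugin(json.loads(ISSUE_PLUGIN_JSON))


if __name__ == "__main__":
    for finding in findings_for_issue_config():
        print("-", finding)
```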