revomatico / kong-oidc

OIDC plugin for Kong
Apache License 2.0

request to the redirect_uri path but there's no session state found #34

Closed lordgreg closed 1 year ago

lordgreg commented 1 year ago

Hi,

I'm using the latest Kong gateway with this plugin. I've created the service, route and plugin (I've also added an additional service and route to check whether the connection without the oidc plugin works).

My hostnames are:

- http://kong-gateway/ (gateway)
- http://kong-admin/ (admin API)
- http://example-service/
- http://kong-gateway/example-service redirects to the example service without OIDC
- http://kong-gateway/example-oidc redirects to the example service with OIDC

REDIRECT URI for the oidc plugin is http://kong-gateway/example-oidc

# SERVICES
# add service with OIDC
curl --location 'http://kong-admin:8001/services' \
--form 'name="example-oidc"' \
--form 'url="http://example-service:8080"'

# add service without OIDC
curl --location 'http://kong-admin:8001/services' \
--form 'name="example-service"' \
--form 'url="http://example-service:8080"'

# ROUTES
# add route for service with OIDC
curl --location 'http://kong-admin:8001/services/example-oidc/routes' \
--form 'paths[]="/example-oidc"' \
--form 'name="example-oidc-route"'

# add route for service without OIDC
curl --location 'http://kong-admin:8001/services/example-service/routes' \
--form 'paths[]="/example-service"' \
--form 'name="example-service-route"'

# PLUGIN
curl --location 'http://kong-admin:8001/services/example-oidc/plugins' \
--form 'name="oidc"' \
--form 'config.client_id="CLIENT_ID"' \
--form 'config.client_secret="CLIENT_SECRET"' \
--form 'config.discovery="https://OPENID-SERVER/.well-known/openid-configuration"' \
--form 'config.redirect_uri="http://kong-gateway/"'

After successful redirect, I am getting:

request to the redirect_uri path but there's no session state found.

What am I missing here?

lordgreg commented 1 year ago

After several days, I figured out it was a dependency mismatch!

After checking the plugin versions with luarocks list, I found that there were two versions of lua-resty-session installed:

lua-resty-session
   4.0.3-1 (installed) - /usr/local/lib/luarocks/rocks-5.1
   3.10-1 (installed) - /usr/local/lib/luarocks/rocks-5.1

The 4.0.3-1 comes from kong 3.3.0 and the 3.10-1 comes from lua-resty-openidc 1.7.6-3.

It looks like, even though 3.10-1 is installed, the configuration somehow took version 4. As soon as I removed version 4 with luarocks remove lua-resty-session 4.0.3-1 --force and restarted Kong, everything started working without any issues.

There is currently a PR open, https://github.com/zmartzone/lua-resty-openidc/pull/478, which, if updated correctly, should only include one specific version.
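The diagnosis above comes down to spotting a rock that luarocks has installed in two versions at once. The following script is an added example, not code from the issue or from the kong-oidc project: it parses `luarocks list` output in the format quoted above (an unindented rock name followed by indented `<version> (installed) - <path>` lines) and reports every rock with more than one installed version. The sample listing embedded in it is constructed for the demonstration, modelled on the one in the comment, and is not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the issue or the kong-oidc project): report rocks
# that `luarocks list` shows installed in more than one version, which is
# the situation described above (lua-resty-session 4.0.3-1 next to 3.10-1).
#
# Assumption: `luarocks list` prints an unindented rock name, then one
# indented "   <version> (installed) - <path>" line per installed version.

# find_duplicate_rocks: read `luarocks list` output on stdin and print one
# line per rock that has two or more installed versions, formatted as
# "<name> <version1> <version2> ...", sorted by rock name.
find_duplicate_rocks() {
    awk '
        # A line starting in column 1 (no leading whitespace) is a rock name.
        /^[^ \t]/ { name = $1; next }
        # An indented line carrying "(installed)" is a version entry for the
        # current rock; $1 is the version string.
        /^[ \t]+[^ \t]+[ \t]+\(installed\)/ {
            count[name]++
            versions[name] = versions[name] " " $1
        }
        END {
            for (n in count) if (count[n] > 1) print n versions[n]
        }
    ' | sort
}

# Constructed sample of `luarocks list` output (not from a real machine),
# modelled on the listing quoted in the issue.
SAMPLE='kong
   3.3.0-0 (installed) - /usr/local/lib/luarocks/rocks-5.1

lua-resty-openidc
   1.7.6-3 (installed) - /usr/local/lib/luarocks/rocks-5.1

lua-resty-session
   4.0.3-1 (installed) - /usr/local/lib/luarocks/rocks-5.1
   3.10-1 (installed) - /usr/local/lib/luarocks/rocks-5.1
'

# check_sample: run the parser over the constructed sample and return
# the report (expected: a single line naming lua-resty-session).
check_sample() {
    printf '%s' "$SAMPLE" | find_duplicate_rocks
}

# Against a real installation, pipe the live listing in instead:
#   luarocks list | find_duplicate_rocks
check_sample
```

An empty report means every rock resolves to exactly one version; any line printed names a rock where `require` may pick up a different copy from the one the dependent package (here lua-resty-openidc) was written against, which is worth checking before digging into plugin configuration.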

brafales commented 1 year ago

Same issue as https://github.com/zmartzone/lua-resty-openidc/issues/480, it'd be great to get https://github.com/zmartzone/lua-resty-openidc/pull/478 reviewed and merged.