zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0

Question: Call to protected resource is successful after logout (session destroy only) #216

Closed jerneyio closed 6 years ago

jerneyio commented 6 years ago

Hi, I'm hoping this is a quick question. I'm going through the following flow:

  1. Request protected resource
  2. Redirect to Login page from OP
  3. Login through OP & authenticate
  4. Redirect to originally requested resource
  5. Logout (session is destroyed according to the code, but my OP doesn't expose token revocation endpoints, so the tokens are not revoked)
  6. Request protected resource
  7. Request authenticates automatically and the endpoint returns the resource

Is this expected? I would've thought that by destroying the session on logout, lua-resty-openidc wouldn't have enough information to complete the request without having the user authenticate with their username/password again. But what I'm seeing instead is that authentication seems to be happening independent of the session. If anyone could explain why this is working this way, and if it's possible to get my desired behavior and how (after calling the logout endpoint, need to authenticate with username/password again), I'd greatly appreciate it.

bodewig commented 6 years ago

I think what you see is

  1. Request protected resource
  2. Redirect to Login page from OP
  3. OP still has an active session, automatically authenticates you and redirects back to the redirect URI
  4. lua-resty-openidc obtains a fresh token
  5. Redirect to originally requested resource

so it looks as if you had been authenticated automatically while in fact you have re-run the authorization flow, just never saw it. You can force the OP to show the login page rather than redirect back automatically by setting opts.prompt=login.
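The distinction bodewig draws is between two sessions: the RP session that lua-resty-openidc stores in its cookie, and the SSO session the OP keeps for the browser. Destroying only the first leaves the second intact, so the next authorization request is satisfied silently. The snippet below is an added example (not code from this issue, from the lua-resty-openidc project, or from the Kong plugin the reporter is using) of an `access_by_lua_block` body that handles both sides: `prompt = "login"` forces the OP to re-collect credentials, and the logout options send the browser on to the OP's `end_session_endpoint` so the OP session ends as well. The hostnames, realm, client id/secret and paths are hypothetical placeholders; the option names are those documented for lua-resty-openidc, and which of them are available depends on the version in use.

```lua
-- Added example: lua-resty-openidc options for a protected location.
-- All URLs, the client id and the secret below are hypothetical placeholders.
local opts = {
  -- OP metadata. The discovery document in this thread advertises an
  -- end_session_endpoint but no revocation_endpoint, which is why the
  -- "no revocation endpoint supplied" lines appear in the debug log.
  discovery = "https://op.example.test/auth/realms/example/.well-known/openid-configuration",
  client_id = "example-rp",
  client_secret = "REPLACE_WITH_CLIENT_SECRET",
  redirect_uri = "https://rp.example.test/redirect_uri",
  scope = "openid",
  token_endpoint_auth_method = "client_secret_post",

  -- Ask the OP to show its login page even when it still holds an SSO
  -- session for this browser; without it the authorization request
  -- completes without user interaction, as described above.
  prompt = "login",

  -- Local logout: destroy the RP session, attempt revocation (only works if
  -- the OP exposes a revocation endpoint, or one is set via
  -- opts.revocation_endpoint), then redirect to the OP's end_session_endpoint
  -- so the OP's own session is terminated too.
  logout_path = "/logout",
  revoke_tokens_on_logout = true,
  redirect_after_logout_uri = "https://op.example.test/auth/realms/example/protocol/openid-connect/logout",
  redirect_after_logout_with_id_token_hint = true,
  post_logout_redirect_uri = "https://rp.example.test/",
}

-- authenticate() either returns the session contents (id_token, access_token,
-- user claims) or redirects the browser to the OP and never returns.
local res, err = require("resty.openidc").authenticate(opts)
if err then
  ngx.status = ngx.HTTP_INTERNAL_SERVER_ERROR
  ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Pass the authenticated subject to the upstream; never forward the raw
-- session cookie or tokens unless the upstream actually needs them.
ngx.req.set_header("X-Authenticated-Sub", res.id_token.sub)
```

A quick way to confirm the second half is working is to watch the browser after hitting the logout path: it should land on the OP's logout URL and only then return to the post-logout page. If it goes straight back to the RP, only the RP cookie was cleared and the OP session is still alive, which reproduces exactly the behaviour the reporter saw.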

jerneyio commented 6 years ago

I think you're right on what I'm seeing. After adding opts.prompt="login", this is what I'm seeing for a call to the logout endpoint:

2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:1310: authenticate(): Logout path (/bpm/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:508: openidc_discover(): openidc_discover: URL is: http://192.168.2.3:8180/auth/realms/atis/.well-known/openid-configuration
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:514: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:385: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] http.lua:633: send_request(): 
GET /auth/realms/atis/.well-known/openid-configuration HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Host: 192.168.2.3:8180

2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:526: openidc_discover(): response data: {"issuer":"http://192.168.2.3:8180/auth/realms/atis","authorization_endpoint":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/auth","token_endpoint":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/token","token_introspection_endpoint":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/userinfo","end_session_endpoint":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/logout","jwks_uri":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/certs","check_session_iframe":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512"],"userinfo_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512","none"],"request_object_signing_alg_values_supported":["none","RS256"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://192.168.2.3:8180/auth/realms/atis/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"http://192.168.2.3:8180/auth/realms/atis/protocol/openid-connect/token/introspect"}
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:572: openidc_get_token_auth_method(): 1 => private_key_jwt
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:572: openidc_get_token_auth_method(): 2 => client_secret_basic
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:572: openidc_get_token_auth_method(): 3 => client_secret_post
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:574: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:602: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:1143: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens...
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:1099: openidc_revoke_token(): no revocation endpoint supplied. unable to revoke refresh_token.
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] openidc.lua:1099: openidc_revoke_token(): no revocation endpoint supplied. unable to revoke access_token.
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/10/23 14:51:59 [debug] 56#0: *604 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log

Then, the subsequent call to the protected resource looks like this (again, automatically authenticating, even w/ opts.prompt="login"):

2018/10/23 14:52:02 [debug] 56#0: *604 [lua] openidc.lua:1365: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2018/10/23 14:52:02 [debug] 56#0: *604 [lua] base_plugin.lua:28: header_filter(): executing plugin "oidc": header_filter
2018/10/23 14:52:02 [debug] 56#0: *604 [lua] base_plugin.lua:32: body_filter(): executing plugin "oidc": body_filter
2018/10/23 14:52:02 [debug] 56#0: *604 [lua] base_plugin.lua:36: log(): executing plugin "oidc": log
172.21.0.1 - - [23/Oct/2018:14:52:02 +0000] "GET /bpm/trainingportfolio HTTP/1.1" 302 167 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36"
2018/10/23 14:52:02 [debug] 56#0: *604 [lua] base_plugin.lua:24: access(): executing plugin "oidc": access
2018/10/23 14:52:02 [debug] 56#0: *604 [lua] handler.lua:46: make_oidc(): OidcHandler calling authenticate, requested path: /bpm/trainingportfolio/?state=764db3f420c7a3351ede61aa5eb59820&session_state=4333d013-243d-4ced-94ed-6adf3faa2392&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..6_f0Ajlu-i6dPd_IqrOB1w.AymnhEaKiE7Xd0Cgg6Us1-jCCh-p53fr2U9wfuF4YT0LJ_s0kZhoNC0Kqd2rkT-PwgDyDe1ag3Xc7v6rUAMB-MitPdifKL-0wV5mJgRZjW-rHQeNtmvpRMAgm-gYFvWHllLugu9mzFFA7KdC-1ldt2Z0o9cXaNPWVN7qmZYA_WnVriM9EsIfmqUicowE801qYLoEy-7WXjyzjnt8K-y4vRLBILyKq21gYpwIngAcL8ugiLWfvy49LqzKs1qasKU7.kWM_tp-ScMUEvEuWVlurgg
2018/10/23 14:52:02 [warn] 56#0: *604 [lua] openidc.lua:1283: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 172.21.0.1, server: kong, request: "GET /bpm/trainingportfolio/?state=764db3f420c7a3351ede61aa5eb59820&session_state=4333d013-243d-4ced-94ed-6adf3faa2392&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..6_f0Ajlu-i6dPd_IqrOB1w.AymnhEaKiE7Xd0Cgg6Us1-jCCh-p53fr2U9wfuF4YT0LJ_s0kZhoNC0Kqd2rkT-PwgDyDe1ag3Xc7v6rUAMB-MitPdifKL-0wV5mJgRZjW-rHQeNtmvpRMAgm-gYFvWHllLugu9mzFFA7KdC-1ldt2Z0o9cXaNPWVN7qmZYA_WnVriM9EsIfmqUicowE801qYLoEy-7WXjyzjnt8K-y4vRLBILyKq21gYpwIngAcL8ugiLWfvy49LqzKs1qasKU7.kWM_tp-ScMUEvEuWVlurgg HTTP/1.1", host: "localhost:8000"
2018/10/23 14:52:02 [debug] 56#0: *604 [lua] openidc.lua:1297: authenticate(): Redirect URI path (/bpm/trainingportfolio/) is currently navigated -> Processing authorization response coming from OP

So it looks like the same thing is happening.

jerneyio commented 6 years ago

Thanks for your patience. After adding some debug logs I found that there were some errors I was making during the build process where this value wasn't getting passed into the module. Works great now. Thanks again!