Open netchild opened 11 months ago
You will still need a cookie which holds the session-id. You can set the Same-site value for that via configuration (see the docs of lua-resty-session). The same-site value of Keycloak shouldn't matter much (and I would have expected it to be Lax, but don't know much about Keycloak).
You should probably use your browser's developer tools to see whether the cookie is set, what it looks like and if it is sent back when you return from the OIDC provider.
Also, please note lua-resty-openidc uses lua-resty-session 3.x; be careful to read the matching docs. I don't know whether configuration has changed in the meantime.
> Also, please note lua-resty-openidc uses lua-resty-session 3.x; be careful to read the matching docs. I don't know whether configuration has changed in the meantime.
I've seen a closed issue which says it upgraded to lua-resty-session 4.0.3. Is this not in the most recent release?
> You will still need a cookie which holds the session-id. You can set the Same-site value for that via configuration (see the docs of lua-resty-session). The same-site value of Keycloak shouldn't matter much (and I would have expected it to be Lax, but don't know much about Keycloak).
So a SameSite value of Lax in the settings of the to-be-protected-site should work?
I tried with "set $session_cookie_samesite Lax;"
The first request to protected.site.tld/ does a Set-Cookie session=...;SameSite=Lax. Second request goes to keycloak with auth?client_id=... and does a set-cookie for some keycloak stuff which looks ok too. 3rd goes to keycloak with required-action?... and does a set-cookie for some keycloak stuff which looks ok too. 4th goes to perfdata.../redirect_uri?... with a session cookie but fails with the 403 from the lua config above.
In the nginx error log I see now that the connection to keycloak is refused... strange. Other connections a few seconds before just worked. And if I try to reload, I get the "openidc.lua:1484: authenticate(): request to the redirect_uri path but there's no session state found," error but the cookie contains a session-cookie.
Is there a way to get a more useful error message or some kind of debug output? So far I see only ERR_INVALID_RESPONSE in Edge (could also be the corporate proxy I'm behind ATM). I will try to check tomorrow with Firefox/Chrome and no proxy.
Hi,
I have the "no session state found" problem. Keycloak seems to set the same site policy to strict and it seems Google Chrome will enforce that at some point.
As such I want to switch the session storage to something else, maybe a SQL table, or SHM storage, or file storage.
How can I do that?
Environment
Expected behaviour
Actual behaviour
Minimized example
I tried
but this doesn't work, still no session state found.
I tried
local res, err = require("resty.openidc").authenticate(opts, nil, nil, { cookie = { storage = "shm", shm = { zone = "sessions"} } })
but this doesn't work either, no session state found.
Configuration and NGINX server log files
Config and logs for the minimized example, possibly provided as attachments.
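
For the SameSite question discussed in this thread, the following added example (not part of the original posts and not lua-resty-openidc code) is a simplified model of whether a browser sends the protected site's session cookie on the navigation back to the redirect_uri. The cookie values are constructed, and `cross_site` is an assumed input that is true when the OIDC provider and the protected site have different registrable domains.

```python
# Added example: simplified model of browser SameSite handling for the
# OIDC callback. Not lua-resty-openidc or lua-resty-session code.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def sent_on_callback(header, method="GET", cross_site=True):
    """Return (sent, reason) for the top-level navigation back to redirect_uri.

    cross_site is an assumption supplied by the caller: True when the OIDC
    provider and the protected site have different registrable domains.
    """
    attrs = parse_set_cookie(header)["attrs"]
    # Chromium-based browsers treat a missing SameSite attribute as Lax.
    samesite = attrs.get("samesite", "lax").lower()
    if samesite == "none" and "secure" not in attrs:
        return False, "SameSite=None without Secure is rejected when the cookie is set"
    if not cross_site or samesite == "none":
        return True, "no SameSite restriction applies"
    if samesite == "strict":
        return False, "Strict cookies are withheld on navigations started from another site"
    if method.upper() == "GET":
        return True, "Lax cookies are sent on cross-site top-level GET navigations"
    return False, "Lax cookies are withheld on cross-site POST callbacks"


# Constructed Set-Cookie values for the protected site's session cookie.
SAMPLES = [
    ("session=abc123; Path=/; HttpOnly; SameSite=Lax", "GET"),
    ("session=abc123; Path=/; HttpOnly; SameSite=Strict", "GET"),
    ("session=abc123; Path=/; HttpOnly; SameSite=Lax", "POST"),
    ("session=abc123; Path=/; HttpOnly; SameSite=None", "GET"),
]

if __name__ == "__main__":
    for header, method in SAMPLES:
        sent, reason = sent_on_callback(header, method)
        print(f"{method:4} {header!r}: {'sent' if sent else 'NOT sent'} ({reason})")
```

If the model says the cookie is sent and the browser's network tab shows it arriving on the redirect_uri request, a "no session state found" error points at the server-side session rather than at SameSite.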