zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0

Handling Missing id_token_hint During Logout #519

Open amit004 opened 4 months ago

amit004 commented 4 months ago

When using lua-resty-openidc with Keycloak for OpenID Connect, an issue arises during the logout process if the session has been removed from Redis by OpenResty. Specifically, Keycloak requires an id_token_hint to be passed during the logout request. If the session is no longer available and the id_token_hint is missing, Keycloak returns an error instead of redirecting to the post_logout_redirect_uri.

Environment
Expected behaviour

When the session is no longer available, the logout request to Keycloak should still proceed and redirect the user to the post_logout_redirect_uri.

Actual behaviour

Keycloak returns an error indicating that the id_token_hint is missing, and the user is not redirected to the post_logout_redirect_uri.

Minimized example

```lua
-- authParams is defined elsewhere in the reporter's setup (not shown).
local opts = {
  redirect_uri = authParams.redirect_uri,
  logout_path = authParams.logout_path,
  post_logout_redirect_uri = authParams.post_logout_redirect_uri,
  revoke_tokens_on_logout = true,
  accept_none_alg = false,
  discovery = "https://sample.keycloak.com/keycloak/realms/example/.well-known/openid-configuration",
  client_id = "dev-env",
  client_secret = "uocPIvoy53ek",
  scope = "openid email profile",
  ssl_verify = "no",   -- disables TLS certificate verification towards Keycloak
  keepalive = "yes",
}

-- Map a "Bearer <session-id>" Authorization header onto the session cookie so
-- that API clients without cookies reuse the same server-side (Redis) session.
local authorization_header = ngx.var.http_authorization
if authorization_header then
  ngx.log(ngx.INFO, "Cookie Before is ", ngx.var.cookie_session)
  local authorization = string.sub(authorization_header, 7)  -- strip "Bearer "
  local cookie_header = string.format("session=%s", authorization)
  ngx.req.set_header("Cookie", cookie_header)
end

-- authenticate() returns res, err, target_url, session
local res, err, target_url, session = require("openidc").authenticate(opts)
if err then
  ngx.status = 403
  ngx.say(err)
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
```
Configuration and NGINX server log files

Config and logs for the minimized example, possibly provided as attachments.

bodewig commented 2 months ago

You don't say why OpenResty may have removed the session from Redis.

If there is no session then lua-resty-openidc has no way to provide the id_token_hint.
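Added example, not lua-resty-openidc code and not from either commenter: a logout URL builder for the situation described in the issue. It sends id_token_hint when the encoded ID token is still in the session and otherwise falls back to client_id next to post_logout_redirect_uri, which OpenID Connect RP-Initiated Logout 1.0 permits and which, under the assumption made here, Keycloak accepts when the redirect URI is registered on the client. The function names, the end_session_endpoint value and the way the encoded ID token is recovered from the session store are assumptions; in a real deployment take the endpoint from the discovery document.

```lua
-- Added example: not lua-resty-openidc code. Assumes Keycloak accepts
-- client_id in place of id_token_hint when post_logout_redirect_uri is
-- registered on the client (OIDC RP-Initiated Logout 1.0 fallback).

-- Percent-encode everything outside the RFC 3986 unreserved set.
local function urlencode(s)
  return (tostring(s):gsub("[^%w%-_%.~]", function(c)
    return string.format("%%%02X", string.byte(c))
  end))
end

-- Build the end_session request. Prefers id_token_hint; falls back to
-- client_id when the encoded ID token is no longer available.
local function build_logout_url(end_session_endpoint, post_logout_redirect_uri,
                                enc_id_token, client_id)
  local params = {
    "post_logout_redirect_uri=" .. urlencode(post_logout_redirect_uri),
  }
  if enc_id_token and enc_id_token ~= "" then
    params[#params + 1] = "id_token_hint=" .. urlencode(enc_id_token)
  elseif client_id and client_id ~= "" then
    params[#params + 1] = "client_id=" .. urlencode(client_id)
  else
    return nil, "neither id_token_hint nor client_id available"
  end
  return end_session_endpoint .. "?" .. table.concat(params, "&")
end

-- Hypothetical OpenResty logout location body. enc_id_token is whatever the
-- caller recovered from the session store, or nil if Redis evicted the session.
local function handle_logout(opts, enc_id_token)
  -- Hypothetical value; read end_session_endpoint from the discovery document.
  local end_session_endpoint =
    "https://sample.keycloak.com/keycloak/realms/example/protocol/openid-connect/logout"
  local url, err = build_logout_url(end_session_endpoint,
    opts.post_logout_redirect_uri, enc_id_token, opts.client_id)
  if not url then
    ngx.log(ngx.ERR, "logout: ", err)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end
  -- Drop the RP session cookie regardless of what the OP does next.
  ngx.header["Set-Cookie"] = "session=; Path=/; Max-Age=0; HttpOnly; Secure"
  return ngx.redirect(url)
end

-- Stand-alone check in plain Lua (no ngx): session present vs. evicted.
-- Constructed sample values, not taken from the issue's environment.
local opts = {
  client_id = "dev-env",
  post_logout_redirect_uri = "https://app.example.com/loggedout",
}
local ep = "https://sample.keycloak.com/keycloak/realms/example/protocol/openid-connect/logout"
print(build_logout_url(ep, opts.post_logout_redirect_uri, "eyJhbGciOi.sample.token", opts.client_id))
print(build_logout_url(ep, opts.post_logout_redirect_uri, nil, opts.client_id))
```

Two caveats for anyone wiring this up. Without id_token_hint Keycloak cannot tell which user session the request belongs to, so it may show its logout confirmation page before honouring post_logout_redirect_uri rather than redirecting silently; and with the session gone there are no tokens left to revoke, so revoke_tokens_on_logout has nothing to act on in that branch. Clearing the RP's own cookie should therefore not depend on the OP round trip succeeding.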