lua-resty-session

missing session cookie - from lua resty openidc

Open dhavalkshah opened this issue 1 year ago • 8 comments

Context: I am trying to use Kong + OpenIDC (custom plugin), based on nokia/kong-oidc. The setup is using Docker Desktop.

I run luarocks install lua-resty-openidc while building the custom kong image.

Following is the code snippet from my handler.lua:

    local res, err = require("resty.openidc").authenticate(oidcConfig)
    if err then
        if oidcConfig.recovery_page_path then
            ngx.log(ngx.NOTICE, "Entering recovery page: " .. oidcConfig.recovery_page_path)
            ngx.redirect(oidcConfig.recovery_page_path)
        end
        utils.exit(500, err, ngx.HTTP_INTERNAL_SERVER_ERROR)
    end

I get the following error: attempt to call method 'start' (a nil value), client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"

I figured that it was from session:start() present in openidc. It seemed that session was not getting initialized, so I tried something similar in my local handler.lua. Following is the code from my local handler.lua (inspired by openidc):

    local session, err, ret = require("resty.session").open(nil)
    if (session ~= nil) then
        ngx.log(ngx.NOTICE,"session is not nil")
        ngx.log(ngx.DEBUG,
            "session.present=", session.present,
            ", session.data.id_token=", session.data.id_token ~= nil,
            ", session.data.authenticated=", session.data.authenticated,
            ", err=", err,
            ", ret=",ret
        )
        session:start()
    else
        ngx.log(ngx.NOTICE, "Session is nil")
    end

I observe that session is not null and err is printed as "missing session cookie". Here is the snippet of the logs:

2024-10-07 11:16:12 2024/10/07 05:46:12 [notice] 2413#0: *20313 [lua] handler.lua:73: make_oidc(): OidcHandler calling authenticate, requested path: /mock, client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"
2024-10-07 11:16:12 2024/10/07 05:46:12 [notice] 2413#0: *20313 [lua] handler.lua:76: make_oidc(): session is not nil, client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"
2024-10-07 11:16:12 2024/10/07 05:46:12 [debug] 2413#0: *20313 [lua] handler.lua:77: make_oidc(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, err=missing session cookie, ret=false
2024-10-07 11:16:12 2024/10/07 05:46:12 [error] 2413#0: *20313 [kong] init.lua:426 [fountane-oidc] ...cal/share/lua/5.1/kong/plugins/fountane-oidc/handler.lua:84: attempt to call method 'start' (a nil value), client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"

Not sure what I am missing here. Any pointers are appreciated.

Oct 07 '24 05:10 dhavalkshah
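
The logs above show a session object that is non-nil yet has no `start` method, so a nil check alone does not catch this failure. As an added example (not code from the original post or from lua-resty-openidc), the plain-Lua snippet below checks for the expected methods before they are called; `check_session_api`, `guarded` and the stub objects are hypothetical names constructed for illustration, and only the method name `start` comes from this page.

```lua
-- Added example: feature-detect the session object before handing control to
-- code that calls methods on it. Runs under plain Lua 5.1/LuaJIT; no ngx needed.

-- Methods the caller expects on the session object. Only `start` is taken from
-- the error on this page; extend the list for your own handler (assumption).
local REQUIRED_METHODS = { "start" }

-- Returns true, or false plus a message naming every missing method.
local function check_session_api(session, required)
    if type(session) ~= "table" then
        return false, "session is not a table (got " .. type(session) .. ")"
    end
    local missing = {}
    for _, name in ipairs(required or REQUIRED_METHODS) do
        -- Indexing goes through the metatable, so inherited methods are found.
        if type(session[name]) ~= "function" then
            missing[#missing + 1] = name
        end
    end
    if #missing > 0 then
        return false, "session object lacks method(s): " .. table.concat(missing, ", ")
    end
    return true
end

-- Wraps a call so a runtime error comes back as (nil, err), the shape the
-- handler's existing `if err then` branch already deals with.
local function guarded(fn, ...)
    local ok, res, err = pcall(fn, ...)
    if not ok then
        return nil, "call failed: " .. tostring(res)
    end
    return res, err
end

-- Constructed stand-ins for the two cases (not real resty.session objects).
local with_start = setmetatable({}, { __index = { start = function() return true end } })
local without_start = { data = {} }  -- non-nil, like the session in the logs

print(check_session_api(with_start))
print(check_session_api(without_start))
print(guarded(function() return without_start:start() end))
```

Running the check once when the plugin loads, rather than per request, turns a 500 on every request into a single clear startup message about the installed session library.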

I'm having the identical issue. Interested to see if you ever figured it out. It seems like the cookie cannot be read by resty.session when the request comes in. I see the client presenting the cookie but the read fails. I am using lua-resty-session within Kong 3.9 and this fork of kong-oidc.

Mar 21 '25 00:03 chrissnell

Hi @chrissnell! We also use Kong 3.9 with a fork of revomatic/kong-oidc.

Did you succeed with the installation?

Apr 15 '25 13:04 seboudry

> Hi @chrissnell! We also use Kong 3.9 with a fork of revomatic/kong-oidc.
>
> Did you succeed with the installation?

No! I still haven't figured this out. Did you get it working? Can you link me to your fork? Thanks.

Apr 15 '25 14:04 chrissnell

Might work with our fork https://github.com/QuickSign/kong-oidc.

And by setting redirect_uri with a non-existent path (previously, we used https://my-app.company.com/*).

For example:

    apiVersion: configuration.konghq.com/v1
    kind: KongClusterPlugin
    metadata:
      name: oidc-company-sso-my-app
      annotations:
        kubernetes.io/ingress.class: kong-private
    plugin: oidc
    config:
      client_id: my_app_client_id
      client_secret: my_app_clien-secret
      discovery: https://sso.company.com/my-app/.well-known/openid-configuration
      redirect_uri: https://my-app.company.com/redirect_uri

Can you test it too @chrissnell?

Apr 15 '25 14:04 seboudry

> And by setting redirect_uri with a non-existent path (previously, we used https://my-app.company.com/*).

Setting this to a non-existing path just sends the client to the main page of my application. How do I get this to redirect back to the particular path (URI) that we are trying to protect with OIDC?

Apr 16 '25 17:04 chrissnell

I faced the same issue that the OIDC cookie would be lost after upgrading lua-session 4.1.1. 4.0.5 is working fine for this.

Apr 22 '25 01:04 kou0312-png

> > And by setting redirect_uri with a non-existent path (previously, we used https://my-app.company.com/*).
>
> Setting this to a non-existing path just sends the client to the main page of my application. How do I get this to redirect back to the particular path (URI) that we are trying to protect with OIDC?

The client should be redirected to the first URI he tried to reach before being handled by the OIDC workflow.

Apr 22 '25 20:04 seboudry

@kou0312-png, the 4.1.2 is now released.

Jun 10 '25 19:06 bungle