Issues with lua-resty-openidc (and openresty.session)

ivan · 2017-02-09T22:31:24+00:00

Hello, How can I load up to 36 bytes (randomly generated) as a Big Integer and set/clear bits without losing precision or overflows? &#x...

Issues with lua-resty-openidc (and openresty.session)

ivan

Hi all,

I was trying to build a simple example of an nginx server secured by an OIDC Provider, using lua-resty-openidc.

The initial redirection to the Authorization Server works fine, the user gets authenticated and all the tokens are retrieved (using the Authorization Code Flow https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps).

After obtaining the tokens that identity is stored in a session using openresty.session (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L577-L584), then this session keys are verified when revisiting the same location `/admin` in my case (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L568-L571), but the recently stored session data is null resulting on an infinite loop.

I've added some logging and my session is empty (https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf#L51-L53)

The full log of the whole infinite redirection can be found: https://gist.github.com/iperdomo/3a0a6401000b07cddf9737e4ec8aadd0

And my nginx.conf can be found at: https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf

Any ideas why the openresty.session save is not working for me?

Thanks,

ivan

It seems that the issue is that the cookie is too big and browser won't store it - https://github.com/pingidentity/lua-resty-openidc/issues/33

On Thursday, February 9, 2017 at 3:31:25 PM UTC+1, iv...@akvo.org wrote:

Hi all,

I was trying to build a simple example of an nginx server secured by an OIDC Provider, using lua-resty-openidc.

The initial redirection to the Authorization Server works fine, the user gets authenticated and all the tokens are retrieved (using the Authorization Code Flow https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps).
After obtaining the tokens that identity is stored in a session using openresty.session (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L577-L584), then this session keys are verified when revisiting the same location `/admin` in my case (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L568-L571), but the recently stored session data is null resulting on an infinite loop.

I've added some logging and my session is empty (https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf#L51-L53)

The full log of the whole infinite redirection can be found: https://gist.github.com/iperdomo/3a0a6401000b07cddf9737e4ec8aadd0

And my nginx.conf can be found at: https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf

Any ideas why the openresty.session save is not working for me?

Thanks,

aapo.talvensaari

On Thursday, 9 February 2017 20:41:28 UTC+2, iv...@akvo.org wrote:

It seems that the issue is that the cookie is too big and browser won't store it - https://github.com/pingidentity/lua-resty-openidc/issues/33

I have added chunked cookie support to lua-resty-session that this library uses.

I will release a new 2.15 version of lua-resty-session today that contains support for

chunked cookies that you need if you are having large cookies.

tarachandverma

You can use simpler and more feature rich openidc module which is easlier to configure and supports publicKey ( RS256) JWT validation.
https://github.com/tarachandverma/nginx-openidc

On Thursday, February 9, 2017 at 9:31:25 AM UTC-5, iv...@akvo.org wrote:

Hi all,

I was trying to build a simple example of an nginx server secured by an OIDC Provider, using lua-resty-openidc.

The initial redirection to the Authorization Server works fine, the user gets authenticated and all the tokens are retrieved (using the Authorization Code Flow https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps).
After obtaining the tokens that identity is stored in a session using openresty.session (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L577-L584), then this session keys are verified when revisiting the same location `/admin` in my case (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L568-L571), but the recently stored session data is null resulting on an infinite loop.

I've added some logging and my session is empty (https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf#L51-L53)

The full log of the whole infinite redirection can be found: https://gist.github.com/iperdomo/3a0a6401000b07cddf9737e4ec8aadd0

And my nginx.conf can be found at: https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf

Any ideas why the openresty.session save is not working for me?

Thanks,

tking0036

I've been working on the same thing, I didn't like any of the oidc libraries out there so I just started calling directly into cjose with luajit ffi and got the token with lua-resty-http

On Thursday, February 9, 2017 at 9:31:25 AM UTC-5, iv...@akvo.org wrote:

Hi all,

I was trying to build a simple example of an nginx server secured by an OIDC Provider, using lua-resty-openidc.

The initial redirection to the Authorization Server works fine, the user gets authenticated and all the tokens are retrieved (using the Authorization Code Flow https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps).
After obtaining the tokens that identity is stored in a session using openresty.session (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L577-L584), then this session keys are verified when revisiting the same location `/admin` in my case (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L568-L571), but the recently stored session data is null resulting on an infinite loop.

I've added some logging and my session is empty (https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf#L51-L53)

The full log of the whole infinite redirection can be found: https://gist.github.com/iperdomo/3a0a6401000b07cddf9737e4ec8aadd0

And my nginx.conf can be found at: https://github.com/akvo/learning-sessions/blob/master/nginx-secured/nginx.conf

Any ideas why the openresty.session save is not working for me?

Thanks,