lua-resty-openidc
Ability to configure an "external" redirect_uri, as well as a "local" path to recognize as an authorization callback
As mentioned in this comment:
https://github.com/zmartzone/lua-resty-openidc/issues/450#issuecomment-1258701480
Our application is using an nginx sidecar with lua-resty-openidc, and our application is behind an inbound reverse proxy that uses URLs with a prefix like "app-name" as in "https://app-name/some/path" to route. But our application is not aware of "app-name" and only looks for paths like /some/path. We thought that we could use:
opts.redirect_uri => Configure the full redirection URI to give to the auth server (https://host/app-name/callback)
opts.redirect_uri_path => Configure the path to recognize as an inbound authorization callback (/callback)
It seems that if we put the "opts.redirect_uri_path" in FRONT of the "and" statement that this would work:
https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1437
However the code also indicates that "redirect_uri_path" is deprecated. It would be nice if it could be used as suggested above, where the external URL that the authorization server needs to redirect to is different from the path used to recognize it as an authorization callback.
Not sure when I will get to this, but I think I'd prefer a new separate configuration parameter to make its purpose more clear. Need to think about it again, though.
Thanks. Any two properties will work, as long as one means "this is the URL that you need to provide as the redirect_url to the authorization server" and the other means "this is the path that is used to recognize it as a redirection callback". For now, we are using the full path (redirect_uri), and rather than having our front-end router strip the path, they proxy with the full path, and we strip it out in our sidecar, just after the OpenResty Lua block but before going to the application. But long term, it is better to have our front-end router strip it; then all applications can use the same sidecar (that does not need to strip an app-specific path).
Sorry, it took longer than I had hoped. A new opts.local_redirect_uri_path has been added to the master branch just now.
Thank you! Just saw this now, which is good timing as we are updating our sidecar. Will give this a try.
This is part of the 1.7.6 release.
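The split between the external redirect_uri and the local callback path discussed above, as an added example that is not part of the original thread and is not lua-resty-openidc's own code. The helper names (uri_path, callback_path, is_callback), the exact-match rule, and the fallback to the path of redirect_uri are assumptions made for illustration; the sample requests are constructed.

```lua
-- Added illustration, NOT the library's implementation.
-- Models how a sidecar can recognize the authorization callback when the
-- redirect_uri registered with the authorization server carries a prefix
-- that the front-end router strips before the request reaches the sidecar.

-- Path component of an absolute URI: "https://host/a/b?x=1" -> "/a/b"
local function uri_path(uri)
  local path = uri:match("^https?://[^/?#]+([^?#]*)")
  if path == nil or path == "" then
    return "/"
  end
  return path
end

-- Hypothetical helper: the path the incoming request is compared against.
-- Assumption: the local path wins when set, else the path of redirect_uri.
local function callback_path(opts)
  if opts.local_redirect_uri_path then
    return opts.local_redirect_uri_path
  end
  return uri_path(opts.redirect_uri)
end

-- Hypothetical helper: exact match on the path, query string ignored.
-- A prefix match would also treat "/callback/extra" as the callback.
local function is_callback(opts, request_uri)
  local path = request_uri:match("^([^?#]*)")
  return path == callback_path(opts)
end

local opts = {
  redirect_uri = "https://host/app-name/callback", -- given to the authorization server
  local_redirect_uri_path = "/callback",           -- seen by the sidecar after "/app-name" is stripped
}

-- Constructed request URIs as the sidecar would see them
local samples = {
  "/callback?code=abc&state=xyz",          -- router stripped the prefix
  "/app-name/callback?code=abc&state=xyz", -- router did not strip the prefix
  "/callback/extra",
  "/some/path",
}

for _, with_local in ipairs({ true, false }) do
  local o = { redirect_uri = opts.redirect_uri }
  if with_local then o.local_redirect_uri_path = opts.local_redirect_uri_path end
  for _, uri in ipairs(samples) do
    print(with_local and "local path set  " or "local path unset", uri, is_callback(o, uri))
  end
end
```

Running it with a plain `lua` interpreter shows which of the four requests each configuration treats as the callback, which makes a mismatch between the router's stripping behaviour and the sidecar's configuration easy to spot.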
Dear Mr. @bodewig: I am stuck with the problem: [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found,
And this is my Lua:
access_by_lua '
  local opts = {
    redirect_uri_path = "/redirect_uri",
    accept_none_alg = true,
    discovery = "http://10.0.1.147:8080/auth/realms/master/.well-known/openid-configuration",
    client_id = "nginx",
    client_secret = "3df1bcaa-891f-4474-8c4c-6ab5944fa9ab",
    redirect_uri_scheme = "http",
    ssl_verify = "no",
    logout_path = "/logout",
    redirect_after_logout_uri = "http://10.0.1.147:8080/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://10.0.1.146",
    redirect_after_logout_with_id_token_hint = true,
    session_contents = {id_token=true}
  }
  -- call introspect for OAuth 2.0 Bearer Access Token validation
  local res, err = require("resty.openidc").authenticate(opts)
  if err then
    ngx.status = 403
    ngx.say(err)
    ngx.exit(ngx.HTTP_FORBIDDEN)
  end
';
Could you help me solve this? Thank you very much.