lua-resty-openidc
Handling Missing id_token_hint During Logout
When using lua-resty-openidc with Keycloak for OpenID Connect, an issue arises during the logout process if the session has been removed from Redis by OpenResty. Specifically, Keycloak requires an id_token_hint to be passed during the logout request. If the session is no longer available and the id_token_hint is missing, Keycloak returns an error instead of redirecting to the post_logout_redirect_uri.
Environment
- lua-resty-openidc version 1.7.6-3
- OpenID Connect provider Keycloak v22.0
Expected behaviour
When the session is no longer available, the logout request to Keycloak should still proceed and redirect the user to the post_logout_redirect_uri.
Actual behaviour
Keycloak returns an error indicating that the id_token_hint is missing, and the user is not redirected to the post_logout_redirect_uri.
Minimized example
local opts = {
  redirect_uri = authParams.redirect_uri,
  logout_path = authParams.logout_path,
  post_logout_redirect_uri = authParams.post_logout_redirect_uri,
  revoke_tokens_on_logout = true,
  accept_none_alg = false,
  discovery = "https://sample.keycloak.com/keycloak/realms/example/.well-known/openid-configuration",
  client_id = "dev-env",
  client_secret = "uocPIvoy53ek",
  scope = "openid email profile",
  ssl_verify = "no", -- disables TLS verification of the provider; not for production
  keepalive = "yes",
}
-- If the client sent "Authorization: Bearer <session id>", reuse that value as the
-- lua-resty-session cookie so the Redis-backed session can be looked up.
local authorization_header = ngx.var.http_authorization
if authorization_header then
  ngx.log(ngx.INFO, "Cookie Before is ", ngx.var.cookie_session)
  local authorization = string.sub(authorization_header, 7) -- strip "Bearer "
  ngx.req.set_header("Cookie", string.format("session=%s", authorization))
end
-- authenticate() also serves logout_path: it reads the session and sends the stored
-- id_token as id_token_hint to the provider's end-session endpoint.
local res, err, target_url, session = require("openidc").authenticate(opts)
if err then
  ngx.status = 403
  ngx.say(err)
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
Configuration and NGINX server log files
Config and logs for the minimized example, possibly provided as attachments.
You don't say why OpenResty may have removed the session from Redis.
If there is no session then lua-resty-openidc has no way to provide the id_token_hint.
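One way to handle the missing-session case discussed in this thread, as an added example that is not part of the issue and not lua-resty-openidc's own code. It assumes lua-resty-session 3.x (the series lua-resty-openidc 1.7.x is built against) with the default cookie name session, that lua-resty-openidc stores the raw id_token under session.data.enc_id_token, that end_session_endpoint is copied into opts from the realm's discovery document, and that Keycloak 18 and later accept client_id plus post_logout_redirect_uri in place of id_token_hint (the user then sees a logout confirmation page rather than being redirected silently). The hostnames, paths and client_secret value are placeholders.

```lua
-- Added example (not from the issue or from lua-resty-openidc): an access_by_lua
-- handler that, on the logout path, checks whether the server-side session still
-- holds the encoded id_token before delegating to openidc.authenticate(). If the
-- session is gone, openidc cannot supply id_token_hint, so the handler builds the
-- end-session redirect itself instead of letting Keycloak return an error.
local openidc = require("openidc")
local resty_session = require("resty.session") -- assumed: lua-resty-session 3.x

local opts = {
  redirect_uri = "https://app.example.com/redirect_uri",        -- placeholder
  logout_path = "/logout",
  post_logout_redirect_uri = "https://app.example.com/",         -- placeholder
  discovery = "https://sample.keycloak.com/keycloak/realms/example/.well-known/openid-configuration",
  client_id = "dev-env",
  client_secret = "replace-with-real-secret",                    -- placeholder
  scope = "openid email profile",
  revoke_tokens_on_logout = true,
  -- assumed to be copied from the discovery document's end_session_endpoint
  end_session_endpoint = "https://sample.keycloak.com/keycloak/realms/example/protocol/openid-connect/logout",
}

-- Returns the encoded id_token held in the session, or nil when the session is
-- absent (expired, evicted from Redis, or the cookie no longer matches).
local function stored_id_token_hint()
  local session = resty_session.open()
  if session and session.present and session.data then
    return session.data.enc_id_token -- assumed key used by lua-resty-openidc
  end
  return nil
end

-- Builds the RP-initiated logout URL. With id_token_hint Keycloak redirects back
-- without prompting; without it, client_id + post_logout_redirect_uri are sent so
-- Keycloak can still validate the redirect target (and shows a confirmation page).
local function end_session_url(o, id_token_hint)
  local args = {
    post_logout_redirect_uri = o.post_logout_redirect_uri,
    client_id = o.client_id,
  }
  if id_token_hint then
    args.id_token_hint = id_token_hint
  end
  return o.end_session_endpoint .. "?" .. ngx.encode_args(args)
end

if ngx.var.uri == opts.logout_path then
  local hint = stored_id_token_hint()
  if not hint then
    ngx.log(ngx.WARN, "logout requested but no session or id_token in store; ",
            "redirecting to end_session_endpoint without id_token_hint")
    -- Clear the dangling session cookie so the browser stops presenting it.
    ngx.header["Set-Cookie"] =
      "session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure"
    return ngx.redirect(end_session_url(opts, nil), ngx.HTTP_MOVED_TEMPORARILY)
  end
  -- A session with an id_token exists: fall through and let lua-resty-openidc run
  -- its normal logout (token revocation, session destroy, redirect with id_token_hint).
end

local res, err = openidc.authenticate(opts)
if err then
  ngx.status = ngx.HTTP_FORBIDDEN
  ngx.say(err)
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

This goes in the access_by_lua_block of the protected location. If you would rather not send the user to Keycloak at all when the local session is gone, replace the redirect target with opts.post_logout_redirect_uri; the trade-off is that the user's Keycloak SSO session then stays alive and the next visit logs them straight back in.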