lua-resty-openidc

redirect loop after upgrade to 1.8.0

Open bsiara opened this issue 7 months ago • 1 comments

Hi, after upgrading to version 1.8.0 (latest from git) I get a 302 redirection loop and problems loading the site and static files. My configuration:

  lua_code_cache on;
  set $session_secret secret;
  access_by_lua_block {
    local opts = {
      --redirect_uri = "https://mydomain.coml",
      redirect_uri_path = "/callback",
      --accept_none_alg = true,
      discovery = "https://myiam.com/auth/realms/realm11/.well-known/openid-configuration",
      scope = "openid email profile",
      refresh_session_interval = 1800,
      access_token_expires_in = 86400,
      client_id = "client_id",
      client_secret = "client_secret",
      ssl_verify = "no",
      redirect_uri_scheme = "https",
      --logout_path = "/logout",
      --redirect_after_logout_uri = "https://myiam.com/auth/realms/realm11/protocol/openid-connect/logout",
      --redirect_after_logout_with_id_token_hint = false,
      session_contents = {id_token=true}
    }
    local res, err = require("resty.openidc").authenticate(opts)

    -- Authentication error or session expired - then lets start again
    if err or not res then
      -- errMsg = err and err or "Problem with auth. Try again"
      -- ngx.log(ngx.ERR, "Authentication error or session expired. Error: " .. errMsg)
      -- ngx.status = 403
      -- ngx.say(errMsg)
      -- ngx.exit(ngx.HTTP_FORBIDDEN)
      return ngx.redirect("/")
    end


    -- https://github.com/zmartzone/lua-resty-openidc/issues/222
    local function has_value (tab, val)
      for index, value in ipairs(tab) do
        if value == val then
          return true
        end
      end
      return false
    end

    local cjson = require "cjson"
    --ngx.log(ngx.ERR, cjson.encode(res))

    if has_value(res.id_token.groups, "/group11") then
      ngx.log(ngx.NOTICE, "Yep, you are fine and have valid group " .. cjson.encode(res.id_token.preferred_username))
    else
      ngx.log(ngx.ERR, "Nope, you do not have valid group " .. cjson.encode(res.id_token.preferred_username))
      ngx.status = 403
      ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    if err then
      ngx.status = 500
      ngx.say(err)
      ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
  }

My OpenResty version is 1.27.1.2. The required package versions are:

ledgetech/lua-resty-http 0.17.1
lua-resty-hmac-0.06
cdbattags/lua-resty-jwt 0.2.0
hamishforbes/lua-ffi-zlib 0.6.0
fffonion/lua-resty-openssl 1.5.2
bungle/lua-resty-session 4.1.1

When the browser tries to download static files, it sometimes gets a 200 code and sometimes a 302 to reauth on my IAM.


In version 1.7.6 everything works well.

bsiara, Apr 18 '25 08:04

The configuration has also changed due to the update to lua-resty-session-4.x in lua-resty-openidc-1.8.0, so I recommend checking the sample configuration, especially the part mentioning session_opts, particularly the secret value 😊.

oldium, Apr 23 '25 15:04
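An added example, not part of the original thread or the project's own code: one way the body of the access_by_lua_block above could hand the session secret to lua-resty-session 4.x through session_opts (the fourth argument to authenticate) instead of `set $session_secret`, and log a failed authentication instead of redirecting to `/` again. The `SESSION_SECRET` environment variable, the 32-character minimum and the cookie settings are assumptions of this example.

```lua
-- Added example; placeholder values are taken from the issue or constructed.
-- Assumes "env SESSION_SECRET;" in the main context of nginx.conf, so every
-- worker reads the same secret and it stays stable across reloads.
local opts = {
  redirect_uri_path = "/callback",
  discovery = "https://myiam.com/auth/realms/realm11/.well-known/openid-configuration",
  scope = "openid email profile",
  client_id = "client_id",
  client_secret = "client_secret",
  redirect_uri_scheme = "https",
  session_contents = { id_token = true },
}

-- Session settings are passed as a Lua table rather than nginx variables.
local secret = os.getenv("SESSION_SECRET")
if not secret or #secret < 32 then  -- minimum length chosen for this example
  ngx.log(ngx.ERR, "SESSION_SECRET is missing or too short")
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
local session_opts = {
  secret = secret,
  cookie_secure = true,        -- send the session cookie over HTTPS only
  cookie_same_site = "Lax",
}

local res, err = require("resty.openidc").authenticate(opts, nil, nil, session_opts)
if err or not res then
  -- Fail closed and log the cause; redirecting to "/" here would re-enter
  -- this block and hide the real error behind a 302 loop.
  ngx.log(ngx.ERR, "OIDC authentication failed: ", err or "no result")
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Group check that tolerates a missing "groups" claim in the ID token.
local groups = res.id_token and res.id_token.groups
local allowed = false
if type(groups) == "table" then
  for _, group in ipairs(groups) do
    if group == "/group11" then
      allowed = true
      break
    end
  end
end
if not allowed then
  ngx.log(ngx.ERR, "user is not a member of the required group")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```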