Issues with lua-resty-openidc (and openresty.session)


iv...@akvo.org

Feb 9, 2017, 9:31:25 AM
to openresty-en
Hi all,

I was trying to build a simple example of an nginx server secured by an OIDC Provider, using lua-resty-openidc.

The initial redirection to the Authorization Server works fine, the user gets authenticated and all the tokens are retrieved (using the Authorization Code Flow https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps).
After obtaining the tokens, that identity is stored in a session using openresty.session (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L577-L584), then these session keys are verified when revisiting the same location, `/admin` in my case (https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L568-L571), but the recently stored session data is null, resulting in an infinite loop.


The full log of the whole infinite redirection can be found at: https://gist.github.com/iperdomo/3a0a6401000b07cddf9737e4ec8aadd0


Any ideas why the openresty.session save is not working for me?

Thanks,

iv...@akvo.org

Feb 9, 2017, 1:41:28 PM
to openresty-en
It seems that the issue is that the cookie is too big and the browser won't store it - https://github.com/pingidentity/lua-resty-openidc/issues/33

Aapo Talvensaari

Feb 13, 2017, 8:44:59 AM
to openresty-en
On Thursday, 9 February 2017 20:41:28 UTC+2, iv...@akvo.org wrote:
It seems that the issue is that the cookie is too big and browser won't store it - https://github.com/pingidentity/lua-resty-openidc/issues/33

I have added chunked cookie support to lua-resty-session that this library uses.

I will release a new 2.15 version of lua-resty-session today that contains support for
chunked cookies that you need if you are having large cookies. 
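
The failure discussed in this thread, as an added example that is not part of the original posts and is not lua-resty-session's own code: a session cookie over the 4096-byte per-cookie size browsers commonly enforce is dropped, so it has to be split and reassembled. The `_N` chunk names, the `N|` count prefix and the sample value are assumptions made for this sketch.

```lua
-- Added illustration in plain Lua; naming scheme and count prefix are hypothetical.
local MAX_COOKIE_BYTES = 4096  -- name + "=" + value + attributes, per cookie

-- Split one oversized cookie into Set-Cookie strings that each fit the limit.
local function chunk_cookie(name, value, attrs, limit)
  limit = limit or MAX_COOKIE_BYTES
  -- Reserve room for "name_NN=", the attributes and the "NN|" count prefix.
  local room = limit - (#name + 3) - 1 - #attrs - 3
  assert(room > 0, "attributes alone exceed the cookie limit")
  local n = math.max(1, math.ceil(#value / room))
  assert(n <= 99, "session too large even when chunked")
  local out = {}
  for i = 1, n do
    local part = value:sub((i - 1) * room + 1, i * room)
    local cname = (i == 1) and name or (name .. "_" .. i)
    if i == 1 then part = n .. "|" .. part end  -- first chunk carries the count
    out[i] = cname .. "=" .. part .. attrs
  end
  return out
end

-- Reassemble from a table of received cookies; nil means "no usable session".
local function join_cookie(name, jar)
  local count, head = (jar[name] or ""):match("^(%d+)|(.*)$")
  if not count then return nil end
  local parts = { head }
  for i = 2, tonumber(count) do
    local part = jar[name .. "_" .. i]
    if not part then return nil end  -- fail closed: never use a partial session
    parts[i] = part
  end
  return table.concat(parts)
end

-- Constructed sample: a 9000-byte stand-in for a session holding three tokens.
local value = string.rep("A", 9000)
local attrs = "; Path=/; HttpOnly; Secure"
print("unchunked bytes:", #("session=" .. value .. attrs))  -- over the limit
local jar = {}
for _, c in ipairs(chunk_cookie("session", value, attrs)) do
  assert(#c <= MAX_COOKIE_BYTES)
  local k, v = c:match("^([^=]+)=([^;]*)")
  jar[k] = v
end
assert(join_cookie("session", jar) == value)  -- round trip succeeds
jar["session_2"] = nil                        -- simulate a dropped chunk
assert(join_cookie("session", jar) == nil)    -- treated as no session
```

Returning nil on a missing chunk makes the relying party restart authentication instead of acting on truncated session data.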

Tara Chand Verma

Jul 15, 2017, 11:37:17 AM
to openresty-en
You can use a simpler and more feature-rich openidc module which is easier to configure and supports publicKey (RS256) JWT validation.
https://github.com/tarachandverma/nginx-openidc

Taylor King

Jul 18, 2017, 3:27:54 PM
to openresty-en
I've been working on the same thing, I didn't like any of the oidc libraries out there so I just started calling directly into cjose with luajit ffi and got the token with lua-resty-http

