Authorization response never processed (redirect loop)

[jgoux]

EDIT II:

After trying to set the redirect_uri as http://authentification.dev.local/ (note the final "/"), I realize that the hostname part is not parsed. When I access http://private.dev.local/ it assumes that I'm on the redirect URI path :

172.23.0.1 - - [26/Dec/2018:11:31:57 +0000] "GET / HTTP/1.1" 500 79 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
2018/12/26 11:31:59 [debug] 7#7: *20 [lua] openidc.lua:1297: authenticate(): Redirect URI path (/) is currently navigated -> Processing authorization response coming from OP
2018/12/26 11:31:59 [error] 7#7: *20 [lua] openidc.lua:1301: authenticate(): request to the redirect_uri path but there's no session state found, client: 172.23.0.1, server: private.dev.local, request: "GET / HTTP/1.1", host: "private.dev.local"
172.23.0.1 - - [26/Dec/2018:11:31:59 +0000] "GET / HTTP/1.1" 500 79 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"

I think it should be something like Redirect URI path (http://authentification.dev.local/) is currently navigated?

Looking at the code, this part extracts the path only :

lua-resty-openidc/lib/resty/openidc.lua

Line 1317 in d7bd9a2

return opts.redirect_uri and openidc_get_path(opts.redirect_uri) or opts.redirect_uri_path

so the hostname is ignored.

EDIT :

It seems like I have to define an explicit path for the callback, defining it as redirect_uri = "http://authentification.dev.local/callback" made it pass the test!

---

Hello,

Following #240 I'm trying to implement my auth solution but I'm hitting a wall. My goal is to set up authentication for a whole sub-domain (.dev.local in this case), without the need of declaring a redirect_uri for each private app.

My issue is that the authorization response is not detected by lua-resty-openidc, this condition seems never true in my case :

lua-resty-openidc/lib/resty/openidc.lua

Line 1337 in d7bd9a2

if path == openidc_get_redirect_uri_path(opts) then

The result is that I'm in a redirect loop on this url : http://authentification.dev.local/?state=a763259a95b6331f66e1f4dbc1b04909&session_state=0c62c696-4df2-4eb7-8ee2-8d13c399522c&code=fea27c51-a300-4bff-b9f6-a9048e442e29.0c62c696-4df2-4eb7-8ee2-8d13c399522c.2ae2c95f-45f1-4644-9d9d-12fb48db09ae

I followed @bodewig recommendations from #240 (comment) and produced this configuration :

-- auth.lua
local function authenticate()
  local opts = {
    discovery = "http://keycloak.dev.local/auth/realms/eurofins/.well-known/openid-configuration",
    client_id = "proxy",
    client_secret = "22ab81a3-cd26-41a8-9163-139d3189ab7a",
    redirect_uri = "http://authentification.dev.local",
    accept_unsupported_alg = false,
    token_signing_alg_values_expected = { "RS256" },
    revoke_tokens_on_logout = true
  }
  local target_url = ngx.var.scheme.."://"..ngx.var.host..ngx.var.request_uri
  local unauth_action = nil
  local session_opts = { cookie = { domain = ".dev.local" } }

  local res, err = require("resty.openidc").authenticate(opts, target_url, unauth_action, session_opts)

  if err then
    ngx.status = 500
    ngx.say(err)
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end

  ngx.header['X-USER'] = ngx.encode_base64(require("cjson").encode(res.user))
end

return authenticate

server {
  listen 80;
  server_name keycloak.dev.local;
  location / {
    proxy_set_header Host $host;
    proxy_pass http://keycloak:8080;
  }
}

# Authentication callback
server {
  listen 80;
  server_name authentification.dev.local;
  location / {
    access_by_lua_block {
      require("auth")()
    }
  }
}

# Public
server {
  listen 80;
  server_name public.dev.local;
  location / {
    add_header Content-Type text/plain;
    return 200 "Welcome, it\'s public here!";
  }
}

# Private
server {
  listen 80;
  server_name private.dev.local;
  location / {
    access_by_lua_block {
      require("auth")()
      ngx.header['Content-Type'] = 'text/plain'
      ngx.say("It\'s a private party!")
    }
  }
}

Environment

• lua-resty-openidc : 1.7.0
• OpenID Connect provider : Keycloak

Logs

The logs are a repeating sequence of this :

127.0.0.1 - - [26/Dec/2018:10:37:41 +0000] "GET /auth/realms/eurofins/.well-known/openid-configuration HTTP/1.1" 200 2345 "-" "lua-resty-http/0.12 (Lua) ngx_lua/10013"
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:526: openidc_discover(): response data: {"issuer":"http://keycloak.dev.local/auth/realms/eurofins","authorization_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/auth","token_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/token","token_introspection_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/userinfo","end_session_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/logout","jwks_uri":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/certs","check_session_iframe":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512"],"userinfo_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512","none"],"request_object_signing_alg_values_supported":["ES384","RS384","ES256","RS256","ES512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","web-origins","roles","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/token/introspect"}
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:585: openidc_get_token_auth_method(): 1 => private_key_jwt
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:585: openidc_get_token_auth_method(): 2 => client_secret_basic
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:588: openidc_get_token_auth_method(): no configuration setting for option so select the first supported method specified by the OP: client_secret_basic
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:602: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_basic
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:1365: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
172.23.0.1 - - [26/Dec/2018:10:37:41 +0000] "GET /?state=c6e55874a7e392ace7d5316ae0399c51&session_state=0c62c696-4df2-4eb7-8ee2-8d13c399522c&code=fe132608-6f99-493c-9693-31878e579756.0c62c696-4df2-4eb7-8ee2-8d13c399522c.2ae2c95f-45f1-4644-9d9d-12fb48db09ae HTTP/1.1" 302 167 "http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=ae882f8c2df85a8ae0f28e7414c1f53b&redirect_uri=http%3A%2F%2Fauthentification.dev.local&nonce=f2f4eeb68bad2b8e2517ddced7cfc37e&scope=openid%20email%20profile" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.23.0.1 - - [26/Dec/2018:10:37:41 +0000] "GET /auth/realms/eurofins/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=cdc862e955a93c0b8a47da503cc08e1b&redirect_uri=http%3A%2F%2Fauthentification.dev.local&nonce=142231528af003954e31456e9bc344e2&scope=openid%20email%20profile HTTP/1.1" 302 0 "http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=ae882f8c2df85a8ae0f28e7414c1f53b&redirect_uri=http%3A%2F%2Fauthentification.dev.local&nonce=f2f4eeb68bad2b8e2517ddced7cfc37e&scope=openid%20email%20profile" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:1337: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:508: openidc_discover(): openidc_discover: URL is: http://keycloak.dev.local/auth/realms/eurofins/.well-known/openid-configuration
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:514: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:385: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] http.lua:633: send_request(): 
GET /auth/realms/eurofins/.well-known/openid-configuration HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Host: keycloak.dev.local


127.0.0.1 - - [26/Dec/2018:10:37:41 +0000] "GET /auth/realms/eurofins/.well-known/openid-configuration HTTP/1.1" 200 2345 "-" "lua-resty-http/0.12 (Lua) ngx_lua/10013"
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:526: openidc_discover(): response data: {"issuer":"http://keycloak.dev.local/auth/realms/eurofins","authorization_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/auth","token_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/token","token_introspection_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/userinfo","end_session_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/logout","jwks_uri":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/certs","check_session_iframe":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512"],"userinfo_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512","none"],"request_object_signing_alg_values_supported":["ES384","RS384","ES256","RS256","ES512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","web-origins","roles","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/token/introspect"}
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:585: openidc_get_token_auth_method(): 1 => private_key_jwt
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:585: openidc_get_token_auth_method(): 2 => client_secret_basic
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:588: openidc_get_token_auth_method(): no configuration setting for option so select the first supported method specified by the OP: client_secret_basic
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:602: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_basic
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:1365: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
172.23.0.1 - - [26/Dec/2018:10:37:41 +0000] "GET /?state=cdc862e955a93c0b8a47da503cc08e1b&session_state=0c62c696-4df2-4eb7-8ee2-8d13c399522c&code=adea9c18-103c-46c0-8518-854a67975f65.0c62c696-4df2-4eb7-8ee2-8d13c399522c.2ae2c95f-45f1-4644-9d9d-12fb48db09ae HTTP/1.1" 302 167 "http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=ae882f8c2df85a8ae0f28e7414c1f53b&redirect_uri=http%3A%2F%2Fauthentification.dev.local&nonce=f2f4eeb68bad2b8e2517ddced7cfc37e&scope=openid%20email%20profile" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.23.0.1 - - [26/Dec/2018:10:37:41 +0000] "GET /auth/realms/eurofins/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=18c9b6cbd358ab3013952bf36773fd3c&redirect_uri=http%3A%2F%2Fauthentification.dev.local&nonce=c107bbdbcbfe4cd020257ed2131f363e&scope=openid%20email%20profile HTTP/1.1" 302 0 "http://keycloak.dev.local/auth/realms/eurofins/protocol/openid-connect/auth?response_type=code&client_id=proxy&state=ae882f8c2df85a8ae0f28e7414c1f53b&redirect_uri=http%3A%2F%2Fauthentification.dev.local&nonce=f2f4eeb68bad2b8e2517ddced7cfc37e&scope=openid%20email%20profile" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:1337: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:508: openidc_discover(): openidc_discover: URL is: http://keycloak.dev.local/auth/realms/eurofins/.well-known/openid-configuration
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:514: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] openidc.lua:385: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2018/12/26 10:37:41 [debug] 6#6: *39 [lua] http.lua:633: send_request(): 
GET /auth/realms/eurofins/.well-known/openid-configuration HTTP/1.1
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10013
Host: keycloak.dev.local

[bodewig]

After the edits I'm not quite sure what is and what is not working right now :-)

The Redirect URI path (" .. path .. ") is currently navigated explicitly uses a path after the hostname part has been stripped. In your setup you probably should avoid using a redirect_uri with a path that is a legitimate path for your application (as / likely would be), so using /callback sound like a good idea.

openidc_get_path and thus openidc_get_redirect_uri_path strip the hostname even if it doesn't match the current hostname as visible to nginx. This happens for setups where nginx doesn't know enough about the public facing URI space to properly reconstruct the URI used by the client from information available to the server. This may happen if there is another reverse proxy sitting in front of the nginx running your authentication proxy code which rewrites URIs by a more complex logic.

[jgoux]

Thank you @bodewig , so I need to "reserve" the same /callback route for all my protected services in order to be able to use http://authentication.dev.local/callback as the single valid redirect_uri from keycloak point of view.

Consider this issue solved! 👍