Nginx OpenIDC with Keycloak 2.5 - Redirect Loop #32
Comments
Looks like you need to configure a registered client secret that is not commented out.
I have the client secret, commented out for testing. Here is my most recent config: access_by_lua '
Thanks for the prompt response.
Can you look into the error log and paste it?
Here is the error log. 2017/01/19 15:27:08 [error] 32603#32603: *5 [lua] openidc.lua:294: authenticate(): state from argument: 0268b134ffd9713b0e7cbe5afe92712c does not match state restored from session: 2e02415f1c05c2e4866e146bb825f267, client: 134.132.52.220, server: ec2-54-209-213-133.compute-1.amazonaws.com, request: "GET /mesos/?state=0268b134ffd9713b0e7cbe5afe92712c&code=mc4ccfDtwnXFVtTqLLMzf0NLYk6M2C9eFJKIQVDEnL0.fbcfdf63-769f-431a-9afe-7d83b8d37ce8 HTTP/1.1", host: "ec2-54-209-213-133.compute-1.amazonaws.com:81"
Could it be that multiple parallel requests are going out at the same time?
It goes into an infinite loop and fails. What is Redirect_URI? What value do we need to use? Any possibility to join a WebEx call to help on the Lua module?
I'm trying to proxy all the DCOS admin URLs via Nginx, but allow only authenticated users to access the DCOS admin URLs.
The redirect URI is OK and correctly registered with the Provider, or else you would not get to this error message; I believe multiple parallel requests may be the issue here; can you provide the full log?
Hello, here is the complete log with debug mode.
From the log I see the openidc module extracted the user id from the token; not sure why it's redirecting back to Keycloak again and again. 2017/01/19 17:07:02 [debug] 1212#1212: *4 [lua] openidc.lua:274: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"a1d3a221-2552-4e37-8e7e-5b44e8e376b6","name":"","preferred_username":"admin"}
I believe the error may be in your config: the redirect URI is a special case that is handled by There's room for documentation improvement indeed ;-)
Can I leave the Redirect_URI blank? Basically, if I access e.g. http://awsamazon.com/secured, after authentication redirect back to http://awsamazon.com/secured instead of http://awsamazon.com/redirect_uri. Second question: I would like to protect everything at the root, e.g. http://awsamazon.com/. Let's protect everything under /.
Then protect "/" with your but you can't serve real content on
Still having the issue. I have secured at root level, but it keeps on redirecting back and forth until the browser throws an error. Changed the redirect URI back to redirect_uri and access the website as example: nginxoidc.conf
What URL are you typing in your browser that kickstarts all of this?
This is the URL I'm starting with
It would be good to see the HTTP responses and see if and how the session cookie is set.
I see a different session cookie for each subsequent request. Let me see if I can attach the Fiddler trace.
Here is the fiddler trace.
I don't see the Fiddler trace, but you may be running into an SSL issue with
I added both parameters; the issue is still not resolved. access_by_lua '
Fiddleroidctrace.zip |
The crux seems to be here: after hitting the redirect URI with an authentication response that is correctly processed, the browser is redirected to the original URL with a session cookie:
but then the next request is:
which still uses the old cookie value rather than the one from the I believe the size of the
Thanks very much!!! You are 100% correct, it was a cookie size issue. Luckily IE 11 is able to accept more than 4K of cookie; we tested in IT and it works. Unfortunately Firefox and Chrome are strict on cookie size. Bottom line: the issue is around cookie size. I'm experimenting to reduce the cookie size using memcached.
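The loop mechanism identified in the two comments above can be checked mechanically from a browser trace. The following is an added example, not code from this thread or from lua-resty-openidc: it walks a list of request/response pairs, measures every Set-Cookie against the 4096-byte minimum that RFC 6265 requires browsers to accept, checks whether the next request actually echoes the new cookie value, and counts how many distinct OIDC `state` values the server handed out. The trace is constructed; the cookie name `session` (lua-resty-session's default) and the Keycloak authorization URL (built from the realm in the config posted in this issue) are assumptions.

```python
"""
Check a browser trace for the redirect-loop signature discussed in this issue:
the callback response sets a session cookie larger than the browser will
store, the next request carries the old cookie, and lua-resty-openidc starts
a fresh authorization round trip with a new 'state' every time.

Added diagnostic, not code from lua-resty-openidc; the trace below is
constructed to mirror the Fiddler capture described in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# RFC 6265 section 6.1 only requires user agents to accept cookies of at least
# 4096 bytes (name, value and attributes together); Chrome and Firefox enforce
# roughly that per cookie and silently discard anything larger.
COOKIE_LIMIT = 4096


@dataclass
class Exchange:
    """One request/response pair as captured by Fiddler or browser devtools."""
    path: str                     # request path and query
    cookies: Dict[str, str]       # cookies the client actually sent
    status: int
    location: Optional[str] = None                       # Location header on a redirect
    set_cookie: List[str] = field(default_factory=list)  # raw Set-Cookie header values


def split_set_cookie(header: str) -> Tuple[str, str, int]:
    """Return (name, value, size in bytes) for a raw Set-Cookie header."""
    pair = header.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip(), len(header.encode("utf-8"))


def auth_state(location: Optional[str]) -> Optional[str]:
    """Extract the OIDC 'state' parameter from a redirect to the authorization endpoint."""
    if not location:
        return None
    return parse_qs(urlparse(location).query).get("state", [None])[0]


def diagnose(trace: List[Exchange]) -> dict:
    """Flag oversized cookies, cookies the browser did not echo back, and repeated auth starts."""
    report = {"oversized": [], "stale": [], "states": [], "loop": False}
    for i, ex in enumerate(trace):
        for raw in ex.set_cookie:
            name, value, size = split_set_cookie(raw)
            if size > COOKIE_LIMIT:
                report["oversized"].append((i, name, size))
            # the following request must echo the new value; the old value or
            # no cookie at all means the browser rejected this Set-Cookie
            if i + 1 < len(trace) and trace[i + 1].cookies.get(name) != value:
                report["stale"].append((i + 1, name))
        state = auth_state(ex.location)
        if state:
            report["states"].append(state)
    # a different 'state' on each pass means the server never saw the
    # authenticated session and restarted the flow: the redirect loop
    report["loop"] = len(set(report["states"])) > 1
    return report


# Constructed trace (assumed values). "session" is lua-resty-session's default
# cookie name; the Keycloak URL reuses the host and realm from the config
# posted in this thread; the state values are the two from the error log above.
AUTH = "http://keycloakint.com:8080/auth/realms/DCOS/protocol/openid-connect/auth"
PRE_AUTH = "a" * 150     # small pre-login session: just state and nonce
POST_AUTH = "b" * 5000   # id_token + access_token + userinfo serialised into one cookie
TRACE = [
    # 1. first hit on the protected URL: no session yet, redirect to Keycloak
    Exchange("/mesos/", {}, 302,
             location=AUTH + "?client_id=NginxWS&state=0268b134ffd9713b0e7cbe5afe92712c",
             set_cookie=["session=" + PRE_AUTH + "; Path=/; HttpOnly"]),
    # 2. callback: code exchanged, whole session written into the cookie
    Exchange("/redirect_uri?state=0268b134ffd9713b0e7cbe5afe92712c&code=xyz",
             {"session": PRE_AUTH}, 302,
             location="/mesos/",
             set_cookie=["session=" + POST_AUTH + "; Path=/; HttpOnly"]),
    # 3. browser dropped the big cookie and resends the old one, so the module
    #    sees no authenticated session and starts over with a new state
    Exchange("/mesos/", {"session": PRE_AUTH}, 302,
             location=AUTH + "?client_id=NginxWS&state=2e02415f1c05c2e4866e146bb825f267",
             set_cookie=["session=" + "c" * 150 + "; Path=/; HttpOnly"]),
]

if __name__ == "__main__":
    for key, val in diagnose(TRACE).items():
        print(f"{key}: {val}")
```

On the constructed trace the report shows one oversized Set-Cookie on the callback response, a stale cookie on the request that follows it, and two distinct `state` values, which is exactly the picture in the debug log above. The two remedies mentioned in this thread follow from the measurement: keep the session out of the cookie by using one of lua-resty-session's server-side storage backends (the reporter went with memcache), or trim what Keycloak puts into the tokens and userinfo so the serialised session fits.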
Cool; that's probably worth a warning somewhere in code or docs. You could also try and reduce the information that Keycloak produces and that needs to be stored in the session. |
added a Wiki page with a FAQ on this topic here: https://github.com/pingidentity/lua-resty-openidc/wiki#why-does-my-browser-get-in-to-a-redirect-loop |
Thanks for adding the FAQ. It will definitely help others.
Seems like I am facing the same issue even though I have been using the latest lua-resty-session. The problem is if I am protecting the code is like
However, if I am trying to protect all locations, by moving the access_by_lua block before all locations.
Hello,
I have installed the lua-resty-openidc module in an Nginx server and an open-source Keycloak server.
When I access any resource in Nginx it gets redirected to the Keycloak server for authentication. After authentication it redirects to the Redirect URI and I get an HTTP 500 server error. Am I missing something in the Redirect_Uri param?
http://nginxint.com:81/token?state=08621333464a7df9e995227744bc9d0a&code=grVpNleibVO_ogX5BhxEkgktuSEe83337xTrlvunkNo.458efbab-d1bf-4a98-89c0-9a958a3274b6
Returns HTTP 500 error.
Here is my openidc config.
```nginx
access_by_lua '
  local opts = {
    -- the full redirect URI must be protected by this script and becomes:
    -- ngx.var.scheme.."://"..ngx.var.http_host..opts.redirect_uri_path
    -- unless the scheme is overridden using opts.redirect_uri_scheme or an
    -- X-Forwarded-Proto header in the incoming request
    redirect_uri_path = "/token",
    discovery = "http://keycloakint.com:8080/auth/realms/DCOS/.well-known/openid-configuration",
    client_id = "NginxWS",
    --client_secret = "<client_secret>"
    --authorization_params = { hd="pingidentity.com" },
    --scope = "openid email profile",
    --iat_slack = 600,
    --redirect_uri_scheme = "https",
    --logout_path = "/logout",
    --token_endpoint_auth_method = ["client_secret_basic"|"client_secret_post"],
    --ssl_verify = "no"
  }

  -- standard continuation from the lua-resty-openidc README; the snippet as
  -- posted in the comment ends after the opts table
  local res, err = require("resty.openidc").authenticate(opts)
  if err then
    ngx.status = 500
    ngx.say(err)
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end
';
```