Error on authentication callback #416


Closed
GNUGradyn opened this issue Jan 5, 2022 · 3 comments


Environment
  • lua-resty-openidc version (e.g. 1.7.5)
    1.7.5
  • OpenID Connect provider (e.g. Keycloak, Azure AD)
    Microsoft Identity Server
Expected behaviour

Redirect URI should be handled

Actual behaviour

An internal server error occurs

Minimized example

Minimal, complete configuration that reproduces the behavior.
vhost:

server {
    location / {
        access_by_lua_block {
            local opts = {
                redirect_uri = "https://service.example.com/signin-oidc",
                discovery = "https://login.example.com/.well-known/openid-configuration",
                client_id = "EXAMPLE",
                client_secret = "EXAMPLE",
                -- "no" disables TLS certificate verification towards the provider
                ssl_verify = "no",
                scope = "openid example",
            }
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
            ngx.req.set_header("X-USER", res.id_token.sub)
        }
        root /var/www/html;
    }
}
Configuration and NGINX server log files

nginx.conf from openresty

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}
gradyn@gradyn-linux-stuff:/var/www/html$ cat /etc/openresty/nginx.conf

#user  nobody;
worker_processes  1;

error_log  /etc/openresty/logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    resolver example;
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    include /etc/openresty/sites-enabled/*;

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

error from nginx log

2022/01/05  01:30:01 [error] 6352#6352: *1 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/evp.lua:216: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: EVP_MD_CTX_create
stack traceback:
coroutine 0:
[C]: in function '__index'
/usr/local/openresty/site/lualib/resty/evp.lua:216: in function 'verify'
/usr/local/openresty/site/lualib/resty/jwt.lua:812: in function 'verify_jwt_obj'
/usr/local/openresty/lualib/resty/openidc.lua:1019: in function 'openidc_load_jwt_and_verify_crypto'
/usr/local/openresty/lualib/resty/openidc.lua:1044: in function 'openidc_load_and_validate_jwt_id_token'
/usr/local/openresty/lualib/resty/openidc.lua:1136: in function 'authenticate'
access_by_lua(test:20):10: in main chunk, client: 10.2.10.101, server: , request: "GET /signin-oidc?code=example&scope=example&state=example&session_state=example HTTP/1.1", host: "service.example.com"
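The symbol named in the log line above, EVP_MD_CTX_create, was an exported function in OpenSSL 1.0.x and became a macro over EVP_MD_CTX_new in OpenSSL 1.1.0, so FFI bindings written against the 1.0 API fail at run time exactly as shown. As an added example (not part of this issue, lua-resty-openidc or lua-resty-jwt), the Python script below scans nginx error-log lines for such lookup failures and maps each symbol to its 1.1 name; the rename table, the regex and the extra log line are my own constructions.

```python
import re

# OpenSSL 1.1.0 turned these 1.0.x functions into macros over new names, so
# they are no longer exported symbols. FFI code that resolves the old names at
# run time (as the evp.lua in the older lua-resty-jwt does) then aborts with
# "undefined symbol". Table assembled by me for this example.
OPENSSL_11_RENAMES = {
    "EVP_MD_CTX_create": "EVP_MD_CTX_new",
    "EVP_MD_CTX_destroy": "EVP_MD_CTX_free",
    "EVP_MD_CTX_init": "EVP_MD_CTX_reset",
    "EVP_MD_CTX_cleanup": "EVP_MD_CTX_reset",
    "HMAC_CTX_init": "HMAC_CTX_new",
    "HMAC_CTX_cleanup": "HMAC_CTX_free",
}

# Matches the nginx error-log line that reports an FFI symbol lookup failure.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?"
    r"runtime error: (?P<src>\S+?):(?P<lineno>\d+): .*?undefined symbol: (?P<sym>\w+)"
)

def diagnose(log_text):
    """Return one finding per 'undefined symbol' line, with the 1.1 name if known."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # stack-traceback and unrelated lines are skipped
        sym = m.group("sym")
        replacement = OPENSSL_11_RENAMES.get(sym)
        findings.append({
            "timestamp": m.group("ts"),
            "source": f"{m.group('src')}:{m.group('lineno')}",
            "symbol": sym,
            "cause": "openssl-1.1-rename" if replacement else "unknown-symbol",
            "replacement": replacement,
        })
    return findings

# Sample input: the first line is the one from this issue, the rest I constructed.
SAMPLE_LOG = """\
2022/01/05  01:30:01 [error] 6352#6352: *1 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/evp.lua:216: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: EVP_MD_CTX_create
stack traceback:
coroutine 0:
/usr/local/openresty/site/lualib/resty/evp.lua:216: in function 'verify'
2022/01/05 01:31:12 [error] 6352#6352: *2 lua entry thread aborted: runtime error: /opt/example/ffi.lua:42: libcrypto.so.1.1: undefined symbol: EXAMPLE_PLACEHOLDER_FN
"""
```

Calling diagnose(SAMPLE_LOG) yields two findings: the first flags EVP_MD_CTX_create as an OpenSSL 1.1 rename (new name EVP_MD_CTX_new), the second is reported as an unknown symbol.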
bodewig (Collaborator) commented Jan 5, 2022

It looks as if lua-resty-jwt or one of its dependencies hasn't been installed properly, or the version you installed doesn't match the version of OpenSSL installed, or something like this. This looks a lot like #162, so maybe you need to install a different version of lua-resty-jwt.

GNUGradyn (Author) commented:

I'm installing SkyLothar/lua-resty-jwt from opm; what should I be using?

bodewig (Collaborator) commented Feb 2, 2022

At luarocks the SkyLothar version has been superseded by https://github.com/cdbattags/lua-resty-jwt - note I'm not an expert in any of the lua package managers. Over at the github page the opm path has a strike-through, even though I see an older version at https://opm.openresty.org/search?q=lua-resty-jwt. This is as puzzling to me as to you, as I see a 0.2.3 version of https://github.com/toopy/lua-resty-jwt, which is a fork of cdbattags' repo but hasn't been updated for two years, while the cdbattags repo has commits of a year ago.

What I'm trying to say is that I haven't got any idea what to do when using opm but the fork you need is available via luarocks or for installing it manually.
