Question about redirect_url_path #7


Closed
j1n6 opened this issue Mar 23, 2016 · 6 comments

j1n6 commented Mar 23, 2016

Hi,

I'm having a bit of difficulty getting a test configuration working with OpenID Connect. Everything works fine until the auth provider redirects the page back to the Nginx /redirect_uri. The browser, on the /redirect_uri page with all the scope, state and code parameters, returns ERR_INVALID_RESPONSE.

I must have been missing something in the configuration. Do I need to add any special Nginx/Lua configuration for the /redirect_uri URL, or do I need to configure an Nginx location?

Thanks in advance!

@zandbelt (Contributor) commented

I'm afraid I don't understand what the current experience exactly is. Can you paste your config and a browser trace, or perhaps just the URL that you end up with in the browser?

j1n6 (Author) commented Mar 24, 2016

Thanks for the quick reply. Here's my nginx server setting:

file: /etc/nginx/sites-enabled/default

lua_package_path '/usr/local/openresty/lualib/resty/?.lua;;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
lua_shared_dict discovery 1m;
resolver 8.8.8.8;
server {
    listen              443 ssl;
    server_name         sso.com;
    ssl_certificate     /vagrant_data/server.crt;
    ssl_certificate_key /vagrant_data/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    ssl_session_cache shared:SSL:100m;
    ssl_session_timeout 60m;
    root /usr/share/nginx/html;
    index index.html index.htm;
    add_header Strict-Transport-Security "max-age=31536000";
    access_by_lua_file '/usr/local/openresty/lualib/resty/access.lua';

    location / {
        try_files $uri $uri/ =404;
        # include /etc/nginx/naxsi.rules
    }
}

file: /usr/local/openresty/lualib/resty/access.lua

-- lua-resty-openidc options; redirect_uri_path is the callback the provider
-- must redirect to, so the registered redirect URI has to be
-- https://sso.com/redirect_uri for this server block.
local opts = {
  redirect_uri_path = "/redirect_uri",
  discovery = "https://login-dev.testlogin.com/.well-known/openid-configuration",
  client_id = "@!8505.6880.6530.61CE!0001!0FB2.DC55!0008!2F3C.3B92",
  client_secret = "test",
  scope = "email profile user_name"
}

-- Standard lua-resty-openidc entry point that yields res/err (assumed; this
-- call was not shown in the pasted snippet).
local res, err = require("resty.openidc").authenticate(opts)

if err then
  ngx.status = 500
  ngx.say(err)
  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Pass the authenticated subject on to the upstream application.
ngx.req.set_header("X-USER", res.id_token.sub)

After logging into the auth provider and being redirected back to the redirect_uri_path, the browser shows:
[screenshot: browser page after the redirect, 2016-03-24 09:41]

There's no error in the Nginx log when the user gets redirected to the redirect_uri_path. When I refresh the same page with all the state and scope parameters, the nginx error log has the following output:

2016/03/22 11:29:36 [error] 3002#0: *2 [lua] openidc.lua:262: authenticate(): state from argument: e59539d612b581a6387e0402ffd07485 does not match state restored from session: nil, client: 10.0.2.2, server: sso.com, request: "GET /authorize?session_state=0bedec74-1f60-42ba-832c-2e6281e76789&scope=user_name+email+profile&state=e59539d612b581a6387e0402ffd07485&code=9ecc9929-7720-4bc5-905c-0b561ca33408 HTTP/1.1", host: "sso.com:3001"

@zandbelt (Contributor) commented

Looks like the redirect URI that was registered with the OpenID Connect server does not match the settings of your NGINX client: it seems you will access your server on "https://sso.com" and thus you need to make sure that the redirect URI is "https://sso.com/redirect_uri". Double-check port, http/https and exact server name.
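The exact-match check asked for above (path, scheme, host and port of the callback versus what nginx serves), applied to the error-log line pasted earlier in the thread. This is an added example, not part of the thread or of lua-resty-openidc; it assumes nginx serves https on server_name sso.com, port 443, as in the posted config.

```python
import re
from urllib.parse import parse_qs, urlsplit

# nginx error-log line quoted in the thread (no fabricated values)
LOG_LINE = (
    '2016/03/22 11:29:36 [error] 3002#0: *2 [lua] openidc.lua:262: authenticate(): '
    'state from argument: e59539d612b581a6387e0402ffd07485 does not match state '
    'restored from session: nil, client: 10.0.2.2, server: sso.com, request: '
    '"GET /authorize?session_state=0bedec74-1f60-42ba-832c-2e6281e76789'
    '&scope=user_name+email+profile&state=e59539d612b581a6387e0402ffd07485'
    '&code=9ecc9929-7720-4bc5-905c-0b561ca33408 HTTP/1.1", host: "sso.com:3001"'
)
REQ_RE = re.compile(r'request: "(\S+) (\S+) HTTP/[\d.]+", host: "([^"]+)"')


def parse_callback(line):
    """Extract method, path, query and Host header from an nginx error-log line."""
    m = REQ_RE.search(line)
    if not m:
        return None
    method, target, host = m.groups()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "host": host, "query": query}


def check_callback(line, redirect_uri_path, server_name, listen_port=443, scheme="https"):
    """Compare the request the browser actually made with the redirect URI nginx
    is configured to serve; returns a list of mismatches (empty means it matches)."""
    req = parse_callback(line)
    if req is None:
        return ["log line has no request/host fields"]
    findings = []
    # The provider sends the browser to the URI registered with it, so the path
    # must be the one lua-resty-openidc treats as the callback.
    if req["path"] != redirect_uri_path:
        findings.append(f"callback path {req['path']} != redirect_uri_path {redirect_uri_path}")
    # Scheme, host and port must match exactly too; a port forwarder in front of
    # nginx (sso.com:3001 -> :443 here) changes the origin the browser sees.
    host, _, port = req["host"].partition(":")
    port = int(port) if port else (443 if scheme == "https" else 80)
    if host != server_name or port != listen_port:
        findings.append(f"browser origin {req['host']} != configured {server_name}:{listen_port}")
    # An authorization response always carries code and state; state is the CSRF
    # binding that authenticate() compares with the value saved in the session.
    for p in ("code", "state"):
        if p not in req["query"]:
            findings.append(f"missing {p} parameter: not an authorization response")
    return findings
```

Run against the thread's log line with the posted config it reports two mismatches: the callback landed on /authorize rather than /redirect_uri, and the browser reached nginx as sso.com:3001 rather than sso.com:443.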

j1n6 (Author) commented Mar 24, 2016

I'm running the nginx inside vagrant, using port 3001 locally forwarding to the vagrant server. i.e.
(local) https://sso.com:3001 -> https://vagrant_hosted_nginx:443

Does the port matter, and would it prevent Nginx from registering the redirect URI?

@zandbelt (Contributor) commented

The port should not matter, but just in case: can you paste a browser trace? It would be interesting to see the initial URL that is being accessed and the actual redirect with the authentication request (and the redirect URL in there).

zandbelt (Contributor) commented Apr 9, 2016

Any update on this one, or was the problem solved?
