
"request to the redirect_uri path but there's no session state found" since 1.7.6-1 #462

Closed
MaxWinterstein opened this issue Feb 2, 2023 · 14 comments

Comments

@MaxWinterstein

Since 2 days ago, after the release of 1.7.6, my login flow has been broken.

Reverting to 1.7.5 fixed the issue.

Environment
  • lua-resty-openidc version 1.7.6-1
  • OpenID Connect provider keycloak
Expected behaviour

The login should work fine, just as it did with 1.7.5-1.

Actual behaviour

403 - request to the redirect_uri path but there's no session state found

Config files

We run this within a docker container:

FROM openresty/openresty:alpine-fat

RUN mkdir /var/log/nginx
RUN apk add --no-cache openssl-dev
RUN apk add --no-cache git
RUN apk add --no-cache gcc
RUN luarocks install lua-resty-openidc

# https://github.com/ledgetech/lua-resty-http/issues/42
RUN cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.pem

ADD nginx.conf /nginx.conf

ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]

And this nginx config

env CLIENT_ID;
env DISCOVERY;
env IDP_HINT;
env REQ_AUDIENCE;
env LOGOUT_URI;
env REDIRECT_URI;
env TRY_FILE;

events {
    worker_connections 1024;
}

include /usr/share/nginx/modules/*.conf;

http {

    lua_package_path '~/lua/?.lua;;';

    resolver 8.8.8.8;

    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    # cache for JWT verification results
    lua_shared_dict introspection 10m;
    lua_shared_dict sessions 10m;

    server {

        listen  81 default_server;
        large_client_header_buffers 4 16k;

        # disabled caching so the browser won't cache the site.
        expires           0;
        add_header        Cache-Control private;


        # proxy locations
        location / {

            access_by_lua_block {

                -- imports
                local cjson = require "cjson"
                local jwt = require "resty.jwt"

                --- helper functions
                -- has_value -- thx https://stackoverflow.com/a/33511182
                -- the `aud` claim may be a single string or a table, so accept both
                local function has_value (tab, val)
                    if type(tab) == "string" then
                        return tab == val
                    end
                    for index, value in ipairs(tab or {}) do
                        if value == val then
                            return true
                        end
                    end
                    return false
                end


                local opts = {
                    authorization_params = { kc_idp_hint=os.getenv("IDP_HINT") },
                    redirect_uri_path = os.getenv("REDIRECT_URI"),
                    discovery = os.getenv("DISCOVERY"),
                    client_id = os.getenv("CLIENT_ID"),
                    scope = "openid email profile roles",
                    redirect_uri_scheme = "https",
                    logout_path = "/logout",
                    redirect_after_logout_uri = os.getenv("LOGOUT_URI"),
                    redirect_after_logout_with_id_token_hint = false,
                    --session_contents = { user=true, id_token=true, token=true }
                }

                -- run the OpenID Connect authentication flow; redirects to the
                -- provider when there is no valid session yet
                local res, err = require("resty.openidc").authenticate(opts)

                if err then
                    ngx.status = 403
                    ngx.say(err)
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                local jwt_obj = jwt:load_jwt(res.access_token)


                -- uncomment for debugging
                --local debug = {}
                --debug['jwt_obj'] = jwt_obj
                --debug['res'] = res
                --ngx.say(cjson.encode(debug))
                --ngx.exit(ngx.HTTP_OK)


                -- check that the required audience is part of the jwt -- thx https://github.com/zmartzone/lua-resty-openidc/issues/222
                local req_aud = os.getenv("REQ_AUDIENCE")
                if has_value(jwt_obj.payload.aud, req_aud) then
                    ngx.log(ngx.STDERR, "Yep, you are good to go.")
                else
                    ngx.log(ngx.STDERR, "Nope, access denied for you! No member of " .. req_aud)
                    ngx.log(ngx.STDERR, cjson.encode(res.id_token))
                    ngx.status = 403
                    ngx.say('Access Denied')
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            }


            set $session_cipher none;                 # don't need to encrypt the session content, it's an opaque identifier
            set $session_storage shm;                 # use shared memory
            set $session_cookie_persistent on;        # persist cookie between browser sessions
            set $session_cookie_renew      3600;      # new cookie every hour
            set $session_cookie_lifetime   86400;     # lifetime for persistent cookies
            set $session_name              sess_auth; # name of the cookie to store the session identifier in

            set $session_shm_store         sessions;  # name of the dict to store sessions in
            # See https://github.com/bungle/lua-resty-session#shared-dictionary-storage-adapter for the following options
            set $session_shm_uselocking    off;
            set $session_shm_lock_exptime  3;
            set $session_shm_lock_timeout  2;
            set $session_shm_lock_step     0.001;
            set $session_shm_lock_max_step 0.5;
            set $session_shm_lock_ratio    1;



            # try_files $uri $uri/ /manual/index.html;
            set_by_lua $try_file 'return os.getenv("TRY_FILE")';
            try_files $uri $uri/ $try_file;
            include /usr/local/openresty/nginx/conf/mime.types;
        }

         location = /manual/shield {

        }
    }
}

Environment variables reduced:

    Environment:
      CLIENT_ID:     myClientID
      DISCOVERY:     https://mykeycloak.tld/auth/realms/myrealm/.well-known/openid-configuration
      IDP_HINT:      oidc
      REQ_AUDIENCE:  myAudience
      LOGOUT_URI:   google.de
      REDIRECT_URI:  /manual/callback
      TRY_FILE:      /manual/index.html
@maxissmax

Faced the same issue: all works fine on a 4-month-old installation, but not on a new one.

@bodewig
Collaborator

bodewig commented Feb 2, 2023

I don't see which change may have triggered this immediately. Is lua-resty-openidc the only thing that changes, or are you upgrading anything else like lua-resty-openidc at the same time?

Any chance we can see a bigger piece of the log leading up to the error?

@zandbelt
Contributor

zandbelt commented Feb 2, 2023

my guess is the new release 4.0 of lua-resty-session that is a complete rewrite; perhaps we should lock the version down to max 3.x in the rockspec

@bodewig
Collaborator

bodewig commented Feb 2, 2023

going back to 1.7.5 should not fix anything, then, as that would pull in 4.0 by now as well. Have we ever tested whether lua-resty-session 3.x works for us?

@zandbelt
Contributor

zandbelt commented Feb 2, 2023

https://luarocks.org/modules/bungle/lua-resty-session says 3.x was pulled in until recently

@zandbelt
Contributor

zandbelt commented Feb 2, 2023

I just re-ran the GitHub build action, and it is broken now where it finished successfully a few days ago: https://github.com/zmartzone/lua-resty-openidc/actions/runs/4047591758/jobs/7025107167 so that concludes it

@maxissmax

maxissmax commented Feb 2, 2023

my guess is the new release 4.0 of lua-resty-session that is a complete rewrite; perhaps we should lock the version down to max 3.x in the rockspec

Yes, downgraded lua-resty-session to 3.10-1 and all works again
Thank you for your help! :)

@MaxWinterstein
Author

MaxWinterstein commented Feb 2, 2023

Sorry, this issue's source seems to be wrong. After a while, I am also sure it is based on lua-resty-session and the new v4.x.

I tested with some daily build images and did not realize the dependencies at first.

Here I documented something: bungle/lua-resty-session#124
tl;dr: just like @maxissmax, a downgrade of lua-resty-session did the trick.

+1 to pin lua-resty-session to <4 until it is clear where exactly it came from, and how it can be resolved.

@bodewig
Collaborator

bodewig commented Feb 3, 2023

I believe this project is the correct place to report it. After all 4.0 is explicitly not backwards compatible - https://github.com/bungle/lua-resty-session/blob/master/Changes.md . I must admit that I'm not really familiar with luarocks version matching myself and naively assumed it wouldn't include major version updates by default, obviously I was wrong.

@zandbelt
Contributor

zandbelt commented Feb 3, 2023

luarocks now has version 1.7.6-2 that pins down the lua-resty-session dependency to something < 4.0

@zandbelt zandbelt closed this as completed Feb 3, 2023
@sebix

sebix commented Feb 3, 2023

Unfortunately, the release of 1.7.6-2 does not fix it for us, as the beta version of lua-resty-session is still installed automatically:

luarocks install lua-resty-openidc 1.7.6-2
...
lua-resty-openidc 1.7.6-2 depends on lua-resty-session > 2.8, < 4.0.0 (not installed)
Installing https://luarocks.org/lua-resty-session-4.0.0.beta.3-1.src.rock
...

Is it possible to pin lua-resty-session < 4.0.0.beta or alike?

@zandbelt
Contributor

zandbelt commented Feb 3, 2023

tried to pin it to <= 3.10 now in 1.7.6-3
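
As an added illustration (not code from this thread, from lua-resty-openidc or from LuaRocks), a small Python model of LuaRocks-style version ordering that shows why sebix's observed `> 2.8, < 4.0.0` pin still admitted 4.0.0.beta.3 while the `<= 3.10` pin from 1.7.6-3 excludes it. The pre-release weights and the rule that missing trailing components count as zero are assumptions about how LuaRocks orders versions, not its own code.

```python
"""Model of LuaRocks-style version ordering: pre-release words (alpha, beta,
pre, rc) rank below the bare release, so '4.0.0.beta.3' < '4.0.0' and an
upper bound of '< 4.0.0' still admits the beta.  Weights are constructed."""

# Constructed weights: any pre-release word sorts below a plain number (>= 0).
PRERELEASE_WEIGHT = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1}


def parse_version(text):
    """'4.0.0.beta.3' -> [4, 0, 0, -3, 3]; '3.10' -> [3, 10]."""
    parts = []
    for token in text.strip().split("."):
        if token.isdigit():
            parts.append(int(token))
        elif token.lower() in PRERELEASE_WEIGHT:
            parts.append(PRERELEASE_WEIGHT[token.lower()])
        else:
            raise ValueError(f"unrecognised version token {token!r} in {text!r}")
    return parts


def compare(a, b):
    """Element-wise compare; a missing trailing component counts as 0 (assumption)."""
    va, vb = parse_version(a), parse_version(b)
    for i in range(max(len(va), len(vb))):
        x = va[i] if i < len(va) else 0
        y = vb[i] if i < len(vb) else 0
        if x != y:
            return -1 if x < y else 1
    return 0


OPS = {
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
}


def satisfies(version, constraint):
    """constraint in rockspec style, e.g. 'lua-resty-session > 2.8, < 4.0.0'."""
    spec = constraint.split(None, 1)[1] if constraint[0].isalpha() else constraint
    for clause in spec.split(","):
        op, target = clause.split()
        if not OPS[op](compare(version, target)):
            return False
    return True


if __name__ == "__main__":
    for pin in ("lua-resty-session > 2.8, < 4.0.0", "lua-resty-session > 2.8, <= 3.10"):
        for v in ("3.10", "4.0.0.beta.3", "4.0.0"):
            print(f"{pin!r:42} admits {v:12}: {satisfies(v, pin)}")
```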

@sebix

sebix commented Feb 6, 2023

Thanks, I confirm that this version works fine!

@Dark3clipse

I'm still having login issues with this 403 when using 1.7.6-3 with lua-resty-session 3.10. It used to work fine before my upgrade. Anything else that could be an issue?
