openresty-oidc: Бесконечный цикл после входа в систему - PullRequest
/ 11 июля 2020

В настоящее время у меня проблемы со сценарием аутентификации, который должен в основном реализовывать OIDC на уровне обратного прокси-сервера, чтобы закрыть прямой доступ к веб-серверу приложения. Этот поток аутентификации OIDC реализован на Lua с расширением OpenResty для nginx.

На самом деле происходит то, что я получаю ERR_TOO_MANY_REDIRECTS или You are already logged in. (от Keycloak) и мой браузер сам по себе пересылается несколько раз.

Я много читал об этом, и рекомендуемым действием была опция large_client_header_buffers, которая уже была установлена. Keycloak, похоже, использует много заголовков Set-Cookie (и больших), что не является проблемой для других приложений. Вторым рекомендуемым действием было перейти к хранилищу сеансов на стороне сервера, что было достигнуто с помощью параметра set $session_storage memcache; в proxy.conf. Интересен тот факт, что локальный cookie всё ещё работает.

журнал контейнера docker_oidc_proxy:

2020/07/11 11:39:10 [warn] 14#14: *8 [lua] openidc.lua:1356: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 192.168.128.2, server: _, request: "GET / HTTP/1.1", host: "client.example.com"
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:1414: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=true, try_to_renew=true, token_expired=false
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:565: openidc_discover(): openidc_discover: URL is: https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 1 => private_key_jwt
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 2 => client_secret_basic
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 3 => client_secret_post
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:634: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:662: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2020/07/11 11:39:10 [debug] 14#14: *8 [lua] openidc.lua:1449: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
192.168.128.2 - - [11/Jul/2020:11:39:10 +0000] "GET / HTTP/1.1" 302 151 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.109 Safari/537.36"

### Not logged in -> redirect


2020/07/11 11:39:41 [warn] 14#14: *8 [lua] openidc.lua:1356: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 192.168.128.2, server: _, request: "GET /web/index.html?state=c511e24f3991ddec1981b96094fe8b59&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=2f2700b3-ef1d-48da-88ae-fdca7d127b6a.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1", host: "client.example.com", referrer: "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid"
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1414: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=true, try_to_renew=true, token_expired=false
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:565: openidc_discover(): openidc_discover: URL is: https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 1 => private_key_jwt
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 2 => client_secret_basic
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 3 => client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:634: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:662: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1449: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
192.168.128.2 - - [11/Jul/2020:11:39:41 +0000] "GET /web/index.html?state=c511e24f3991ddec1981b96094fe8b59&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=2f2700b3-ef1d-48da-88ae-fdca7d127b6a.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1" 302 151 "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.109 Safari/537.36"
2020/07/11 11:39:41 [warn] 14#14: *8 [lua] openidc.lua:1356: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 192.168.128.2, server: _, request: "GET /web/index.html?state=52a09d19579bfbefb3153051fcefce63&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=118e9b13-3ee4-4100-b142-601f926ccfde.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1", host: "client.example.com", referrer: "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid"
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1414: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=true, try_to_renew=true, token_expired=false
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:565: openidc_discover(): openidc_discover: URL is: https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 1 => private_key_jwt
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 2 => client_secret_basic
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 3 => client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:634: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:662: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1449: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
192.168.128.2 - - [11/Jul/2020:11:39:41 +0000] "GET /web/index.html?state=52a09d19579bfbefb3153051fcefce63&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=118e9b13-3ee4-4100-b142-601f926ccfde.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1" 302 151 "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.109 Safari/537.36"
2020/07/11 11:39:41 [warn] 14#14: *8 [lua] openidc.lua:1356: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 192.168.128.2, server: _, request: "GET /web/index.html?state=0c7afe284a1ebcd4e76678f177cedf7a&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=294b0b7c-5dc7-4aa6-9a2c-5910e0d65b90.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1", host: "client.example.com", referrer: "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid"
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1414: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=true, try_to_renew=true, token_expired=false
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:565: openidc_discover(): openidc_discover: URL is: https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 1 => private_key_jwt
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 2 => client_secret_basic
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 3 => client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:634: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:662: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1449: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
192.168.128.2 - - [11/Jul/2020:11:39:41 +0000] "GET /web/index.html?state=0c7afe284a1ebcd4e76678f177cedf7a&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=294b0b7c-5dc7-4aa6-9a2c-5910e0d65b90.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1" 302 151 "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.109 Safari/537.36"
2020/07/11 11:39:41 [warn] 14#14: *8 [lua] openidc.lua:1356: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 192.168.128.2, server: _, request: "GET /web/index.html?state=c16bf251d5a5e84f826e0f628ccfe797&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=f57ec2e4-3f71-4661-a456-88aa83a91a28.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1", host: "client.example.com", referrer: "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid"
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1414: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=true, try_to_renew=true, token_expired=false
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:565: openidc_discover(): openidc_discover: URL is: https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 1 => private_key_jwt
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 2 => client_secret_basic
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 3 => client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:634: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:662: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1449: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
192.168.128.2 - - [11/Jul/2020:11:39:41 +0000] "GET /web/index.html?state=c16bf251d5a5e84f826e0f628ccfe797&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=f57ec2e4-3f71-4661-a456-88aa83a91a28.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1" 302 151 "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.109 Safari/537.36"
2020/07/11 11:39:41 [warn] 14#14: *8 [lua] openidc.lua:1356: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 192.168.128.2, server: _, request: "GET /web/index.html?state=138ab05b5427ef62a617bcc27ca7388c&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=2cf495da-5790-4c8d-9161-f4e6d02fa0ce.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1", host: "client.example.com", referrer: "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid"
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1414: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=true, try_to_renew=true, token_expired=false
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:565: openidc_discover(): openidc_discover: URL is: https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 1 => private_key_jwt
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 2 => client_secret_basic
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 3 => client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:634: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:662: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1449: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
192.168.128.2 - - [11/Jul/2020:11:39:41 +0000] "GET /web/index.html?state=138ab05b5427ef62a617bcc27ca7388c&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=2cf495da-5790-4c8d-9161-f4e6d02fa0ce.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1" 302 151 "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.109 Safari/537.36"
2020/07/11 11:39:41 [warn] 14#14: *8 [lua] openidc.lua:1356: authenticate(): using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead, client: 192.168.128.2, server: _, request: "GET /web/index.html?state=66b535f8d319b7650ea447a5a403ab4c&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=23cdd59c-48ea-4d34-a27f-58ffc4c0187a.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1", host: "client.example.com", referrer: "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid"
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1414: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=true, try_to_renew=true, token_expired=false
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:565: openidc_discover(): openidc_discover: URL is: https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=https://sso.example.com/auth/realms/example-realm/.well-known/openid-configuration
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 1 => private_key_jwt
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 2 => client_secret_basic
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:632: openidc_get_token_auth_method(): 3 => client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:634: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:662: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2020/07/11 11:39:41 [debug] 14#14: *8 [lua] openidc.lua:1449: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
192.168.128.2 - - [11/Jul/2020:11:39:41 +0000] "GET /web/index.html?state=66b535f8d319b7650ea447a5a403ab4c&session_state=03c69044-4b89-44b4-a142-c7ccb74c6174&code=23cdd59c-48ea-4d34-a27f-58ffc4c0187a.03c69044-4b89-44b4-a142-c7ccb74c6174.c7c650ac-2c87-48da-a953-1390441e69ab HTTP/1.1" 302 151 "https://sso.example.com/auth/realms/example-realm/protocol/openid-connect/auth?response_type=code&client_id=example-client&state=c511e24f3991ddec1981b96094fe8b59&redirect_uri=https%3A%2F%2Fclient.example.com%2Fweb%2Findex.html%23!%2Fhome.html&nonce=3179d5373fc16135be19ac9f6c78d766&scope=openid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.109 Safari/537.36

auth.lua

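-- Options for lua-resty-openidc's authenticate(). Every value is read from the
-- environment, so each variable must also be exported to the worker with an
-- `env` directive in nginx.conf; otherwise os.getenv() returns nil.
local opts = {
    -- Path of the callback the OP redirects back to. authenticate() recognises
    -- the callback by comparing this value with the request URI, so it has to
    -- be a plain path: a fragment ("#...") is never sent by the browser, so a
    -- value such as "/web/index.html#!/home.html" (the redirect_uri visible in
    -- the log above) can never match, every callback is treated as an
    -- unauthenticated request, and the redirect loop never ends.
    -- NOTE(review): the option is deprecated in favour of an absolute
    -- `opts.redirect_uri` (see the [warn] lines); kept here because the public
    -- scheme/host behind a TLS terminator is not known to this script.
    redirect_uri_path = os.getenv("OID_REDIRECT_PATH") or "/redirect_uri",
    discovery = os.getenv("OID_DISCOVERY"),
    client_id = os.getenv("OID_CLIENT_ID"),
    client_secret = os.getenv("OID_CLIENT_SECRET"),
    token_endpoint_auth_method = os.getenv("OIDC_AUTH_METHOD") or "client_secret_basic",
    -- The variable name is misspelled ("EXPIERY") but matches the `env` line in
    -- nginx.conf, so it is kept. Any value other than the string "false" enables renewal.
    renew_access_token_on_expiry = os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY") ~= "false",
    scope = os.getenv("OIDC_AUTH_SCOPE") or "openid",
    -- Clock skew tolerated (seconds) when the ID token's iat claim is checked.
    iat_slack = 600,
}

--local session_opts = { cookie = { domain = ".example.com" } }
-- call authenticate for OpenID Connect user authentication: redirects to the OP
-- when no session exists, consumes the callback, or returns the existing session.
local res, err, _target, session = require("resty.openidc").authenticate(opts, nil)--, "pass")--, session_opts)

-- `res` is a table, so tostring() yields only its address: no token material
-- reaches the log from these two lines.
ngx.log(ngx.INFO, tostring(res))
ngx.log(ngx.INFO, tostring(err))

if session ~= nil then
  -- Mirrors the library's own debug line so the two can be compared in the log.
  -- try_to_renew / token_expired are locals inside the library and are not
  -- visible here (they were undefined globals, always nil), so they are left out.
  ngx.log(ngx.INFO,
    "session.present=", session.present,
    ", session.data.id_token=", session.data.id_token ~= nil,
    ", session.data.authenticated=", session.data.authenticated,
    ", opts.force_reauthorize=", opts.force_reauthorize,
    ", opts.renew_access_token_on_expiry=", opts.renew_access_token_on_expiry
  )
end

if err then
    -- Keep the detail server-side. `err` can carry text taken from the request
    -- (e.g. a state value) or from the OP's response; echoing it into a
    -- text/html body hands that text to an unauthenticated client verbatim.
    ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
    ngx.status = 500
    ngx.header.content_type = 'text/html';

    ngx.say("There was an error while logging in.")
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

ngx.log(ngx.INFO, "Authentication successful, setting Auth header...")

-- Forward the raw (encoded) ID token to the upstream as a bearer credential.
-- NOTE(review): an ID token is issued to this client, not to the upstream;
-- confirm the upstream really expects it rather than an access token.
if session ~= nil and session.data.enc_id_token ~= nil then
  ngx.req.set_header("Authorization", "Bearer "..session.data.enc_id_token)
end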

bearer_validation.lua

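-- Only the discovery URL is needed here: bearer_jwt_verify() takes the OP's
-- signing keys from the discovered metadata to check the token signature.
local opts = {
    discovery = os.getenv("OID_DISCOVERY"),
}

-- call bearer_jwt_verify to validate bearer token from openid connect
-- NOTE(review): confirm which claims (issuer, audience, expiry) the library
-- checks with only `discovery` set; a token minted for another client of the
-- same realm should not be accepted by this proxy.
local res, err = require("resty.openidc").bearer_jwt_verify(opts)

-- `res` is a table, so tostring() logs only its address, not the claims.
ngx.log(ngx.INFO, tostring(res))
ngx.log(ngx.INFO, tostring(err))


if err then
    -- The reason stays in the server log; the client receives a generic body
    -- plus the challenge header a 401 is expected to carry (RFC 6750).
    ngx.log(ngx.WARN, "bearer token rejected: ", err)
    ngx.status = 401
    ngx.header.content_type = 'text/html';
    ngx.header["WWW-Authenticate"] = 'Bearer'

    ngx.say("There was an error while logging in.")
    ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- No header is actually set in this script; the request is passed through with
-- the client's own Authorization header.
ngx.log(ngx.INFO, "Authentication successful, setting Auth header...")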

nginx.conf

#user  nobody;
worker_processes  1;

#error_log  /dev/stdout     notice;
#error_log  /dev/stdout     info;
# debug level writes every request line to the log, including the callback's
# `code=` and `state=` query parameters (see the log excerpt above); lower it
# again once the redirect problem is solved.
error_log  /dev/stdout     debug;

#pid        logs/nginx.pid;

# Every variable the Lua scripts read with os.getenv() must be listed here:
# nginx clears the worker environment, so an unlisted variable reads as nil.
# OID_SESSION_* feed lua-resty-session through the $session_* variables set in
# proxy.conf; OID_*/OIDC_* feed lua-resty-openidc in auth.lua.
env OID_SESSION_SECRET;
env OID_SESSION_CHECK_SSI;
env OID_SESSION_NAME;
env OID_DISCOVERY;
env OID_CLIENT_ID;
env OID_CLIENT_SECRET;
env OID_REDIRECT_PATH;
env OIDC_AUTH_SCOPE;
env OIDC_AUTH_METHOD;
env OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY;
env PROXY_HOST;
env PROXY_PORT;
env PROXY_PROTOCOL;
env ADD_HOST_HEADER;

events {
    worker_connections  1024;
}

http {
    #lua_code_cache off;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    include sites/*;

    # Shared memory in which lua-resty-openidc caches the OP's discovery
    # document (the "cache hit: type=discovery" lines in the log).
    lua_shared_dict discovery 10m;

    # CA bundle and chain depth for the Lua HTTPS calls to the OP (discovery,
    # token endpoint); without them those calls cannot verify sso.example.com.
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    # Docker's embedded DNS; required both for the Lua calls to the OP and for
    # the variable-based proxy_pass in proxy.conf.
    resolver 127.0.0.11;
}

proxy.conf

server {
    # Plain-HTTP listener: TLS is presumably terminated in front of this
    # container (the callback URL in the log is https://...).
    # NOTE(review): confirm the session cookie is still issued with the Secure
    # flag in that setup.
    listen 80;
    server_name _;

    # Raised to absorb the large Set-Cookie / Cookie headers Keycloak produces.
    large_client_header_buffers 8 64k;
    client_header_buffer_size 64k;

    # lua-resty-session: keep session data in memcache instead of the cookie, so
    # only a session identifier travels with the browser.
    # NOTE(review): no memcache host/port is set here, so the library's defaults
    # apply; verify the memcache instance is reachable from this container.
    set $session_storage memcache;

    set_by_lua $session_secret 'return os.getenv("OID_SESSION_SECRET")';
    set_by_lua $session_check_ssi 'return os.getenv("OID_SESSION_CHECK_SSI")';
    set_by_lua $session_name 'return os.getenv("OID_SESSION_NAME")';
    set_by_lua $proxy_host 'return os.getenv("PROXY_HOST")';
    set_by_lua $proxy_port 'return os.getenv("PROXY_PORT")';
    set_by_lua $proxy_protocol 'return os.getenv("PROXY_PROTOCOL")';
    set_by_lua $add_host_header 'return os.getenv("ADD_HOST_HEADER")';

    #error_log /dev/stdout notice;
    # debug level also logs the callback's code=/state= query string.
    error_log /dev/stdout debug;

    location /favicon.ico {
      return 404;
    }

    # Unauthenticated probe endpoint; no access_by_lua applies here.
    location /healthz {
      return 201;
    }

    location / {
      # Pre-flight requests are answered here and never reach the Lua checks.
      # NOTE(review): with a wildcard origin the browser will not attach the
      # session cookie to cross-origin calls; narrow the origin if cross-site
      # API calls against this proxy are expected.
      if ($request_method = 'OPTIONS') {

        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' '*';
        add_header 'Access-Control-Allow-Headers' '*' always;

        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
        }

      # Inside an `if` the directive replaces (rather than adds to) the
      # location-level access_by_lua_file below for that request, so a request
      # carrying an Authorization header is checked only by
      # bearer_validation.lua and never by auth.lua.
      if ($http_authorization) {
        access_by_lua_file lua/bearer_validation.lua;
      }

      # Browser requests (no Authorization header): interactive OIDC flow. The
      # OP's callback to /web/index.html lands here too, so the path configured
      # in auth.lua must equal that request path exactly.
      access_by_lua_file lua/auth.lua;

      set $reverse_proxy_host $proxy_host;

      # Pass the client's Host header through when ADD_HOST_HEADER=true.
      if ($add_host_header = "true") {
        set $reverse_proxy_host $http_host;
      }

      proxy_set_header Host $reverse_proxy_host;
      # Upstream from PROXY_*; the Authorization header set by auth.lua travels
      # with the proxied request. Variable-based proxy_pass needs the resolver
      # configured in nginx.conf.
      proxy_pass $proxy_protocol://$proxy_host:$proxy_port;

      # Add Cors headers
      add_header    'Access-Control-Allow-Origin' '*' always;
      add_header    'Access-Control-Allow-Headers' '*' always;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}
```
...