OpenIDConnect Plugin With Nginx In Front

[grassbl8d]

Hello,

I tried installing apisix with openidconnect plugin using keycloak.

Basically, if I use the port 9080, everything is working fine and as it should

However, when I try to put APISIX at the back of an NGINX proxy which provides SSL Configuration, then I get the following error :

[lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found,

It seems that everything works for http but when I use https, session state is not found.

Basically, here's my configuration,

`
server { # This new server will watch for traffic on 443
listen 443 ssl;
server_name apisix.test.ph;
ssl_certificate /etc/nginx/my-site.com.crt;
ssl_certificate_key /etc/nginx/my-site.com.key;
root /usr/share/nginx/html;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

        location / {
              proxy_set_header  Host $host;
              proxy_set_header  X-Real-IP $remote_addr;
              proxy_set_header  X-Forwarded-Proto https;
              proxy_set_header  X-Forwarded-Host $host;
              proxy_pass        http://172.17.0.1:9080;
         }
 }

}
`

It works properly if I use it directly via port 9080

Here's my configuration

{
"uri": "/*",
"name": "test2-nobearer",
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE"
],
"vars": [
[
"http_Authorization",
"!",
"~~",
".Bearer."
]
],
"plugins": {
"openid-connect": {
"bearer_only": false,
"client_id": "tester",
"client_secret": "",
"disable": false,
"discovery": "https://auth.test.ph/realms/test-realm/.well-known/openid-configuration",
"introspection_endpoint_auth_method": "client_secret_post",
"realm": "test-realm",
"redirect_uri": "https://apisix.test.ph/",
"ssl_verify": false
},
"proxy-rewrite": {
"scheme": "https"
}
},
"upstream": {
"nodes": [
{
"host": "0.tcp.ap.ngrok.io",
"port": 10888,
"weight": 1
}
],
"timeout": {
"connect": 6,
"send": 6,
"read": 6
},
"type": "roundrobin",
"scheme": "http",
"pass_host": "pass",
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
}
},
"status": 1
}

[tzssangglass]

see: #3200

[tzssangglass]

Update: from experience, there should be a problem with the redirect_uri parameter. redirect_uri is assumed to be http://127.0.0.1:9080/api/v1/callback, and the purpose of this parameter is to expect the identity provider to request APISIX via redirect_uri and enter the OIDC logic to complete the authentication.

[tzssangglass]

You can also look here, I think it has to do with the openidc process: zmartzone/lua-resty-openidc#338

[juzhiyuan]

Just for reference, there has one similar case in Slack: https://the-asf.slack.com/archives/CUC5MN17A/p1656333755853119

[grassbl8d]

Problem also occurs with aws load balancer. It doesn't happen on an haproxy front end.

[juzhiyuan]

I'm not sure what happened here 🤔

Hi @tzssangglass, do you have any hints?

[tzssangglass]

I did not get valid information

[juzhiyuan]

OIDC doesn't work on the Nginx/AWS LB -> APISIX model.

Complete context: https://the-asf.slack.com/archives/CUC5MN17A/p1656333755853119

[tokers]

Is it due to the session cannot be shared between HTTPS and HTTP? I remember @bzp2010 has ever met such a similar case?

[grassbl8d]

hello,

Problem was sorted out in Slack.

The workaround is to add this to your config.yaml

nginx_config:
http_server_location_configuration_snippet: |
set $session_secret '12345678901234567890123456789012';

Now it works properly.

Thanks to all that helped!