Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ERROR: attempt to index global 'openidc' (a nil value) #481

Open
agudzunas opened this issue May 25, 2023 · 5 comments
Open

ERROR: attempt to index global 'openidc' (a nil value) #481

agudzunas opened this issue May 25, 2023 · 5 comments

Comments

@agudzunas
Copy link

agudzunas commented May 25, 2023

Hi, I am trying to make openresty authenticate with keycloak (v 21.1.1), but it is not working.

The errors I get:
authenticate(): request to the redirect_uri path but there's no session state found, client: xx.xx.xx.xx , server: lua-test.test.net, request: "GET /welcome?state=b17bd94747052c6223b484d7807f0215&session_state=e54c72ec-98ac-4dcc-b7fd-23872dffa66e&code=ef2f05ae-3147-4867-8e53-0e4ca67315a9.e54c72ec-98ac-4dcc-b7fd-23872dffa66e.b7a9c2ff-d8a2-4303-a4eb-8a96c34109e5 HTTP/1.1", host: "lua-test.test.net"

[error] 190628#190628: *4 lua entry thread aborted: runtime error: /etc/openresty/lua/main.lua:12: attempt to index global 'openidc' (a nil value)

Environment
- Ubuntu 22.04.2
- openresty/1.21.4.1
- lua-resty-openidc version (1.7.6)
- OpenID Connect provider (Keycloak 21.1.1)

Openresty Config

    # LUA SETTINGS #

    resolver local=on ipv6=off;
    resolver_timeout 5s;

    lua_package_path '/usr/local/share/lua/5.1/resty/?.lua;;';
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

main.lua. script

local opts = {
    ssl_verify = "no",
    redirect_uri = "http://lua-test.test.net/welcome",
    accept_none_alg = true,
    discovery = "https://sso.test.net/auth/realms/test/.well-known/openid-configuration",
    client_id = "test",
    client_secret = "clientsecret",
    session_contents = {id_token=true},
}

local res, err, target, session = require("resty.openidc").authenticate(opts)
openidc.set_logging(nil, { DEBUG = ngx.NOTICE })
session:close()
if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end
Expected behaviour
  1. Access web page in a browser
  2. Redirected to keycloak page for authentication
  3. Redirect back to page
Actual behaviour
  1. Access web page in a browser
  2. Redirected to keycloak page for authentication
  3. After authentication not redirecting back to page. Error 500 appears. Errors in log (mentioned before)

Any idea what is wrong or where to look at?
My suspicion that some lua packages not working, but I checked all dependencies few times - everything looks fine.
Any suggestions how to debug it further?

Thanks.

@bodewig
Copy link
Collaborator

bodewig commented May 25, 2023

the error you see is in your code, you never assign any value to the variable openidc you use. You want to do something like

local openidc = require("resty.openidc")
local res, err, target, session = openidc.authenticate(opts)
openidc.set_logging(nil, { DEBUG = ngx.NOTICE })
...

the other error indicates your redirect_uri is invoked without session cookie. You may need to explicitly set the cookie's SameSite behavior as your browser may reject to send it if the setting doesn't match the circumstances. See https://github.com/bungle/lua-resty-session/tree/v3.10#string-sessioncookiesamesite

@agudzunas
Copy link
Author

Thank you for you answer, it helped solve a problem with 'openidc' (a nil value).

Unfortunately problem with request to the redirect_uri path but there's no session state found still there.
I've tried all possible variations of setting cookies for SameSite, result is always the same.
Is there an exemple setup, or documentation how to properly setup this? Link to lua-session didn't help much, because I am not sure how to use lua-session in my scenario.

Ended up with this setup:

server {
       listen 80;
       listen [::]:80;
        resolver local=on ipv6=off;
        resolver_timeout 5s;

       server_name lua-test.test.com;
       set $session_name nginx_session;
       root /var/www;
       index index.html;


  set $session_storage cookie;
  set $session_cookie_persistent on;
  set $session_cookie_secure on;
  set $session_cookie_httponly on;
  set $session_cookie_samesite Lax;

  server_tokens off;
  
location / {

client_body_buffer_size 128k;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;

proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;


            access_by_lua_file /etc/openresty/lua/main.lua;
            proxy_pass http://localhost:8000;
}

Anything I need to change here?

Thank you.

@bodewig
Copy link
Collaborator

bodewig commented May 26, 2023

set $session_cookie_samesite Lax;

should be fine. You may want to check in the developer tools of your browser the session cookie is set correctly before you are sent over to your OpenID Connect provider and whether your client sends it back once it follows the redirect back.
At least the second part doesn't seem to happen.

When you say

redirect_uri = "http://lua-test.test.net/welcome"

is http://lua-test.test.net the protocol and hostname you use before you are being redirected to the OIDC provider? If not then the Cookie is not set for your target and redirect_uri_path = '/welcome' might be better. BTW, the redirect_uri is something that is internal to the OIDC protocol and not a URI you would provide yourself, quite the opposite. This is a URI handled by lua-resty-openidc internally.

Oh, I just see set $session_cookie_secure on; This means the session cookie will have its Secure flag set, which again tells the browser to only transfer it over https (not plain http) and by itself would explain why the browser does not send the cookie to your configured redirect_uri.

As far as examples go, the README of this project contains a working example for an OpenID Connect flow.

@agudzunas
Copy link
Author

Hi, thank you for reply, still no luck.

As i mentioned, I tried pretty much every combination of config I could think of. set $session_cookie_secure on or off - nothing changes. Same for redirect_uri or redirect_uri_path. Still not sure what you by URI that I provide myself. /welcome is just random non-existing URI ( From all reading I understood that it should not be an actual page, correct?) Or is it needs to be some specific address?

Checked cookies with development tools - I see that cookie is set and it is there. Keycloak authenticates successfully, I can see a session in keycloak. It just after redirect nothing works.

I have suspicion that something wrong in a deeper level: dependencies, package versions? Did someone already launched it successfully on ubuntu 22? I tried the most basic setup from READ.ME - result is the same.

Any advice is much appreciated. Thank you.

@bodewig
Copy link
Collaborator

bodewig commented May 29, 2023

You are correct, redirect_uri is not a page you provide, it has to be internal to lua-resty-openidc. So it has to be inside of a location that lua-resty-openidc feels responsible for. This is the case in your config.

The error message you see really means "there is no session cookie". It could also mean "there is one but I can not read it" - which could be the case if there are two different machines in play. The cookie is encrypted and unless you specify an secret yourself, a new random one is created on each server start. I don't think this happens here.

I don't believe it has got anything to do with dependencies at all. Do you see the session cookie being sent by your browser when the redirect from Keycloak to your /welcom URI happens? This is where it has to be included. Compare hostname, port and protocol of the URI accessed both when the cookie is set and when the redirect happens. They need to be the same. Also verify SameSite is not Strict and the cookie set is not setting the Secure flag unless you are actually using HTTPs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants