
How to modify session parameters? #502

Open
netchild opened this issue Dec 14, 2023 · 6 comments
Comments

@netchild

Hi,

I have the "no session state found" problem. Keycloak seems to set the SameSite policy to Strict, and it seems Google Chrome will enforce that at some point.

As such I want to switch the sessions storage to something else, maybe a SQL table, or SHM storage, or file storage.

How can I do that?

Environment
  • lua-resty-openidc version (e.g. 1.7.6)
  • OpenID Connect provider Keycloak v23
Expected behaviour
Actual behaviour
Minimized example

I tried

set $session_storage   shm;
set $session_cookie_samesite   Lax;

but this doesn't work, still no session state found.

I tried
local res, err = require("resty.openidc").authenticate(opts, nil, nil, { cookie = { storage = "shm", shm = { zone = "sessions"} } })
but this doesn't work either, no session state found.

Configuration and NGINX server log files

Config and logs for the minimized example, possibly provided as attachments.

@bodewig
Collaborator

bodewig commented Dec 14, 2023

You will still need a cookie which holds the session-id. You can set the Same-site value for that via configuration (see the docs of lua-resty-session). The same-site value of Keycloak shouldn't matter much (and I would have expected it to be Lax, but don't know much about Keycloak).

@bodewig
Collaborator

bodewig commented Dec 14, 2023

You should probably use your browser's developer tools to see whether the cookie is set, what it looks like and if it is sent back when you return from the OIDC provider.
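To make the "check the cookie in the developer tools" advice above (and the SameSite point in the previous comment) concrete, here is a small added script, not part of lua-resty-openidc or this thread: it parses Set-Cookie header values copied from the network tab and predicts, using Chrome's SameSite rules, whether the session cookie will be sent on the top-level redirect back from the provider to the redirect_uri. The sample headers are constructed.

```python
"""Added example: predict whether a session cookie survives the OIDC redirect.

Assumes Chrome's SameSite behaviour: a missing or unrecognised SameSite
attribute is treated as Lax; SameSite=None requires Secure.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or True for flags such as Secure
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def sent_on_redirect_back(cookie: Cookie) -> bool:
    """The redirect_uri step is a top-level GET navigation arriving from the
    provider's site. Strict cookies are withheld on it, Lax cookies are sent,
    and SameSite=None cookies are sent only when also marked Secure."""
    samesite = str(cookie.attrs.get("samesite", "lax")).lower()
    if samesite == "strict":
        return False
    if samesite == "none":
        return cookie.attrs.get("secure") is True
    return True  # Lax, missing or unrecognised value (treated as Lax)


# Constructed sample headers, modelled on the Set-Cookie lines in this thread.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "session=abc123; Path=/; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(f"SameSite={c.attrs.get('samesite')}: sent back = {sent_on_redirect_back(c)}")
```

A `False` verdict for the lua-resty-session cookie means the redirect_uri request arrives without the session id, which is exactly the "no session state found" failure.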

@bodewig
Collaborator

bodewig commented Dec 14, 2023

Also, please note lua-resty-openidc uses lua-resty-session 3.x, be careful to read the matching docs. I don't know whether configuration has changed in the meantime.

@netchild
Author

> Also, please note lua-resty-openidc uses lua-resty-session 3.x, be careful to read the matching docs. I don't know whether configuration has changed in the meantime.

I've seen a closed issue which says it upgraded to lua-resty-session 4.0.3. Is this not in the most recent release?

@netchild
Author

> You will still need a cookie which holds the session-id. You can set the Same-site value for that via configuration (see the docs of lua-resty-session). The same-site value of Keycloak shouldn't matter much (and I would have expected it to be Lax, but don't know much about Keycloak).

So a SameSite value of Lax in the settings of the to-be-protected-site should work?

@netchild
Author

I tried with "set $session_cookie_samesite Lax;"

The first request to protected.site.tld/ does a Set-Cookie session=...;SameSite=Lax.
Second request goes to keycloak with auth?client_id=... and does a set-cookie for some keycloak stuff which looks ok too.
3rd goes to keycloak with required-action?... and does a set-cookie for some keycloak stuff which looks ok too.
4th goes to perfdata.../redirect_uri?... with a session cookie but fails with the 403 from the lua config above.

In the nginx error log I see now that the connection to keycloak is refused... strange. Other connections a few seconds before just worked.
And if I try to reload, I get the "openidc.lua:1484: authenticate(): request to the redirect_uri path but there's no session state found," error but the cookie contains a session-cookie.

Is there a way to get a more useful error message or some kind of debug output? So far I see only ERR_INVALID_RESPONSE in Edge (could also be the corporate proxy I'm behind ATM). I will try to check tomorrow with Firefox/Chrome and no proxy.
