Nginx OpenIDC with Keycloak 2.5 - Redirect Loop

[rkumark]

Hello,

I have installed the lua-resty-openidc module in Nginx server and opensource keycloak server.

When I access any resource in Nginx it got redirect to Keycloak server for authentication. After authentication it redirect to Redirect URI and getting HTTP 500 server error. Am I missing something in the Redirect_Uri param?

http://nginxint.com:81/token?state=08621333464a7df9e995227744bc9d0a&code=grVpNleibVO_ogX5BhxEkgktuSEe83337xTrlvunkNo.458efbab-d1bf-4a98-89c0-9a958a3274b6

Returns HTTP 500 error.

Here is my opendic config.
access_by_lua '
local opts = {
-- the full redirect URI must be protected by this script and becomes:
-- ngx.var.scheme.."://"..ngx.var.http_host..opts.redirect_uri_path
-- unless the scheme is overridden using opts.redirect_uri_scheme or an X-Forwarded-Proto header in the incoming request
redirect_uri_path = "/token",
discovery = "http://keycloakint.com:8080/auth/realms/DCOS/.well-known/openid-configuration",
client_id = "NginxWS",
--client_secret = "<client_secret>"
--authorization_params = { hd="pingidentity.com" },
--scope = "openid email profile",
--iat_slack = 600,
--redirect_uri_scheme = "https",
--logout_path = "/logout",
--token_endpoint_auth_method = ["client_secret_basic"|"client_secret_post"],
--ssl_verify = "no"
}

[zandbelt]

looks like you need to configure a registered client secret that is not commented out

[rkumark]

I have the client secret, commented for testing. Here is my most recent config

access_by_lua '
local opts = {
-- the full redirect URI must be protected by this script and becomes:
-- ngx.var.scheme.."://"..ngx.var.http_host..opts.redirect_uri_path
-- unless the scheme is overridden using opts.redirect_uri_scheme or an X-Forwarded-Proto header in the incoming request
redirect_uri_path = "/mesos/",
discovery = "http://keycloakint.com/auth/realms/DCOS/.well-known/openid-configuration",
client_id = "NginxWS",
client_secret = "1f0b8205-aa23-48b6-9183-491b5c347218",
--authorization_params = { hd="pingidentity.com" },
scope = "openid email profile",
iat_slack = 600,
redirect_uri_scheme = "http",
--logout_path = "/logout",
-- token_endpoint_auth_method = ["client_secret_basic"|"client_secret_post"],
ssl_verify = "no"
}

[rkumark]

Thanks for the prompt response.

[zandbelt]

can you look into the error log and paste it?

[rkumark]

Here is the error log.

2017/01/19 15:27:08 [error] 32603#32603: *5 [lua] openidc.lua:294: authenticate(): state from argument: 0268b134ffd9713b0e7cbe5afe92712c does not match state restored from session: 2e02415f1c05c2e4866e146bb825f267, client: 134.132.52.220, server: ec2-54-209-213-133.compute-1.amazonaws.com, request: "GET /mesos/?state=0268b134ffd9713b0e7cbe5afe92712c&code=mc4ccfDtwnXFVtTqLLMzf0NLYk6M2C9eFJKIQVDEnL0.fbcfdf63-769f-431a-9afe-7d83b8d37ce8 HTTP/1.1", host: "ec2-54-209-213-133.compute-1.amazonaws.com:81"

[zandbelt]

Could it be that multiple parallel requests are going out at the same time?

[rkumark]

It goes in to infinite loop and fails.

What is Redirect_URI What value we need to use?
redirect_uri_path = "/redirect_uri",

Any possibility to join a web ex call to help on the lua module?

[rkumark]

I'm trying to proxy all the DCOS admin URLS via Nginx, but allow only authenticated users to DCOS admin urls.

[zandbelt]

The redirect URI is OK and correctly registered with the Provider or else you would not get to this error message; I believe multiple parallel request may be the issue here; can you provide the full log?

[rkumark]

Hello,

Here is the complete log with debug mode.
aa.zip

[rkumark]

From the log I see openidc module extracted the user id from token, not sure why its redirecting back to keycloak again and again.

2017/01/19 17:07:02 [debug] 1212#1212: *4 [lua] openidc.lua:274: openidc_call_userinfo_endpoint(): userinfo response: {"sub":"a1d3a221-2552-4e37-8e7e-5b44e8e376b6","name":"","preferred_username":"admin"}

[zandbelt]

I believe the error may be in your config: the redirect URI is a special case that is handled by lua-resty-openidc itself just be defining it; you should not try to access it directly from the browser; take a look at the sample configs that would show you protect a certain path "/" which is also the path that you access from the browser, not trying to hit the redirect URI directly.

There's room for documentation improvement indeed ;-)

[rkumark]

Can I leave the Redirect_URI blank? basically if I access example:

http://awsamazon.com/secured, After authentication redirect back to http://awsamazon.com/secured instead of http://awsamazon.com/redirect_uri

Second question, I would like to protect everything at the root example

http://awsamazon.com/ Lets protect everything under /

[zandbelt]

then protect "/" with your access_by_lua statement and use /secured as the redirect_uri_path setting, similar to the sample from the README here: https://github.com/pingidentity/lua-resty-openidc#sample-configuration-for-google-signin

but you can't serve real content on /secured then anymore, that's why you'd typically use a redirect_uri_path like /redirect_uri or /secured/redirect_uri; it's a "vanity URL" that handles protocol messages, it cannot serve content

[rkumark]

Still having the issue, I have secured at root level, but it keep on redirecting back and forth until browser throws error. Changed redirect uri back to redirect_uri and access the website as
http://awsamazon.com/

example:
location / {
include nginxoidc.conf;

nginxoidc.conf
local opts = {
-- the full redirect URI must be protected by this script and becomes:
-- ngx.var.scheme.."://"..ngx.var.http_host..opts.redirect_uri_path
-- unless the scheme is overridden using opts.redirect_uri_scheme or an X-Forwarded-Proto header in the incoming request
redirect_uri_path = "/redirect_uri",
discovery = "http://ec2-54-209-213-133.compute-1.amazonaws.com:8080/auth/realms/DCOS/.well-known/openid-configuration",
client_id = "NginxWS",
client_secret = "secret",
authorization_params = { hd="amazonaws.com" },
scope = "openid email profile",
iat_slack = 600,
redirect_uri_scheme = "http",
--logout_path = "/logout",
-- token_endpoint_auth_method = ["client_secret_basic"|"client_secret_post"],
token_endpoint_auth_method = "client_secret_basic",
ssl_verify = "no"
}