missing session cookie - from lua resty openidc

[dhavalkshah]

Context:
I am trying to use Kong + OpenIDC (Custom plugin), based on nokia/kong-oidc
The setup is using docker desktop.

I run luarocks install lua-resty-openidc while building the custom kong image.

Following the code-snippet from my handler.lua:

local res, err = require("resty.openidc").authenticate(oidcConfig)
    if err then
        if oidcConfig.recovery_page_path then
            ngx.log(ngx.NOTICE, "Entering recovery page: " .. oidcConfig.recovery_page_path)
            ngx.redirect(oidcConfig.recovery_page_path)
        end
        utils.exit(500, err, ngx.HTTP_INTERNAL_SERVER_ERROR)
    end

I get the following error:
attempt to call method 'start' (a nil value), client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"

I figured that it was from session:start() present in openidc.
It seemed that session was not getting initialized, so I tried similar in my local handler.lua.
Following is the code from my local handler.lua (inspired from openidc)

    local session, err, ret = require("resty.session").open(nil)
    if (session ~= nil) then
        ngx.log(ngx.NOTICE,"session is not nil")
        ngx.log(ngx.DEBUG,
            "session.present=", session.present,
            ", session.data.id_token=", session.data.id_token ~= nil,
            ", session.data.authenticated=", session.data.authenticated,
            ", err=", err,
            ", ret=",ret
        )
        session:start()
    else
        ngx.log(ngx.NOTICE, "Session is nil")
    end

I observe that session is not null and err is printed is as "missing session cookie".
Here is the snippet of the logs

2024-10-07 11:16:12 2024/10/07 05:46:12 [notice] 2413#0: *20313 [lua] handler.lua:73: make_oidc(): OidcHandler calling authenticate, requested path: /mock, client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"
2024-10-07 11:16:12 2024/10/07 05:46:12 [notice] 2413#0: *20313 [lua] handler.lua:76: make_oidc(): session is not nil, client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"
2024-10-07 11:16:12 2024/10/07 05:46:12 [debug] 2413#0: *20313 [lua] handler.lua:77: make_oidc(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, err=missing session cookie, ret=false
2024-10-07 11:16:12 2024/10/07 05:46:12 [error] 2413#0: *20313 [kong] init.lua:426 [fountane-oidc] ...cal/share/lua/5.1/kong/plugins/fountane-oidc/handler.lua:84: attempt to call method 'start' (a nil value), client: 172.18.0.1, server: kong, request: "GET /mock HTTP/1.1", host: "localhost:8000", request_id: "7df8870a8d3fa916cf1c5a540f2b9f3f"

Not sure what am I missing here.
Any pointers are appreciated.

[chrissnell]

I'm having the identical issue. Interested to see if you ever figured it out. It seems like the cookie cannot be read by resty.session when the request comes in. I see the client presenting the cookie but the read fails. I am using lua-resty-session within Kong 3.9 and this fork of kong-oidc.

[seboudry]

Hi @chrissnell !
We also use Kong 3.9 with a fork of revomatic/kong-oidc.

Did you succeed installation?

[chrissnell]

Hi @chrissnell ! We also use Kong 3.9 with a fork of revomatic/kong-oidc.

Did you succeed installation?

No! I still haven't figured this out. Did you get it working? Can you link me to your fork? Thanks.

[seboudry]

Might work with our fork https://github.com/QuickSign/kong-oidc.

And by setting redirect_uri with an unexisting path (previously, we used https://my-app.company.com/*).

For example:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: oidc-company-sso-my-app
  annotations:
    kubernetes.io/ingress.class: kong-private
plugin: oidc
config:
  client_id: my_app_client_id
  client_secret: my_app_clien-secret
  discovery: https://sso.company.com/my-app/.well-known/openid-configuration
  redirect_uri: https://my-app.company.com/redirect_uri

Can you test it too @chrissnell?

[chrissnell]

And by setting redirect_uri with an unexisting path (previously, we used https://my-app.company.com/*).

Setting this to a non-existing path just sends the client to the main page of my application. How do I get this to redirect back to the particular path (URI) that we are trying to protect with OIDC?

[kou0312-png]

I faced same issue that OIDC cookie would be lost after upgrading lua-session 4.1.1.
4.0.5 is working fine for this.

[seboudry]

And by setting redirect_uri with an unexisting path (previously, we used https://my-app.company.com/*).

Setting this to a non-existing path just sends the client to the main page of my application. How do I get this to redirect back to the particular path (URI) that we are trying to protect with OIDC?

Client should be redirect to the first URI he tried to reach before being handled by OIDC workflow.

[bungle]

@kou0312-png, the 4.1.2 ia now released.