request to the redirect_uri path but there's no session state found #490

Closed
Dark3clipse opened this issue Aug 16, 2023 · 2 comments

Dark3clipse commented Aug 16, 2023

Environment

  • lua-resty-openidc version: 1.7.6-3
  • OpenID Connect provider: Keycloak

Expected behaviour

The 'request to the redirect_uri path but there's no session state found' should be resolved in 1.7.6-3. It is not resolved for me.

I will walk through my configuration.

Building the container

Dockerfile:

FROM openresty/openresty:1.21.4.2-0-alpine-fat

# Install prerequisites
RUN apk update && \
    apk add --no-cache curl perl

# Install lua-resty-openidc and its dependencies via LuaRocks
RUN /usr/local/openresty/luajit/bin/luarocks install "lua-resty-http"
RUN /usr/local/openresty/luajit/bin/luarocks install "lua-resty-jwt"
RUN /usr/local/openresty/luajit/bin/luarocks install "lua-resty-openidc"

Build logs:

DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            Install the buildx component to build images with BuildKit:
            https://docs.docker.com/go/buildx/

Sending build context to Docker daemon  2.048kB
Step 1/6 : FROM openresty/openresty:1.21.4.2-0-alpine-fat
 ---> b964c56feb36
Step 2/6 : LABEL maintainer="[email protected]"
 ---> Using cache
 ---> 0bd326473856
Step 3/6 : RUN apk update &&     apk add --no-cache curl perl
 ---> Using cache
 ---> aa8cbad886e2
Step 4/6 : RUN /usr/local/openresty/luajit/bin/luarocks install "lua-resty-http"
 ---> Using cache
 ---> 22910ceac720
Step 5/6 : RUN /usr/local/openresty/luajit/bin/luarocks install "lua-resty-jwt"
 ---> Running in 5513c1f5ccbe
Installing https://luarocks.org/lua-resty-jwt-0.2.3-0.src.rock
Missing dependencies for lua-resty-jwt 0.2.3-0:
   lua-resty-openssl >= 0.6.8 (not installed)

lua-resty-jwt 0.2.3-0 depends on lua >= 5.1 (5.1-1 provided by VM)
lua-resty-jwt 0.2.3-0 depends on lua-resty-openssl >= 0.6.8 (not installed)
Installing https://luarocks.org/lua-resty-openssl-0.8.24-1.src.rock

lua-resty-openssl 0.8.24-1 is now installed in /usr/local/openresty/luajit (license: BSD)

lua-resty-jwt 0.2.3-0 is now installed in /usr/local/openresty/luajit (license: Apache License Version 2)

Removing intermediate container 5513c1f5ccbe
 ---> 51b8d728e3b1
Step 6/6 : RUN /usr/local/openresty/luajit/bin/luarocks install "lua-resty-openidc"
 ---> Running in 9f4908a53a94
Installing https://luarocks.org/lua-resty-openidc-1.7.6-3.src.rock
Missing dependencies for lua-resty-openidc 1.7.6-3:
   lua-resty-session >= 2.8, <= 3.10 (not installed)

lua-resty-openidc 1.7.6-3 depends on lua >= 5.1 (5.1-1 provided by VM)
lua-resty-openidc 1.7.6-3 depends on lua-resty-http >= 0.08 (0.17.1-0 installed)
lua-resty-openidc 1.7.6-3 depends on lua-resty-session >= 2.8, <= 3.10 (not installed)
Installing https://luarocks.org/lua-resty-session-3.10-1.src.rock

lua-resty-session 3.10-1 depends on lua >= 5.1 (5.1-1 provided by VM)
lua-resty-session 3.10-1 is now installed in /usr/local/openresty/luajit (license: BSD)

lua-resty-openidc 1.7.6-3 depends on lua-resty-jwt >= 0.2.0 (0.2.3-0 installed)
lua-resty-openidc 1.7.6-3 is now installed in /usr/local/openresty/luajit (license: Apache 2.0)

Removing intermediate container 9f4908a53a94
 ---> 04b822a09453
Successfully built 04b822a09453
Successfully tagged registry.example.org/openresty:latest
Successfully tagged registry.example.org/openresty:1.1

As you can see, it pulled lua-resty-session 3.10-1.

NGINX

My nginx server has the following access_by_lua block in front of a path:

access_by_lua '
		local opts = {
			redirect_uri = "https://myservice.example.org/redirect_uri",
			accept_none_alg = true,
			discovery = "https://myservice.example.org/auth/realms/production/.well-known/openid-configuration",
			client_id = "### censored ###",
			client_secret = "### censored ###",
			scope = "openid",
			redirect_uri_scheme = "https",
			logout_path = "/logout",
			redirect_after_logout_uri = "https://keycloak.example.org/auth/realms/production/protocol/openid-connect/logout?redirect_uri=https://myservice.example.org/",
			redirect_after_logout_with_id_token_hint = false,
			session_contents = {id_token=true},
			ssl_verify = false
		}
		-- authenticate the user via the OpenID Connect authorization code flow
		local res, err = require("resty.openidc").authenticate(opts)
		if err then
			ngx.status = 403
			ngx.say(err)
			ngx.exit(ngx.HTTP_FORBIDDEN)
		end
	';

Behavior

After successful login I am not redirected. In the logs I find:

2023/08/16 18:37:02 [error] 7#7: *13 [lua] openidc.lua:1484: authenticate(): request to the redirect_uri path but there's no session state found, client: 10.32.0.1, server: service.example.org, request: "GET /redirect_uri?state=809115afxxxxxxxxxxxxx66ddaxxxxxxx&session_state=aa8618bc-xxxx-4131-b40f-xxxxxxxx&code=xxxab4f4-54c7-xxxx-a433-74xxx51ba5ad.xxxx18bc-cf5f-xxxx-b40f-51680fxxxxxxx.64e5415-f06d-483b-8711-acxxxx233ba HTTP/2.0", host: "service.example.org"

Which seems to be related to #480, but I did not install session > v4.0.

To verify, I run a shell script in my container and execute:

nginx:/# luarocks list

Rocks installed for Lua 5.1
---------------------------

lua-resty-http
   0.17.1-0 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1

lua-resty-jwt
   0.2.3-0 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1

lua-resty-openidc
   1.7.6-3 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1

lua-resty-openssl
   0.8.24-1 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1

lua-resty-session
   3.10-1 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1

Clivern commented Aug 17, 2023

maybe you need a session secret, see bungle/lua-resty-session#23

Dark3clipse (Author) commented

> maybe you need a session secret, see bungle/lua-resty-session#23

This solved my issue, finally I can put my debugging efforts to rest :) Thanks! I will close the issue.
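
The fix suggested in the thread, written out as an nginx fragment (an added example, not code from the issue author or the lua-resty-openidc project). With lua-resty-session 3.x, an unset secret is generated randomly per worker process, so the callback to /redirect_uri can be handled by a worker that cannot read the cookie written before the redirect. The secret and client credentials shown are constructed placeholders, and the listen, TLS and resolver settings are assumed to exist already.

```nginx
# Added example: fragment of the server block from the issue.
# All values below are constructed placeholders.
server {
    server_name service.example.org;

    # One fixed secret shared by every worker (and every replica serving the
    # same hostname). Without it, each worker uses its own random secret and
    # the session written before the redirect to Keycloak may be unreadable
    # when the browser returns to /redirect_uri.
    # Placeholder: replace with your own random value; keep it out of version control.
    set $session_secret "REPLACE-WITH-YOUR-OWN-RANDOM-SECRET";

    location / {
        access_by_lua_block {
            -- Other options from the posted config are omitted for brevity.
            local opts = {
                redirect_uri  = "https://myservice.example.org/redirect_uri",
                discovery     = "https://myservice.example.org/auth/realms/production/.well-known/openid-configuration",
                client_id     = "CLIENT_ID_PLACEHOLDER",
                client_secret = "CLIENT_SECRET_PLACEHOLDER",
                scope         = "openid",
            }

            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                -- Log the detail server-side instead of echoing it to the client.
                ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
                ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        }
    }
}
```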
