revomatico / docker-kong-oidc

Kong + OIDC plugins

openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found. KONG_X_SESSION_SECRET's been set.

SecFromTheNest opened this issue · comments

Got this error when redirected back after successfully logging in from Keycloak.

```
openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 172.18.0.1, server: kong, request: "GET /cb?state=8c3eae03d96abf7ce7b9f91d0229fce2&session_state=0a7a489c-b5ba-4aeb-8f6b-52dc7481b596&code=d4eba5ac-ab77-4b5a-b7f4-b18efd9ac708.0a7a489c-b5ba-4aeb-8f6b-52dc7481b596.18885a48-8ea5-4d78-8eae-9fc2478fb0e5 HTTP/1.1", host: "localhost:18000"
```

OP: Keycloak.

```
-e KONG_X_SESSION_SECRET=Q211IzIwMTc= \
-e KONG_X_SESSION_NAME=oidc_session \
```

kong-oidc session_secret set to Q211IzIwMTc=

  1. I assume you use 3.2.2-2?
  2. I assume there is only 1 instance of keycloak?
  3. Can you please provide the full command line that you have started kong with?

```bash
#!/bin/bash

# Run from the directory that contains this script so common.sh is found.
cd "$(dirname "$(readlink -f "$0")")"
# common.sh defines DOCKER_CONTAINER, DOCKER_IMAGE and the KONG_LOCAL_* ports.
. common.sh

set -x
# Start Kong with the oidc plugin; the KONG_X_SESSION_* variables configure the session.
docker run -d -it \
    --network=kong-net \
    --name "$DOCKER_CONTAINER" \
    --hostname "$DOCKER_CONTAINER" \
    -e KONG_LOG_LEVEL=info \
    -e KONG_ADMIN_ACCESS_LOG=/dev/stdout \
    -e KONG_ADMIN_ERROR_LOG=/dev/stderr \
    -e KONG_ADMIN_GUI_ACCESS_LOG=/dev/stdout \
    -e KONG_ADMIN_GUI_ERROR_LOG=/dev/stderr \
    -e KONG_PORTAL_API_ACCESS_LOG=/dev/stdout \
    -e KONG_PORTAL_API_ERROR_LOG=/dev/stderr \
    -e KONG_PROXY_ACCESS_LOG=/dev/stdout \
    -e KONG_PROXY_ERROR_LOG=/dev/stderr \
    -e KONG_ANONYMOUS_REPORTS='false' \
    -e KONG_CLUSTER_LISTEN='off' \
    -e "KONG_DATABASE=postgres" \
    -e "KONG_PG_HOST=kong-database" \
    -e "KONG_PG_PASSWORD=kongpass" \
    -e "KONG_PASSWORD=test" \
    -e KONG_LUA_PACKAGE_PATH='/opt/?.lua;/opt/?/init.lua;;' \
    -e KONG_NGINX_WORKER_PROCESSES='1' \
    -e KONG_PLUGINS='bundled,oidc,cookies-to-headers' \
    -e KONG_ADMIN_LISTEN='0.0.0.0:8001' \
    -e KONG_PROXY_LISTEN='0.0.0.0:8000, 0.0.0.0:8443 http2 ssl' \
    -e KONG_STATUS_LISTEN='0.0.0.0:8100' \
    -e KONG_NGINX_DAEMON='off' \
    -e KONG_X_SESSION_MEMCACHE_PORT="'1234'" \
    -e KONG_X_SESSION_COMPRESSOR=zlib \
    -e KONG_X_SESSION_SECRET=Q211IzIwMTc= \
    -e KONG_X_SESSION_NAME=oidc_session \
    -p "$KONG_LOCAL_ADMIN_PORT:8001" \
    -p "$KONG_LOCAL_HTTP_PORT:8000" \
    -p "$KONG_LOCAL_HTTPS_PORT:8443" \
    "$DOCKER_IMAGE" \
    "$@"
```

This is my run.sh file. Yes, I'm using 3.2.2-2 and have only 1 instance of Keycloak running.

Indeed, seems to be caused by breaking changes in lua-resty-session 4 (used by kong 3.2.x). Ref: #37 (comment)

Please use cristianchiru/docker-kong-oidc:3.2.2-3 - should fix the issue.

Issue fixed. Thank you very much!