
Bug when calling bearer_jwt_verify with cache_segment #431

Merged
merged 2 commits into from
Apr 23, 2022

Conversation

usysrc
Contributor

@usysrc usysrc commented Apr 22, 2022

Calling bearer_jwt_verify fails because gsub is used incorrectly. This PR fixes the calls to gsub.

The error:

2022/04/22 07:18:01 [error] 9#9: *6 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/openidc.lua:1789: bad argument #3 to 'gsub' (string/function/table expected)
stack traceback:
coroutine 0:
	[C]: in function 'gsub'
	/usr/local/openresty/lualib/resty/openidc.lua:1789: in function 'get_jwt_verification_cache_prefix'
	/usr/local/openresty/lualib/resty/openidc.lua:1799: in function 'get_cached_jwt_verification'
	/usr/local/openresty/lualib/resty/openidc.lua:1817: in function 'jwt_verify'
	/usr/local/openresty/lualib/resty/openidc.lua:1860: in function 'bearer_jwt_verify'
	access_by_lua(nginx.conf:76):23: in main chunk, client: 172.17.0.1, server: , request: "GET / HTTP/1.1", host: "localhost:8080"

A minimal nginx.conf used to test this:

events {
  worker_connections 128;
}

http {

  lua_package_path '~/lua/?.lua;;';

  resolver 8.8.8.8;

  lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
  lua_ssl_verify_depth 5;

  # cache for discovery metadata documents
  lua_shared_dict discovery 1m;
  # cache for JWKs
  lua_shared_dict jwks 1m;
  # cache for jwt_verify
  lua_shared_dict jwt_verification 1m;

  # NB: if you have "lua_code_cache off;", use:
  # set $session_secret xxxxxxxxxxxxxxxxxxx;
  # see: https://github.com/bungle/lua-resty-session#notes-about-turning-lua-code-cache-off

  server {
    listen 8080;

    location / {

      access_by_lua_block {
          local opts = {
            discovery = "https://accounts.google.com/.well-known/openid-configuration",
            -- prefix for the shared-dict cache keys; this is the option that triggers the gsub error
            cache_segment = "openidc_app",
          }

          -- call bearer_jwt_verify for OAuth 2.0 JWT validation
          local res, err = require("resty.openidc").bearer_jwt_verify(opts)

          if err or not res then
            ngx.status = 403
            ngx.say(err and err or "no access_token provided")
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end

          -- res is the decoded JWT payload, so the subject claim is res.sub
          -- (res.id_token only exists for the authenticate() flow)
          ngx.req.set_header("X-USER", res.sub)
      }

      proxy_pass http://localhost:80;
    }
  }
}
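To make the failure in the trace concrete, here is an added Lua illustration (not lua-resty-openidc's code and not the fix in this PR) of how a gsub call on the cache_segment option raises "bad argument #3 to 'gsub'", next to a correct cache-prefix builder; the function names and the use of "," as the cache-key separator are assumptions.

```lua
-- Added illustration, not the library's code. Function names and the ","
-- separator are assumptions made for this example.

-- Broken variant: gsub needs (pattern, replacement). With the method-call
-- form, self is argument #1 and the pattern #2, so the missing replacement
-- is argument #3, which is exactly what the error in the trace complains about.
local function broken_cache_prefix(opts)
  local segment = opts and opts.cache_segment or ""
  return segment:gsub(",")  -- argument #3 (the replacement) is nil
end

-- Corrected variant: rewrite "," to "_" so a user-supplied segment cannot
-- collide with the separator used inside the cache key. gsub returns the
-- rewritten string and a match count; the parentheses make explicit that
-- only the string becomes part of the key.
local function cache_prefix(opts)
  local segment = opts and opts.cache_segment or ""
  return (segment:gsub(",", "_")) .. ","
end

-- Demonstration with the cache_segment from the nginx.conf above.
local opts = { cache_segment = "openidc_app" }

local ok, err = pcall(broken_cache_prefix, opts)
assert(not ok, "broken variant must raise")
print("broken variant raised:", err)

assert(cache_prefix(opts) == "openidc_app,")
assert(cache_prefix({ cache_segment = "a,b" }) == "a_b,")
assert(cache_prefix(nil) == ",")  -- no cache_segment configured at all
print("cache prefix:", cache_prefix(opts))
```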

@bodewig
Collaborator

bodewig commented Apr 22, 2022

Strange this slipped through. Many thanks.

Would you please add yourself to the AUTHORS file, @usysrc?

@bodewig bodewig added the bug label Apr 22, 2022
@bodewig bodewig merged commit befbd1b into zmartzone:master Apr 23, 2022
@pratheekrebala

Thank you for fixing this! Is there an ETA for a release with this bug fix?

@usysrc usysrc mentioned this pull request Jul 22, 2022