-
-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate lua-resty-session to 4.0.3 [tested, works] #489
Conversation
Hi. Will this get merged? @bodewig |
@bodewig |
@oldium Hello, I git cloned your branch and built it in a Dockerfile along with kong-oidc. I was hoping your changes would resolve the error I keep getting. using Docker: The route is set to redirect to Keycloak for testing auth. But I get the following error in the Kong logs when Keycloak redirects back to the route.
What am I missing? The Thanks. |
@ja-softdevel - can you list which luarocks plugins you have installed? usually, its lua-resty-session, which appears twice and causes the exact problem you are having. |
FYI: I haven't had much experience with lua. C++, Python but not lua. So still figuring out how it does things. Looks like lua-resty-session is appearing twice and lua-resty-openidc in the list:
In the Dockerfile, I'm installing 3 lua packages.:
Should I first uninstall lua-resty-openidc and lua-resty-session packages before doing the git clones? |
How did you install the plugins? You've added the Anyways,
Which is why we are talking merging this PR into the master. :) |
Newest Kong GW images use lua-resty-session 4, so I think that would not work. I guess you have this for Kong GW, right? |
Alrighty! So I added this line to the Dockerfile just after my apt updates but before doing the git clones which removed 4.0.4-1.
After I clone @oldium 's fork and set to the resty-session-4.x branch, that repo will cause lua-resty-session 4.0.5-1 to get installed. Then starting docker-compose and letting decK complete, I added the kong-oidc plugin to the (oh so lovely) '/cats' route. Only items set on the plugin were: I have deleted the image and rebuilt it. Then ran docker up/down to ensure this worked. Thank you so much @lordgreg and @oldium for the assistance. Hopefully, @bodewig can get this merged and maybe add you two as maintainers to help prevent development stall out. |
I've tested it and it seems to works for me too. |
I get the following error when trying to logout a user that happens to not be logged-in, which used to work:
Replacing lua-resty-openidc/lib/resty/openidc.lua Line 1287 in 734a3f4
if next(session:get_data()) ~= nil then
session:destroy()
end |
Thanks, I will check it |
Hi. Will this get merged? @bodewig |
So people don't need to keep asking: I can not foresee when (or even if) I will find to properly review this or #478 myself. It is my impression that lua-resty-session has also changed semantics so changing the code in way that Lua is happy will not be enough. Reports by people who have tried the patches in both PRs confirm this is not a simple "apply and all is well" fix. I do not have the cycles to understand what has changed between 3.x and 4.x over in lua-resty-session. lua-resty-openidc lacks any tests that would make use of sessions and personally I don't run any environment using lua-resty-openidc at all right now so wouldn't be able to properly test things myself. |
6250ab9
to
95d6fae
Compare
I checked it and it seems this is a problem of lua-resty-session, so I reported a bug there. I also added the suggested workaround to lua-resty-openidc and a test case until this is fixed. |
95d6fae
to
1553a39
Compare
I have renamed the Pull Request to indicate this is more up-to-date than the second (unmaintained) one. Anyway, enjoy 🚀😁 |
Just for info: We are using the code from this Pull Request in our project in
|
It looks like the tests fail randomly - |
Fixed decoding of Base64Url in tests (old issue), so they should pass now. |
I have to say that ChatGPT recommended the Base64 fix and it really worked... |
Tested working for me |
amazing work, thanks! |
@bodewig just curious if there is someone else you trust that can review lua-resty-session and how it impacts lua-resty-openidc if you are unable at the moment. I am sensitive to supply chain attacks and people trying to force/manipulate maintainers to approve things, especially an identity tools like this. So, not trying to pressure you. Just don't want to see this project get stalled, and if there is someone you trust to review this for you... |
Hi, |
@bodewig this seems to be stalled because it's not a priority for you. How can the community help get this over the line? Perhaps someone who worked on the changes from lua-resty-session could assist? Along with someone who uses lua-resty-openidc more frequently? |
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Bug in lua-resty-session does not permit calling session:destroy() on freshly started session with unset "audience" feature, so check for empty session before trying to destroy it. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Address range 192.0.2.0/24 is reserved for documentation according to RFC 5737. The recommendation is to reject routing of this address range on routers, but as this is not mandatory, it might happen that the address is really routed. The tests on Docker on Windows fail because of this it, the fail reason is different to the expected one. Fix this by configuring Nginx to listen on 127.0.0.1:80 (and not 0.0.0.0:80) and connecting to 127.1.2.3 instead of 192.0.2.1. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The mime module expects padded Base64 value, so add missing padding. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
a83609b
to
d0dc1fd
Compare
Rebased on top of master |
I believe that by now we should really merge this, as to be compliant with lua-resty-session 4.x moving forward. But we can only do so if someone can take responsibility for fixing stuff that may arise after releasing it, most probably in a v2.0.0. It appears that neither @bodewig or me are able to do that so @oldium if we could add you as a maintainer I believe we can move forward with this assuming @bodewig agrees as well. Both, please confirm. |
I can do bugfixing after release same as I did in this thread, so no problem for me. |
It is a lack of time and energy, not "not a priority", but the result is the same. I'm totally fine with adding @oldium I have glanced over the code in the past and did the same just now. I am not sure this patch is going to create a new session cookie as it no longer calls In less words this patch may bring back #190 or not, I don't really know. |
closes #464 #480 #503; thanks @oldium @balajiv113 Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
Hello @bodewig, I just meant you had other things in your life with higher priority. Which is totally understandable. I did NOT mean to imply that you didn't care. You obviously have put a lot of time and effort into this, and it is appreciated by many. |
Don't worry @justin-octo , there are no hard feelings and I didn't take it as an insult. Just wanted to explain my situation a bit. Thank you for your kind words. |
I remember investigating this and using |
The only problem could arise when multiple use of a refresh token is being prevented (when a refresh issues a new refresh token and invalidates the token used), but since a failed refresh does not update the cookie, this should only occur once when multiple requests are issued in parallel with an expired access token. |
right - and this is a situation that we also could not prevent with the |
@bodewig @oldium it seems we have feature/known-issue parity with 1.7.6 then? ; @oldium just let me know when you think we should cut a new release 1.8.0, perhaps after receiving feedback from @markbanierink in #526 (comment) ? |
The tenant-specific usage worked, so I think we can cut a new release 😊 |
Great news! Thanks everyone for all the hard work |
Complete rework of #478, all issues of #478 should be addressed. Uses
session:set
andsession:get
to manipulate the session variables.Tested by unit tests and on real-world project.