Ability to configure an "external" redirect_uri, as well as a "local" path to recognize as an authorization callback #453

Closed
raythree opened this issue Sep 27, 2022 · 6 comments


As mentioned in this comment:

#450 (comment)

Our application is using an nginx sidecar with lua-resty-openidc, and our application is behind an inbound reverse proxy that uses URLs with a prefix like "app-name" as in "https://app-name/some/path" to route. But our application is not aware of "app-name" and only looks for paths like /some/path. We thought that we could use:

opts.redirect_uri => Configure the full redirection URI to give to the auth server (https://host/app-name/callback)
opts.redirect_uri_path => Configure the path to recognize as an inbound authorization callback (/callback)

It seems that if we put the "opts.redirect_uri_path" in FRONT of the "and" statement that this would work:

https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1437

However the code also indicates that "redirect_uri_path" is deprecated. It would be nice if it could be used as suggested above, where the external URL that the authorization server needs to redirect to is different from the path used to recognize it as an authorization callback.

@bodewig
Collaborator

bodewig commented Sep 29, 2022

Not sure when I will get to this, but I think I'd prefer a new separate configuration parameter to make its purpose more clear. Need to think about it again, though.

@raythree
Author

raythree commented Sep 30, 2022

Thanks. Any two properties are fine, as long as one means "this is the URL that you need to provide as the redirect_url to the authorization server" and the other means "this is the path that is used to recognize it as a redirection callback". For now, we are using the full path (redirect_uri), and then rather than having our front end router strip the path, they proxy with the full path, and we strip it out in our sidecar, just after the OpenResty Lua block, but before going to the application. But long term, it is better to have our front end router strip it; then all applications can use the same sidecar (that does not need to strip an app-specific path).

bodewig added a commit that referenced this issue Nov 6, 2022
see #453

Signed-off-by: Stefan Bodewig <stefan.bodewig@innoq.com>
@bodewig
Collaborator

bodewig commented Nov 6, 2022

Sorry, it took longer than I had hoped. A new opts.local_redirect_uri_path has been added to the master branch just now.
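
A sketch of the setup discussed in this thread, added here as an illustration and not taken from the project or from any participant: a sidecar behind a router that strips the "/app-name" prefix, using opts.redirect_uri together with the new opts.local_redirect_uri_path. The discovery URL, client_id, environment variable name, upstream address and the X-User header name are assumptions; the two callback values are the ones used in the issue description.

```nginx
# Added example (not project code). Requires a lua-resty-openidc version that
# ships local_redirect_uri_path. Placeholders are constructed for illustration.
# Main context needs "env OIDC_CLIENT_SECRET;" so workers can read the variable.
server {
    listen 8080;

    location / {
        access_by_lua_block {
            local opts = {
                discovery = "https://idp.example.com/.well-known/openid-configuration",
                client_id = "example-client",
                client_secret = os.getenv("OIDC_CLIENT_SECRET"),

                -- External URL sent to the OP as redirect_uri. It has to match
                -- the redirect URI registered for this client at the OP.
                redirect_uri = "https://host/app-name/callback",

                -- Path the sidecar actually sees once the front end router has
                -- stripped the prefix; requests to it are treated as the
                -- authorization callback.
                local_redirect_uri_path = "/callback",
            }

            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end

            -- Overwrites any client-supplied value before proxying
            -- (header name is an assumption of this example).
            ngx.req.set_header("X-User", res.id_token.sub)
        }

        # The application only knows prefix-free paths such as /some/path.
        proxy_pass http://127.0.0.1:3000;
    }
}
```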

@raythree
Author

Thank you! Just saw this now, which is good timing as we are updating our sidecar. Will give this a try.

@bodewig
Collaborator

bodewig commented Feb 8, 2023

This is part of the 1.7.6 release.

@bodewig bodewig closed this as completed Feb 8, 2023
@thanhdm86

Dear Mr. @bodewig:
I am stuck with the problem:
[lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found,

And this is my lua:
access_by_lua '
  local opts = {
    redirect_uri_path = "/redirect_uri",
    accept_none_alg = true,
    discovery = "http://10.0.1.147:8080/auth/realms/master/.well-known/openid-configuration",
    client_id = "nginx",
    client_secret = "3df1bcaa-891f-4474-8c4c-6ab5944fa9ab",
    redirect_uri_scheme = "http",
    ssl_verify = "no",
    logout_path = "/logout",
    redirect_after_logout_uri = "http://10.0.1.147:8080/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://10.0.1.146",
    redirect_after_logout_with_id_token_hint = true,
    session_contents = {id_token=true}
  }
  -- authenticate the request via OpenID Connect
  local res, err = require("resty.openidc").authenticate(opts)

  if err then
    ngx.status = 403
    ngx.say(err)
    ngx.exit(ngx.HTTP_FORBIDDEN)
  end
';

Could you help me solve this?
Thank you very much.
