lua-resty-openidc is a certified OIDC and OAuth library built onto openresty. While openresty is a reverse proxy built on nginx with lua and luaJit embedded, which greatly upgrade nginx’s capability.

lua-resty-openidc is able to authenticate and authorize the client with compliant OP (keycloak in my case). However, I was facing issues with infinite redirects:

location /test {      access_by_lua_block {        local opts = {
discovery = "http://keycloak/...../.well-known/openid-configuration",
redirect_uri_path = "/test",
accept_none_alg = true,
client_id = "xxxx",
client_secret = "xxxxx",
use_nonce = true,
revoke_tokens_on_logout = true,
local res, err, url, session = require("resty.openidc").authenticate(opts) if err or not res then
ngx.status = 403
ngx.say(err and err or "no access_token provided")
default_type text/html;
content_by_lua 'ngx.say("<p>hello, world here from test</p>")';

for above block, I was expecting the library able to direct the client to keycloak authentication at first time, then subsequently redirect back to the redirect_uri /test, which then see the client is already authenticated, and proceed to the content_by_lua` block.

however, instead, it’s facing a infinite redirect between keycloak and redirect_url:

the final solution is to put the control block (access_by_lua) after location /, then worked out


a follow up to the original post, the redirect_uri itself could be causing the issue. Instead of pointing it to a final landing page, point it to a intermittent place which would then be directed to the original place (the protected location) should sort the problem as well.