lua-resty-openidc is a certified OIDC and OAuth library built on OpenResty. OpenResty is a reverse proxy built on nginx with Lua and LuaJIT embedded, which greatly extends nginx's capabilities.

lua-resty-openidc can authenticate and authorize the client against a compliant OP (Keycloak in my case). However, I ran into infinite redirects:

    location /test {
        access_by_lua_block {
            local opts = {
                discovery = "http://keycloak/...../.well-known/openid-configuration",
                -- callback path is the same as the protected location (the setup that looped)
                redirect_uri_path = "/test",
                -- accepts unsigned ID tokens (alg none)
                accept_none_alg = true,
                client_id = "xxxx",
                client_secret = "xxxxx",
                use_nonce = true,
                revoke_tokens_on_logout = true,
            }
            -- start the authorization code flow, or reuse an existing session
            local res, err, url, session = require("resty.openidc").authenticate(opts)
            if err or not res then
                ngx.status = 403
                ngx.say(err and err or "no access_token provided")
                ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        }
        default_type text/html;
        content_by_lua 'ngx.say("<p>hello, world here from test</p>")';
    }

With the block above, I expected the library to send the client to Keycloak for authentication on the first request, then redirect back to the redirect_uri /test, which would see that the client is already authenticated and proceed to the content_by_lua block.

Instead, it got stuck in an infinite redirect between Keycloak and the redirect_uri: https://github.com/zmartzone/lua-resty-openidc/issues/32#issuecomment-656035986

The final solution was to put the control block (access_by_lua) after location /, and then it worked.

===================================================

A follow-up to the original post: the redirect_uri itself could be causing the issue. Pointing it at an intermediate location, from which the client is then redirected to the original place (the protected location), instead of at a final landing page, should sort out the problem as well.

https://github.com/zmartzone/lua-resty-openidc/issues/343
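
The arrangement described in the follow-up, written out as an added example (not configuration from the original post or from the lua-resty-openidc project): the access block sits in location / so that it covers both the protected pages and a dedicated callback path. The path /redirect_uri is an assumed name, the discovery URL and client credentials are the post's placeholders, http-level settings such as the resolver and Lua package path are assumed to be in place, and accept_none_alg is left out so that unsigned ID tokens are rejected.

```nginx
# Added example, not the post's own configuration.
server {
    listen 80;

    # Single catch-all location: the protected pages and the callback path
    # (/redirect_uri, an assumed name) both pass through this access block.
    location / {
        access_by_lua_block {
            local opts = {
                -- placeholder values as in the post
                discovery = "http://keycloak/...../.well-known/openid-configuration",
                client_id = "xxxx",
                client_secret = "xxxxx",
                -- Dedicated callback path that serves no content of its own.
                -- The library consumes the authorization response here and then
                -- redirects the browser to the URL it originally requested.
                redirect_uri_path = "/redirect_uri",
                use_nonce = true,
                revoke_tokens_on_logout = true,
                -- accept_none_alg is not set, so ID tokens with alg none are rejected
            }

            local res, err = require("resty.openidc").authenticate(opts)
            if err or not res then
                ngx.status = ngx.HTTP_FORBIDDEN
                ngx.say(err or "no access_token provided")
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        }

        default_type text/html;
        content_by_lua_block {
            ngx.say("<p>hello, world here from test</p>")
        }
    }
}
```

The callback path registered for the client in Keycloak has to match redirect_uri_path, otherwise the OP refuses the redirect.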
