2

I am trying to configure lua-resty-openidc on an NGINX server. How can I redirect back to the Home page once the user is authenticated? When the user is authenticated the callback url is getting the code, session_state and other parameters from the server. This is causing an issue with loading once the user is authenticated. The url that the user comes back to is something like http://xyz.abc.com:8080/secured?code=32edkew2kjjjdf

https://github.com/pingidentity/lua-resty-openidc

My Configuration looks like below. I wanted to take the user back to http://xyz.abc.com:8080. What should be the redirect_uri?

    local opts = {
      -- the full redirect URI must be protected by this script and becomes:
      -- ngx.var.scheme.."://"..ngx.var.http_host..opts.redirect_uri_path
      redirect_uri_path = "/secured",
      discovery = "https://accounts.google.com/.well-known/openid-configuration",
      client_id = "<client_id>",
      client_secret = "<client_secret>"
      --authorization_params = { hd="pingidentity.com" },
      --scope = "openid email profile",
      --iat_slack = 600,
    }

Hans Z.

3 Answers

2

lua-resty-openidc itself handles the redirect back to the original page that you were trying to access. You don't need to do anything specific for that; it will figure out that URL when the authentication is triggered, see: https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L539 and store it in the session.

It will intercept the redirect back to the Redirect URI, see: https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L557 and eventually redirect back to the original URL, see https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L350

The Redirect URI itself can be any path as long as it doesn't need to serve content as lua-resty-openidc will intercept it and do its own thing. It does need to be registered with the Provider.

Hans Z.
  • See this issue that I posted https://github.com/pingidentity/lua-resty-openidc/issues/43 – Venkatesh Marepalli Mar 23 '17 at 18:23
  • Looks like there is an issue with session variables. When I replaced `return ngx.redirect(session.data.original_url)` with `return ngx.redirect("/")` it is working as expected, redirecting to the Home page. I suspect there is some issue with Session variables in openidc.lua. Each time I send a new request from a new browser session I suspect it is still considering old values. It is working as expected every alternate attempt without the above change. – Venkatesh Marepalli Mar 24 '17 at 22:21
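
A configuration consistent with the answer above, as an added example that is not part of the original thread and not the project's own code: one `access_by_lua_block` protects every path, and the Redirect URI is a dedicated path that serves no content. The `/redirect_uri` path, the resolver and the backend address are assumptions, and the module is assumed to be installed on OpenResty's default Lua path.

```nginx
# Added example: host and port come from the question, everything marked
# "placeholder" is an assumption.
events {}

http {
  lua_shared_dict discovery 1m;   # cache for the Provider's discovery document
  resolver 8.8.8.8;               # placeholder; cosockets need a DNS resolver

  server {
    listen 8080;
    server_name xyz.abc.com;

    # One block protects every path, including the callback path below.
    location / {
      access_by_lua_block {
        local opts = {
          -- Dedicated callback path that serves no content. It must be
          -- registered with the Provider as
          -- http://xyz.abc.com:8080/redirect_uri
          redirect_uri_path = "/redirect_uri",
          discovery = "https://accounts.google.com/.well-known/openid-configuration",
          client_id = "<client_id>",
          client_secret = "<client_secret>",
        }

        -- Unauthenticated request for e.g. "/": the requested URL is stored
        -- in the session and the browser is sent to the Provider.
        -- Callback to /redirect_uri?code=...: the library handles it here
        -- and redirects to the stored URL, so the code and session_state
        -- parameters never reach the application.
        local res, err = require("resty.openidc").authenticate(opts)

        if err then
          -- Log the detail server-side; return a generic error to the client.
          ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
          return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        -- Authenticated: pass the subject claim to the backend.
        ngx.req.set_header("X-USER", res.id_token.sub)
      }

      proxy_pass http://127.0.0.1:8081;   # placeholder backend
    }
  }
}
```
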
1

Redirection is defined by the redirect_uri_path option. You have put /secured in this field, so you get a redirection to http://xyz.abc.com:8080/secured?.... If you want a redirection to /, you can put redirect_uri_path = "/" in your options.

But this might not be a good solution, as you probably want to perform some handling before redirecting to the home page. The following part of nginx.conf could answer your problem:

    location "=/secured" {
      access_by_lua_block {
        -- ... perform some handling here
        return ngx.redirect("/")
      }
    }

This location block is defined for the /secured path. It allows you to run some code before redirecting to the home page (the "/" path).

Alban Linard
0

Try this module: github.com/tarachandverma/nginx-openidc. This module is very easy to configure in XML syntax and provides extensive support for redirects in simple XML configuration which can be updated without ever restarting the nginx webserver.