
Setting config.session_secret without setting a $session_secret on Kong breaks the plugin #123

Open
asjongers opened this issue May 10, 2019 · 2 comments

Comments

@asjongers

Hi,

Setting config.session_secret (even to a correct base64 encoded value) breaks the plugin if the $session_secret variable has not been set on Kong.

The problem disappears if you set it first on Kong (I use it in a Docker environment where you can set it with the following ENV variable: KONG_NGINX_PROXY_SET: "$$session_secret <yoursecret>"), but then I'm not sure why you would set it through the plugin in the first place.

Couldn't that whole feature be dropped and a recommendation to set a session_secret in your Kong configuration be added in the documentation?

As a side note, we encountered that problem when trying to fix an issue where loading static files for Kibana behind Kong would fail, which led us to #78 and, after some more research, to #1, where we discovered that setting session_secret properly on Kong itself would solve all our issues.

Thanks.

@z-aliakseyeu

Hello @asjongers!
This is a really great comment, and it seems you've fixed the issue with the request to the redirect_uri_path where there's no session state found after the redirect.
I've been using Kong as part of a Docker setup and added that environment variable without adding session_secret to the plugin. But whenever I add both, I get a Kong error 500.
Can you please give more detailed information on how you fixed the issue?
Some information about my setup:

  # docker-compose.yml env variable
  - KONG_NGINX_PROXY_SET="$$session_secret perfect_s3cr3+"

kong version: 0.13.0
plugin version: current master installed with luarocks install kong-oidc

If you would be able to give some more information or any clue to the issue, would be great! 🙏

Thank you

@asjongers
Author

Hi @z-aliakseyeu.

In our case, we stopped using config.session_secret as it would just end up overriding the one already set. But if you really do need to set one, make sure you provide a properly base64-encoded secret, or your service will probably end up sending a 500 response because of this if clause:

  if config.session_secret then
    -- config.session_secret must be standard base64; ngx.decode_base64 returns nil otherwise
    local decoded_session_secret = ngx.decode_base64(config.session_secret)
    if not decoded_session_secret then
      -- pass the status code; calling ngx.exit() inside the argument list would
      -- abort the request before utils.exit could write the message
      utils.exit(500, "invalid OIDC plugin configuration, session secret could not be decoded", ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    -- assigning ngx.var.session_secret requires $session_secret to be declared in
    -- Kong's nginx config (e.g. via KONG_NGINX_PROXY_SET); otherwise this line errors
    ngx.var.session_secret = decoded_session_secret
  end

If it's not already the case, try setting config.session_secret to a proper base64-encoded secret and see if it works! You could use this website to generate one.
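As an added example (not code from the kong-oidc project or from either commenter), a small POSIX shell helper that generates a secret in the form config.session_secret requires, checks a candidate value the way the plugin's base64 decode does, and renders the docker-compose line used in this thread; the function names are assumed.

```shell
#!/bin/sh
# Added example, not code from the kong-oidc project or from the thread.
# Helpers for producing a session secret in the form the plugin accepts and for
# checking a candidate value before it reaches Kong. Function names are assumed.

# Generate 32 random bytes and standard-base64 encode them. This is the form
# config.session_secret needs, because the plugin runs it through
# ngx.decode_base64 and answers 500 when that decode fails.
gen_session_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 when the value is non-empty standard base64 (what the plugin's decode
# check accepts), 1 otherwise. A plain string such as "perfect_s3cr3+" from the
# thread is usable as a raw $session_secret nginx variable (the plugin does not
# decode that path) but fails this check, so it must not be used as
# config.session_secret.
is_valid_base64() {
  [ -n "$1" ] || return 1
  printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Render the docker-compose environment entry from the thread. Compose
# interpolates "$name", so the nginx variable is written as "$$session_secret".
compose_env_line() {
  printf '  - KONG_NGINX_PROXY_SET="$$session_secret %s"\n' "$1"
}

# Usage: generate a secret, prove it passes the plugin's decode check, and show
# the compose line that declares $session_secret on Kong. The base64 string is
# printable, so it is also safe to use directly as the raw nginx variable value.
secret=$(gen_session_secret)
if is_valid_base64 "$secret"; then
  echo "config.session_secret value: $secret"
  compose_env_line "$secret"
else
  echo "generated value failed the base64 check" >&2
  exit 1
fi
```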
