By: Dheivendiran Ramasamy user 19 Jun 2018 at 8:05 a.m. CDT

3 Responses
Dheivendiran Ramasamy gravatar
We are migrating from Apache server to Nginx(Openresty). I am using the all configuration available in Apache config to Nginx config file. It is working except logout. It returns the below error in browser(chrome) on logout. Actually the location "/secret/redirect" is not exist in server only the folder secret is exists. Because according the gluu configuration **"Populate the OIDCRedirectURI with a value that is not used by the server. The apache-filter uses the redirect_uri to process the response from the OpenID Provider (Gluu Server)."** One more thing that redirect_uri is getting used at that time of login as well(noticed in browser console) but login is working fine. Please check it all and let me know your suggestions. Thank you. Ref: https://gluu.org/docs/ce/integration/sswebapps/openidc-rp/ **Browser error on logout:** ``` This site can’t be reached The web page at https://servername.com/secret/redirect?logout=https%3A%2F%2Fservername.com%2Fportal%2F might be temporarily down or it may have moved permanently to a new web address. ERR_INVALID_RESPONSE ``` **Nginx server configuration:** ``` lua_package_path '~/lua/?.lua;;'; resolver 8.8.8.8; lua_ssl_trusted_certificate /etc/nginx/ssl/cert.crt; lua_ssl_verify_depth 5; # cache for discovery metadata documents lua_shared_dict discovery 1m; # cache for JWKs lua_shared_dict jwks 1m; # NB: if you have "lua_code_cache off;", use: # set $session_secret xxxxxxxxxxxxxxxxxxx; # see: https://github.com/bungle/lua-resty-session#notes-about-turning-lua-code-cache-off server { listen 80; return 301 https://$host$request_uri; root /var/www/html; } server { listen 443; server_name iot.servername.com; root /var/www/html; index index.php index.html index.htm index.nginx-debian.html; ssl_certificate /etc/nginx/ssl/cert.crt; ssl_certificate_key /etc/nginx/ssl/cert.key; ssl on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php7.0-fpm.sock; } location ~ /\.ht { deny all; } location / { set $user_name ''; access_by_lua_block { local opts = { redirect_uri_path = "/secret/redirect", discovery = "https://hostname/.well-known/openid-configuration", client_id = "@!22A9 - my client id is here", client_secret = "password", scope = "openid user_name profile", redirect_uri_scheme = "https", token_endpoint_auth_method = "client_secret_basic", ssl_verify = "no", timeout = 7200, } -- call authenticate for OpenID Connect user authentication local res, err = require("resty.openidc").authenticate(opts) if err then ngx.status = 500 ngx.say(err) ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) end ngx.var.user_name = res.user.user_name #ngx.var.remote_user = res.user.user_name } } location /api/ { proxy_pass http://java-servie:8800/; proxy_set_header remote_user $user_name; proxy_set_header X-Forwarded-Proto "https"; } } ```

By Chris Blanton staff 19 Jun 2018 at 9:06 a.m. CDT

Chris Blanton gravatar
Hey Dheivendiran, I'm not expert in the lua-resty-openidc framework, but I believe the logout uri should be `<hostname>/logout` in the browser and also in your client. I could speculate further as to why, but I highly recommend looking through everything in the [lua-resty-openidc repo](https://github.com/zmartzone/lua-resty-openidc) for examples and in depth explanations. To include the issues other people have posted about.

By Dheivendiran Ramasamy user 20 Jun 2018 at 1:19 p.m. CDT

Dheivendiran Ramasamy gravatar
Hi Chris, Thanks for the reply. Already I referred lua-resty-openidc documentation actually that is not very detailed reference and the param redirect_uri_path must be relative path because lua-resty-openidc automatically adds hostname at beginning. Please let me know if you get any more information.

By Chris Blanton staff 20 Jun 2018 at 2:17 p.m. CDT

Chris Blanton gravatar
Hey Dheivendiran, According to [this issue](https://github.com/openresty/lua-nginx-module/issues/627), you can use a lua file as a sort of setter/getter and pass variables from what I can tell.