
ngx_oauth2_module's People

Contributors

zandbelt


ngx_oauth2_module's Issues

Variable collision between requests

First, thanks for these modules. I have some Apache servers which have worked flawlessly for months.
I have to port some of my traffic to nginx on RHEL9, so I'm testing the ngx-oauth2 module.

My lab setup is just the translated Apache one:

location /protected {
    OAuth2TokenVerify $source_token metadata https://cognito-idp.eu-west-1.amazonaws.com/XXX/.well-known/openid-configuration verify.iat=skip;

    add_header X-USER $jwt_username;

    OAuth2Claim sub $jwt_sub;
    OAuth2Claim cognito:username $jwt_username;
    OAuth2Claim email $jwt_email;
    OAuth2Claim token_use $jwt_token_use;

    proxy_pass ...
}

Test with token is fine

curl "rhel9-ci:8080/protected/?$RANDOM" -H "Authorization: bearer $TOKEN" -iI
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 17 Jun 2024 21:48:00 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Mon, 17 Jun 2024 17:43:16 GMT
Connection: keep-alive
ETag: "667075b4-f"
X-USER: mycognito.myuser
Accept-Ranges: bytes

However, the env variables stay set on the next request, even without a token

curl "rhel9-ci:8080/protected/?$RANDOM" -iI
HTTP/1.1 200 OK
...
X-USER: mycognito.myuser

In debug mode I can see this when no token is provided

[debug] 15738#15738: *73 # ngx_oauth2_handler: ngx_http_complex_value ngx_source_token.len=0
[debug] 15738#15738: *73 # ngx_oauth2_handler: leave: -5
...
[debug] 15738#15738: *73 ngx_oauth2_claim_variable: cognito:username=xxxx
[debug] 15738#15738: *73 http script var: "xxxx"

So I suspect that some context is not freed between requests, and variable values are kept from one run to another.
Does anyone have a hint?

My env

Red Hat Enterprise Linux release 9.4 (Plow)
cjose-0.6.2.3-1.el9.x86_64
liboauth2-1.6.2-1.el9.x86_64
liboauth2-nginx-1.6.2-1.el9.x86_64
nginx-1.20.1-14.el9_2.1.x86_64
nginx-core-1.20.1-14.el9_2.1.x86_64
nginx-filesystem-1.20.1-14.el9_2.1.noarch
nginx-mod-oauth2-3.4.0-1.el9.x86_64
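
A log check for the symptom reported in this issue, added here as an example (not code from the issue or from the module): it scans nginx debug output for a connection on which `ngx_oauth2_handler` logged an empty source token and a claim variable was still resolved to a value. The log format is taken from the lines quoted above; the function name and the second sample connection are assumptions.

```python
import re

# Matches nginx debug lines such as "[debug] 15738#15738: *73 <message>";
# a leading timestamp, if present, is ignored.
LINE_RE = re.compile(r"\[debug\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*)$")
TOKEN_RE = re.compile(r"ngx_oauth2_handler: .*ngx_source_token\.len=(?P<len>\d+)")
CLAIM_RE = re.compile(r"ngx_oauth2_claim_variable: (?P<name>[^=]+)=(?P<value>.*)$")


def find_stale_claims(log_lines):
    """Return (connection, claim_name) pairs where a claim variable was
    resolved after the handler saw an empty source token on that connection."""
    empty_token = {}  # connection id -> True while the latest token seen was empty
    findings = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        tok = TOKEN_RE.search(msg)
        if tok:
            # A new token evaluation resets the state for this connection.
            empty_token[conn] = int(tok.group("len")) == 0
            continue
        claim = CLAIM_RE.search(msg)
        if claim and empty_token.get(conn) and claim.group("value"):
            findings.append((conn, claim.group("name")))
    return findings


# Constructed sample: connection *73 reproduces the lines quoted in the issue;
# connection *74 is a made-up request that carried a token (len=1024 is invented).
SAMPLE_LOG = """\
[debug] 15738#15738: *73 # ngx_oauth2_handler: ngx_http_complex_value ngx_source_token.len=0
[debug] 15738#15738: *73 # ngx_oauth2_handler: leave: -5
[debug] 15738#15738: *73 ngx_oauth2_claim_variable: cognito:username=xxxx
[debug] 15738#15738: *73 http script var: "xxxx"
[debug] 15738#15738: *74 # ngx_oauth2_handler: ngx_http_complex_value ngx_source_token.len=1024
[debug] 15738#15738: *74 ngx_oauth2_claim_variable: cognito:username=xxxx
""".splitlines()

if __name__ == "__main__":
    for conn, name in find_stale_claims(SAMPLE_LOG):
        print(f"connection *{conn}: claim {name!r} populated although no token was presented")
```
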

Unable to start the nginx service (/etc/nginx/modules/liboauth2.so: undefined symbol: ngx_modules) in /etc/nginx/nginx.conf

Hi,

I am trying to enable OAuth2 for nginx proxy services. I have installed and configured nginx_oauth2_module using the instructions below. I have all the dependencies installed. After adding the OAuth2 configuration to nginx.conf, I am unable to restart the nginx service. I am getting the error below. Please help me troubleshoot the issue.

https://github.com/OpenIDC/ngx_oauth2_module

nginx.conf:

location /oauth2/pingfed/introspect {
    OAuth2TokenVerify $source_token introspect
        https://pingfed:9031/as/introspect.oauth2
        introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate;

    OAuth2Claim sub $pfc_introspect_sub;
    OAuth2Claim username $pfc_introspect_username;
    OAuth2Claim active $pfc_introspect_active;

    proxy_set_header OAUTH2_CLAIM_sub $pfc_introspect_sub;
    proxy_set_header OAUTH2_CLAIM_username $pfc_introspect_username;
    proxy_set_header OAUTH2_CLAIM_active $pfc_introspect_active;
    proxy_pass http://echo:8080/headers$is_args$args;
}

Error:
[emerg] 1960146#1960146: dlsym() "/etc/nginx/modules/liboauth2.so", "ngx_modules" failed (/etc/nginx/modules/liboauth2.so: undefined symbol: ngx_modules) in /etc/nginx/nginx.conf:13

Unaligned memory access on 64-bit SPARC during module initialization

When starting up nginx built with the ngx_oauth2_module on 64-bit SPARC (niagara4) on Solaris 10 with gcc 5.5.0, nginx dumps core with a SIGBUS error:

Program terminated with signal SIGBUS, Bus error.
#0 0x0000000100166f54 in ngx_openidc_set_claim (cf=0xffffffff7ffff480,
cmd=0x1002efe70 <ngx_openidc_commands+336>, conf=0x100370380)
at /home/webops/myghadm/src/ngx_openidc_module-master/src/ngx_openidc_module.c:144
144 claim->name = oauth2_strndup((const char *)value[1].data, value[1].len);

As SPARC is sensitive to alignment issues, I expect that this is a platform-specific issue.

My OpenIDC config (redacted, from the server location section of a very generic nginx.conf) is attached at OpenIDC-Config.txt.

The stack trace from the core file is attached as gdb_ngx_core.txt.

I'm happy to provide any additional information on this issue, and any further assistance to help resolve this.
Thanks for taking a look!

OpenIDC-Config.txt
gdb_ngx_core.txt

How to compile this from source

Hans,

I'm trying to compile this module from source as the .deb packages are for a pretty old version of nginx (trying to install and use them on the default nginx Docker container of bookworm gives an error regarding "version X instead of Y"). However, after fumbling about for days of trial and error, I just can't seem to get a .so file from following your workflow script on GitHub, or I get configure or make errors when trying to follow the official nginx documentation on compiling dynamic modules. Any help would be appreciated.
