Hi,
the OID_REDIRECT_PATH always resolves to http://localhost/<the_value_from_OID_REDIRECT_PATH>

however if you want to resolve to a different url (e.g. when using this with AWS cognito), this fails

Hello

I see that out of the box your nginx configuration doesn't handle websocket proxy
Missing 2 directives :

proxy_set_header Connection        "Upgrade";
proxy_set_header Upgrade           $http_upgrade;

It can be good to be able to use it (OR) :

• By default / for all, updating directives here
• Using dedicated env var like ENABLE_WSS_SUPPORT or so
• ...

Thanks for the work !

Regards

I was looking for a openid connect op reverse proxy to authenticat with Azure AD and sit in openshift in front of an application server assuming I get it all to run and run not as root.
Initially I had the problem noted above on the checking issuer.
I tried the latest release of the lua-resty files listed in the docker file, trying all the master releases and got the error
"There was an error while logging in: request to the redirect_uri path but there's no session state found"
It looks like the error in
zmartzone/lua-resty-openidc#213
The error is raised line 1324 of openidc.lua as the session isn't present from the error called.
I'm grateful for any thoughts. I tried turning debug on in the dockerfile and rebuilding, but maybe I need to do that in the openresty docker to get that to work to provide more information.

lua-resty-openidc version 1.7.0 removes a check where lua-resty-openidc requires issuer to be == to the discovery URL domain
zmartzone/lua-resty-openidc#219

The check can be a problem with working with Azure AD e.g.
zhzy0077/lua-resty-openidc-azure-ad@18bd904

Any chance of updating the version of openIDC used to 1.7.0 in the DockerFile so it works with Azure OpenID Connect?
Assuming I've not misunderstood something.
Thanks. John.

Hey,

I used this repo to successfully place a proxy in of the kubernetes dashboard. I only have one little problem. At this moment this repo does not have "official" releases or versions. The image deployed on docker hub is tagged as latest. I would like for it to have a version number so I can use without worrying that a new version will break my setup.

Stijn De Haes

I want to know if this could be used to act as a reverse proxy that.

Essentially I have a lot of services that are not capable of doing the OIDC flow, but have an API backend that supports OIDC and would like to use it.

I was wondering if I could use this as a reverse proxy to allow a another container access to an OIDC protected cloud API.

Thanks!

Hey,
we are a ReactJS application with OICD (same as your example with your Nginx image), and we experience the following issue:

A user who hasn't been active for few hours and attempts to keep working gets errors until the site is hard refreshed.

By watching the Network tab in the developer tools we get CORS error with the our Authorization Server for some reason.
Moreover, this behavior started after we moved to OIDC authentication (we used Kerberos before).

In addition, in our environment each user is a member of many security groups, that fact causes the ID token and the Access token to be very large, therefore our session cookie is extremely large.
Are there any solutions to this problem?
Thank you!

When browsing to http://<ip>:<port>/ I get
There was an error while logging in: accessing discovery url (https://example.net/auth/realms/master/.well-known/openid-configuration) failed: handshake failed

When attaching to the docker console, if I do curl https://example.net I get
curl: (35) error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version

I use nginx as a reverse proxy. This is my nginx config. Other docker containers or browsers have no problems with retrieving this url.

    server {
        listen  443 ssl;
        server_name  example.net;
        ssl_certificate     <location to cert>;
        ssl_certificate_key <location to cert>;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers off;
        root /usr/share/nginx/html;
        
        location / {
            proxy_pass http://<ipofservice>:<portofservice>;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

oidc-proxy image run as root, which is not possible when using OpenShift v3.
Please consdier running the image as another user.

openidc.lua:486: failed: 18: self signed certificate, client: 172.24.0.1, server: _, request: "GET / HTTP/1.1", host: "localhost:9099"

version: '3'

services:
  fathom:
    image: usefathom/fathom:latest
    command: ./fathom --config=/config/.env server
    depends_on:
      - postgres_fathom
    volumes:
      - ./fathom.env:/config/.env
    ports:
      - 8446:8080

  postgres_fathom:
    image: postgres:latest
    volumes:
      - ./data:/var/lib/postgresql/data
      - db_data:/var/lib/postgresql/data
    environment:
      PGDATA: /var/lib/postgresql/data/fathom
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}

  nginx_openid:
    image: "evry/oidc-proxy"
    environment: 
      - OID_DISCOVERY=https://localhost:8444/auth/realms/master/protocol/openid-connect/auth
      - OID_CLIENT_ID=nginx
      - OID_CLIENT_SECRET=0fd32218-8e31-45ac-8b53-d6b523ab99b6
      - PROXY_HOST=fathom
      - PROXY_PORT=8446
      - PROXY_PROTOCOL=https
      - OID_SESSION_CHECK_SSI=off
      - OID_SESSION_NAME=oidc_auth
      - OID_REDIRECT_PATH=/redirect_uri
    ports:
     - "9099:80"

I'm currently using Apache with mod_auth_openidc, and I specify OIDCCryptoPassphrase. In order to switch to this proxy, wouldn't I also have to specify this? I don't see a way to do it?

The keycloak container isn't persistent...
The keycloak client secret is known only after creating the client, but when the docker-compose file is running you can't change the env vars of the proxy container... once you change the environment variable you need to restart the compose file, which restarts keycloak and resets the client.

What I did is i added a persistent postgres container & set keycloak to use the postgres db.

do we have helm chart deployment for the proxy? any link for the same

Hi,
the readme has a typo of the word protocol, however it is spelt "protofol".
I tried to submit a PR to change this, however the branch permissions did not let me.
thanks