Merge pull request #52 from route443/main

Fix: ZoneSync delays in some installations caused problems Fix: Double URL encoding in proxy upstream after internalRedirect

Author: route443

openid_connect.js

@@ -7,7 +7,30 @@ var newSession = false; // Used by oidcAuth() and validateIdToken()
 
 export default {auth, codeExchange, validateIdToken, logout};
 
-function auth(r) {
+function retryOriginalRequest(r) {
+ delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
+ r.internalRedirect(r.variables.uri + r.variables.is_args + (r.variables.args || ''));
+}
+
+// If the ID token has not been synced yet, poll the variable every 100ms until
+// get a value or after a timeout.
+function waitForSessionSync(r, timeLeft) {
+ if (r.variables.session_jwt) {
+ retryOriginalRequest(r);
+ } else if (timeLeft > 0) {
+ setTimeout(waitForSessionSync, 100, r, timeLeft - 100);
+ } else {
+ auth(r, true);
+ }
+}
+
+function auth(r, afterSyncCheck) {
+ // If a cookie was sent but the ID token is not in the key-value database, wait for the token to be in sync.
+ if (r.variables.cookie_auth_token && !r.variables.session_jwt && !afterSyncCheck && r.variables.zone_sync_leeway > 0) {
+ waitForSessionSync(r, r.variables.zone_sync_leeway);
+ return;
+ }
+
  if (!r.variables.refresh_token || r.variables.refresh_token == "-") {
  newSession = true;
 
@@ -88,8 +111,7 @@ function auth(r) {
  r.variables.refresh_token = tokenset.refresh_token; // Update key-value store
  }
 
- delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
- r.internalRedirect(r.variables.request_uri); // Continue processing original request
+ retryOriginalRequest(r); // Continue processing original request
  }
  );
  } catch (e) {

openid_connect_configuration.conf

@@ -43,6 +43,16 @@ map $host $oidc_hmac_key {
  default "ChangeMe";
 }
 
+map $host $zone_sync_leeway {
+ # Specifies the maximum timeout for synchronizing ID tokens between cluster
+ # nodes when you use shared memory zone content sync. This option is only
+ # recommended for scenarios where cluster nodes can randomly process
+ # requests from user agents and there may be a situation where node "A"
+ # successfully received a token, and node "B" receives the next request in
+ # less than zone_sync_interval.
+ default 0; # Time in milliseconds, e.g. (zone_sync_interval * 2 * 1000)
+}
+
 map $proto $oidc_cookie_flags {
  http "Path=/; SameSite=lax;"; # For HTTP/plaintext testing
  https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation