This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

frontchannel logout with firefox not working #30

Open
daverck opened this issue Jan 23, 2023 · 0 comments

daverck commented Jan 23, 2023

Hello,

It seems frontchannel logout with Firefox doesn't remove all session info.

After the first logout from the web app, every login attempt ends up with a Kong error page.
If I remove all cookies or use a private window then login works fine.
The Keycloak session is removed.
There is no issue with Chrome/Chromium.
I tried different versions of Firefox.
I compared cookie handling between Firefox and Chrome. I didn't notice any difference.

There is an error in the Kong log:
state from argument: .... does not match state restored from session
I tried hard-coding the session_secret (as advised in some lua-resty-openidc issue) but it didn't fix anything.

Did someone manage to have OIDC working with Firefox?

(partial) deck yaml config:

  - hosts:
    - {{myhost}}
    name: myroute
    paths:
    - /
    - /logout
    plugins:
    - config:
        access_token_as_bearer: 'yes'
        access_token_header_name: Authorization
        bearer_only: 'no'
        client_id: myclientid
        client_secret: xxxxxxxxxx
        session_secret: xxxxxxxxxxx
        discovery: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
        introspection_endpoint: https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect
        introspection_endpoint_auth_method: client_secret_post
        ssl_verify: 'no'
        realm: MY-APP
        logout_path: /logout
        revoke_tokens_on_logout: 'yes'
        redirect_after_logout_uri: https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout?post_logout_redirect_uri=https://{{myhost}}
        redirect_after_logout_with_id_token_hint: 'yes'
        response_type: code token
      name: oidc
    protocols:
    - https
    strip_path: false

keycloak client config:

{
  "clientId": "myclient",
  "name": "",
  "description": "Client used by kong plugins oidc",
  "rootUrl": "",
  "adminUrl": "",
  "baseUrl": "https://{{myhost}}",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "xxxxxxxxxxxxxxxxx",
  "redirectUris": [
    "",
    "https://{{myauthhost}}/",
    "https://{{myauthhost}}",
    "https://{{myauthhost}}/*",
    "https://{{myhost}}",
    "https://{{myhost}}/",
    "https://{{myhost}}/*"
  ],
  "webOrigins": [
    "",
    "+"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  "attributes": {
    "login_theme": "my-app",
    "frontchannel.logout.url": "https://{{myhost}}/logout",
    "post.logout.redirect.uris": "+",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "use.refresh.tokens": "false",
    "exclude.session.state.from.auth.response": "false",
    "tls-client-certificate-bound-access-tokens": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "false",
    "client_credentials.use_refresh_token": "false",
    "acr.loa.map": "{}",
    "require.pushed.authorization.requests": "false",
    "display.on.consent.screen": "false",
    "token.response.type.bearer.lower-case": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "name": "Client IP Address",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientAddress",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientAddress",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client Host",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientHost",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientHost",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientId",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientId",
        "jsonType.label": "String"
      }
    }
  ],
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "roles",
    "profile",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

kong log for first logout with firefox

2023/01/23 16:22:49 [debug] 515215#0: *13338495 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787
2023/01/23 16:22:54 [debug] 515215#0: *13338639 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /logout
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session_2
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] session.lua:611: open(): cookie found
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:1421: authenticate(): Logout path (/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:54 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:54 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:54 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1234: openidc_logout(): openidc logout
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] session.lua:632: start(): session is already started
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1247: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens...
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:460: call_token_endpoint(): client_secret_post: client_id and client_secret being sent in POST body
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:508: call_token_endpoint(): request body for revocation endpoint call: token=xxx.yyy.zzz-aa-bb-cc-dd-ee&client_id=client_id&token_type_hint=access_token&client_secret=myclientsecret
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:55 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:55 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:526: call_token_endpoint(): revocation endpoint response: 
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] openidc.lua:1221: openidc_revoke_token(): revocation of access_token successful
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:55 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:640: start(): session not present
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:646: start(): session created
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /service-worker.js
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:640: start(): session not present
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] session.lua:646: start(): session created
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:56 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /service-worker.js
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:630: start(): session.start
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:584: open(): session.open
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] session.lua:611: open(): cookie found
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:1449: authenticate(): session.present=true, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:22:57 [debug] 515221#0: *13336351 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:57 [debug] 515221#0: *13336351 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:22:57 [debug] 515222#0: *13336346 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:22:59 [debug] 515215#0: *13338783 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787

kong log for logout with chromium

2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /logout
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:584: open(): session.open
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session_2
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:611: open(): cookie found
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1421: authenticate(): Logout path (/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1234: openidc_logout(): openidc logout
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:632: start(): session is already started
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1247: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens...
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:460: call_token_endpoint(): client_secret_post: client_id and client_secret being sent in POST body
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:508: call_token_endpoint(): request body for revocation endpoint call: token=xxx.yyy.zzz-aa-bb&token_type_hint=access_token&client_id={{myclient}}&client_secret={{my_client_secret}}
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:526: call_token_endpoint(): revocation endpoint response: 
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1221: openidc_revoke_token(): revocation of access_token successful
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] handler.lua:89: make_oidc(): OidcHandler calling authenticate, requested path: /
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:630: start(): session.start
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:584: open(): session.open
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:262: get_cookie(): cookie name: cookie_session
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:623: open(): cookie not found => regenerate
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:640: start(): session not present
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] session.lua:646: start(): session created
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:1449: authenticate(): session.present=nil, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:553: openidc_discover(): openidc_discover: URL is: https://{{myauthhost}}/realms/MY-APP/.well-known/openid-configuration
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:559: openidc_discover(): discovery data not in cache, making call to discovery endpoint
2023/01/23 16:03:47 [debug] 515221#0: *13305291 [lua] openidc.lua:427: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:47 [debug] 515218#0: *13305464 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:572: openidc_discover(): response data: {"issuer":"https://{{myauthhost}}/realms/MY-APP","authorization_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/auth","token_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token","introspection_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/userinfo","end_session_endpoint":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/certs","check_session_iframe":"https://{{myauthhost}}/realms/MY-APP/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:token-exchange"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token 
token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://{{myauthhost}}/realms/MY-APP/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512
","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","roles","acr","phone","offline_access","address","microprofile-jwt","email","profile","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_sup
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 1 => private_key_jwt
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 2 => client_secret_basic
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:658: openidc_get_token_auth_method(): 3 => client_secret_post
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:660: openidc_get_token_auth_method(): configured value for token_endpoint_auth_method (client_secret_post) found in token_endpoint_auth_methods_supported in metadata
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:688: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] openidc.lua:1480: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] init.lua:1006: balancer(): setting address (try 1): xxx.xxx.xxx.xxx:xxx
2023/01/23 16:03:48 [debug] 515221#0: *13305291 [lua] init.lua:1035: balancer(): enabled connection keepalive (pool=xxx.xxx.xxx.xxx|xxx|{{myauthhost}}, pool_size=60, idle_timeout=60, max_requests=100)

2023/01/23 16:03:48 [debug] 515220#0: *13305529 [lua] init.lua:288: [cluster_events] polling events from: 1674028682.787

kong_log_chromium_second_login.txt
kong_log_firefox_second_login.txt
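A triage helper for traces like the ones posted above, added here as an example and not part of the issue or of the plugin's code: it splits a Kong debug log into per-request records and flags a request that still presents a session cookie immediately after a logout request. The names `parse_requests` and `stale_after_logout` and both sample logs are constructed for illustration, and the failure case is hypothetical rather than taken from the Firefox trace.

```python
import re
from dataclasses import dataclass, field

# Kong/nginx error-log line: "date time [level] pid#tid: *conn [lua] file:line: func(): message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: \*(?P<conn>\d+) "
    r"\[lua\] [\w.]+:\d+: (?:\w+\(\): )?(?P<msg>.*)$"
)
START = "OidcHandler calling authenticate, requested path: "
MARKERS = {  # message substrings taken from the log lines quoted in this issue
    "Logout path (": "logout",
    "revocation of access_token successful": "revoked",
    "Redirecting to OP Authorization endpoint": "redirect_to_op",
    "does not match state restored from session": "state_mismatch",
}

@dataclass
class Request:
    ts: str
    path: str
    cookie: str = "unknown"  # "found" or "absent", from session.lua open()
    events: list = field(default_factory=list)

def parse_requests(log_text):
    """Split a debug log into per-request records, keyed by nginx connection id."""
    open_by_conn, requests = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped discovery JSON, blank lines, headings
        conn, msg = m["conn"], m["msg"]
        if msg.startswith(START):
            open_by_conn[conn] = Request(m["ts"], msg[len(START):].strip())
            requests.append(open_by_conn[conn])
        elif conn in open_by_conn:
            req = open_by_conn[conn]
            if msg == "cookie found":
                req.cookie = "found"
            elif msg.startswith("cookie not found"):
                req.cookie = "absent"
            req.events += [t for s, t in MARKERS.items() if s in msg and t not in req.events]
    return requests

def stale_after_logout(requests):
    """Requests that still carried a session cookie right after a logout request.
    Assumes a single-browser capture, so consecutive records are one user's flow."""
    return [cur for prev, cur in zip(requests, requests[1:])
            if "logout" in prev.events and cur.cookie == "found"]

def _line(src, msg, conn="13305291"):
    return f"2023/01/23 16:03:47 [debug] 515221#0: *{conn} [lua] {src}: {msg}"

# Constructed sample, shortened from the chromium trace above: cookie cleared on logout.
CLEAN_LOG = "\n".join([
    _line("handler.lua:89", "make_oidc(): " + START + "/logout"),
    _line("session.lua:611", "open(): cookie found"),
    _line("openidc.lua:1421", "authenticate(): Logout path (/logout) is currently navigated"),
    _line("init.lua:1006", "balancer(): setting address (try 1): xxx", conn="13305464"),
    _line("openidc.lua:1221", "openidc_revoke_token(): revocation of access_token successful"),
    _line("handler.lua:89", "make_oidc(): " + START + "/"),
    _line("session.lua:623", "open(): cookie not found => regenerate"),
    _line("openidc.lua:1480", "authenticate(): Authentication is required - Redirecting to OP Authorization endpoint"),
])
# Constructed failure case (not taken from the issue): the cookie survives the logout.
STALE_LOG = CLEAN_LOG.replace("cookie not found => regenerate", "cookie found")

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("stale", STALE_LOG)):
        reqs = parse_requests(log)
        print(name, [(r.path, r.cookie, r.events) for r in reqs],
              "stale:", [r.path for r in stale_after_logout(reqs)])
```

Running both attached traces through `parse_requests` and comparing the cookie state of the first request after `/logout` narrows the comparison to the session handling, without reading the repeated discovery output.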
