diff --git a/openid_connect.js b/openid_connect.js index 54c395d..4ec46ba 100644 --- a/openid_connect.js +++ b/openid_connect.js @@ -7,7 +7,30 @@ var newSession = false; // Used by oidcAuth() and validateIdToken() export default {auth, codeExchange, validateIdToken, logout}; -function auth(r) { +function retryOriginalRequest(r) { + delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt + r.internalRedirect(r.variables.uri + r.variables.is_args + (r.variables.args || '')); +} + +// If the ID token has not been synced yet, poll the variable every 100ms until +// get a value or after a timeout. +function waitForSessionSync(r, timeLeft) { + if (r.variables.session_jwt) { + retryOriginalRequest(r); + } else if (timeLeft > 0) { + setTimeout(waitForSessionSync, 100, r, timeLeft - 100); + } else { + auth(r, true); + } +} + +function auth(r, afterSyncCheck) { + // If a cookie was sent but the ID token is not in the key-value database, wait for the token to be in sync. + if (r.variables.cookie_auth_token && !r.variables.session_jwt && !afterSyncCheck && r.variables.zone_sync_leeway > 0) { + waitForSessionSync(r, r.variables.zone_sync_leeway); + return; + } + if (!r.variables.refresh_token || r.variables.refresh_token == "-") { newSession = true; @@ -88,8 +111,7 @@ function auth(r) { r.variables.refresh_token = tokenset.refresh_token; // Update key-value store } - delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt - r.internalRedirect(r.variables.request_uri); // Continue processing original request + retryOriginalRequest(r); // Continue processing original request } ); } catch (e) { diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf index 753832c..f5668ee 100644 --- a/openid_connect_configuration.conf +++ b/openid_connect_configuration.conf @@ -43,6 +43,16 @@ map $host $oidc_hmac_key { default "ChangeMe"; } +map $host $zone_sync_leeway { + # Specifies the maximum timeout for synchronizing ID tokens between cluster + # nodes when you use shared memory zone content sync. This option is only + # recommended for scenarios where cluster nodes can randomly process + # requests from user agents and there may be a situation where node "A" + # successfully received a token, and node "B" receives the next request in + # less than zone_sync_interval. + default 0; # Time in milliseconds, e.g. (zone_sync_interval * 2 * 1000) +} + map $proto $oidc_cookie_flags { http "Path=/; SameSite=lax;"; # For HTTP/plaintext testing https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation