resty | Simple HTTP and REST client library for Go | HTTP library

I found the solution but I did not the root cause of problem:

I changed my Nginx-Lua image from danday74/nginx-lua to fabiocicerchia/nginx-lua, and It worked like a charm. the first one was created on Nginx version 1.16 and the last one was created by Nginx 1.19.

You should ffi.load your .so library before using functions from it.

I had to check the lua source code, but I think I have figured the logout behaviour out: Lua-resty-openidc establishes sessions, and they are terminated when a specific url access is detected (it is controlled by opts.logout_path which we will need to be set to an address in the path of service, e.g. .../service/logout)

In essence, there are two urls that need to be hit, one for keycloack logout, and one for openresty session logout. Accessing the keycloack logout url https:///auth/realms//protocol/openid-connect/logout is done by lua after we access the opts.logout_path at https:///service/logout

So after setting up everything correctly, all we have to do to logout is hit https:///service/logout. This will destroy the session and log us out.

I think we need to set opts.revoke_tokens_on_logout to true, Also note that from my experiments, for some reason, setting up a redirect_after_logout_uri may result in the user not signing out due to redirections.

Here is an example of what we need to have for nginx.conf to make this work....

no resolver defined to resolve "www.google.de"

You need to configure the resolver:

https://github.com/openresty/lua-nginx-module#tcpsockconnect

In case of domain names, this method will use Nginx core's dynamic resolver to parse the domain name without blocking and it is required to configure the resolver directive in the nginx.conf file like this:

There are two errors in your code.

1. It is not possible to pass the cosocket object between Lua handlers (emphasis added by me):

   The cosocket object created by this API function has exactly the same lifetime as the Lua handler creating it. So never pass the cosocket object to any other Lua handler (including ngx.timer callback functions) and never share the cosocket object between different Nginx requests.

   https://github.com/openresty/lua-nginx-module#ngxsockettcp

   In your case, the reference to the cosocket object is stored in the client table (client._sock).

2. ngx.print/ngx.say are not available in the ngx.timer.* context.

   https://github.com/openresty/lua-nginx-module#ngxsay (check the context: section).

   You can use ngx.log instead (it writes to nginx log, set error_log stderr debug; in nginx.conf to print logs to stderr).

The following code works as expected:

You need to add a Content-Type. This should work:

OpenResty run Lua hooks in a sandbox, so one cannot use global variables to share data.

You shall use Data Sharing within an Nginx Worker It is usual practice to cache anything on Lua module level, possibly with some reasonable expiration period if data stored in Redis may be changed.

BTW - don't use XXX_by_lua directives - you should take care about nginx escaping rules, use XXX_by_lua_block.

Additional example:

I just found answer here:

lua_ssl_protocols TLSv1.2 TLSv1.3;

I finally ended with creating a new method in openidc.lua, which apparently contains all necessary stuff to call jwt.lua. Not sure what's missing from calling it directly from nginx.tmpl though.