feat(openid-connect): update session config to support lua-resty-session, fixes deprecated session.cookie.lifetime#13178
Conversation
4.x Replace the deprecated `session.cookie.lifetime` property with the full set of lua-resty-session 4.x configuration options: cookie settings (cookie_name, cookie_path, cookie_domain, cookie_same_site, etc.), timeout controls (idling_timeout, rolling_timeout, absolute_timeout), remember/persistent session support, and additional options like audience, hash_storage_key, and store_metadata. BREAKING CHANGE: `session.cookie.lifetime` has been removed. Use `idling_timeout`, `rolling_timeout`, and `absolute_timeout` instead.
Hi @francescodedomenico, thank you for your contribution, but we need to evaluate whether it’s necessary to expose all the underlying library’s configurations. I’ll discuss this with the other maintainers. I look forward to hearing others’ thoughts.
idling_timeout, updated plugin configuration in openid-connect.t to reflect new config schema
I would like to chip into this discussion. Prior to lua-resty-session 4.x we could use the nginx variables to set up the various features of lua-resty-session which were not exposed directly through the openid-connect plugin in APISIX. After the 4.x version, due to the dependency chain of openid-connect apisix plugin -> lua-resty-openidc -> lua-resty-session, it is only possible to configure those features via the configuration which is sent from the openid-connect plugin. Effectively, the limited schema capabilities are now blocking us from using the features that exist in lua-resty-session. lua-resty-session supports Redis with sentinel configuration -> https://github.com/bungle/lua-resty-session/blob/master/README.md#redis-sentinels-configuration I have tried to play around with it for a bit, and I've managed to create a custom docker image from apisix:3.16.0 with lua-resty-redis-connector installed, adjusted the schema for openid-connect to support sentinel properties and was able to successfully connect to Redis sentinel. The setup is still being tested but so far looks good.
Hi @francescodedomenico, another issue with the current PR is that the
hello @Baoyuantop
I did add a migration note in the PR. The closest valid alternative for session.cookie.lifetime is the absolute_timeout parameter (gathered from the lifetime description of the 3.10 resty session). I think it would be more maintainable if we continue to support a 1:1 mapping rather than keeping a deprecated parameter and mapping it internally. However, if you tell me where I am supposed to also add the migration notes, I will add them in a docs: commit.
I do agree that many parameters could be added in a session.cookie.additionalProperties field and describe the field as being mapped against the resty session configuration. However, I would like to suggest at least exposing the:
These two are a game changer for the user: we can have multiple oidc sessions, avoid "session" cookie conflicts and have specific sessions being forwarded only to a specific cookie-path. Let me know, thank you. Edit: fixed my answers being swallowed into the quotes
Description
APISIX bundles `lua-resty-session` 4.1.5, but the `openid-connect` plugin's session schema still exposed the legacy `session.cookie.lifetime` property from the 3.x API. Since `lua-resty-openidc` passes the session configuration as-is to `resty.session.start()`, only properties recognized by the 4.x library actually take effect.

This PR removes the deprecated `session.cookie.lifetime` and replaces it with the full set of flat configuration keys that `lua-resty-session` 4.x supports.

Why does it matter
With this update we have full control of the oidc sticky session, allowing apisix users to

New session properties
- `cookie_name`, `cookie_prefix`, `cookie_path`, `cookie_domain`, `cookie_http_only`, `cookie_secure`, `cookie_priority`, `cookie_same_site`, `cookie_same_party`, `cookie_partitioned`
- `idling_timeout` (default 900s), `rolling_timeout` (default 3600s), `absolute_timeout` (default 86400s)
- `remember`, `remember_cookie_name`, `remember_rolling_timeout`, `remember_absolute_timeout`, `remember_safety`
- `audience`, `subject`, `enforce_same_subject`, `stale_ttl`, `touch_threshold`, `compression_threshold`, `hash_storage_key`, `hash_subject`, `store_metadata`

Migration from `session.cookie.lifetime`
The old `session.cookie.lifetime` (default 3600s) mapped loosely to a single cookie expiry. In `lua-resty-session` 4.x this is replaced by three independent timeouts that give much finer-grained control:
- `idling_timeout`: invalidate after inactivity
- `rolling_timeout`: force renewal after duration
- `absolute_timeout`: hard session max lifetime

Breaking change
Please note that even if I am mentioning this as a breaking change, `session.cookie.lifetime` is already ignored by the resty.session plugin in the APISIX main branch and the 3.15 release, possibly happening on older versions as well.

`session.cookie.lifetime` is no longer accepted. Existing configurations using this property will be rejected by schema validation (additionalProperties = false). Users should migrate to `idling_timeout`, `rolling_timeout`, and/or `absolute_timeout`.

Files changed
- `apisix/plugins/openid-connect.lua`: replaced session schema with `lua-resty-session` 4.x properties
- `docs/en/latest/plugins/openid-connect.md`: updated English documentation
- `docs/zh/latest/plugins/openid-connect.md`: updated Chinese documentation
- `t/plugin/openid-connect10.t`: 14 new schema validation tests covering valid configs, invalid enum/type values, deprecated property rejection, and unknown property rejection

Which issue(s) this PR fixes:
Fixes #13177
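As an added example (my own code, not APISIX's or lua-resty-session's), the migration from `session.cookie.lifetime` to the three 4.x timeouts described above, plus the multi-session cookie scoping the contributor's reply asks for, modelled in Python: it rejects the deprecated key the way `additionalProperties = false` does, maps the old lifetime onto `absolute_timeout` (the mapping the PR author calls the closest equivalent), fills in the defaults the description quotes, warns when a shorter `absolute_timeout` makes the other two timeouts unreachable, and flags two route session blocks whose cookies a browser would send together. `secret` as a still-accepted key, the default cookie name `session` and the default cookie path `/` are assumptions, not taken from this page.

```python
"""Migration and sanity checks for the APISIX openid-connect `session` block.

Added example, not APISIX or lua-resty-session code. It models the schema
change in the PR: `session.cookie.lifetime` is dropped and only the
lua-resty-session 4.x flat keys are accepted (additionalProperties = false).
"""
import copy

# Flat keys the PR description lists for lua-resty-session 4.x.
# `secret` is assumed to stay in the schema (it is not part of the PR's list).
SESSION_KEYS = {
    "secret", "cookie_name", "cookie_prefix", "cookie_path", "cookie_domain",
    "cookie_http_only", "cookie_secure", "cookie_priority", "cookie_same_site",
    "cookie_same_party", "cookie_partitioned", "idling_timeout",
    "rolling_timeout", "absolute_timeout", "remember", "remember_cookie_name",
    "remember_rolling_timeout", "remember_absolute_timeout", "remember_safety",
    "audience", "subject", "enforce_same_subject", "stale_ttl",
    "touch_threshold", "compression_threshold", "hash_storage_key",
    "hash_subject", "store_metadata",
}
TIMEOUT_KEYS = ("idling_timeout", "rolling_timeout", "absolute_timeout")
# Defaults quoted in the PR description, in seconds.
TIMEOUT_DEFAULTS = {"idling_timeout": 900, "rolling_timeout": 3600,
                    "absolute_timeout": 86400}
# lua-resty-session cookie-scope defaults, assumed here.
DEFAULT_COOKIE_NAME = "session"
DEFAULT_COOKIE_PATH = "/"


def migrate_session(session):
    """Copy `session`, moving legacy `cookie.lifetime` to `absolute_timeout`.

    An `absolute_timeout` already present wins over the legacy value.
    """
    new = copy.deepcopy(session)
    legacy = new.pop("cookie", None)
    if legacy is None:
        return new
    if not isinstance(legacy, dict):
        raise ValueError("session.cookie must be an object")
    lifetime = legacy.pop("lifetime", None)
    if legacy:  # nothing else under `cookie` has a 4.x equivalent here
        raise ValueError("unknown legacy keys under session.cookie: %s"
                         % sorted(legacy))
    if lifetime is not None:
        new.setdefault("absolute_timeout", lifetime)
    return new


def validate_session(session):
    """Mirror the schema: reject the deprecated key and anything unlisted."""
    errors = []
    if "cookie" in session:
        errors.append("session.cookie.lifetime is no longer accepted; use "
                      "idling_timeout, rolling_timeout or absolute_timeout")
    for key in sorted(session):
        if key != "cookie" and key not in SESSION_KEYS:
            errors.append("unknown session property: %s" % key)
    for key in TIMEOUT_KEYS:
        value = session.get(key)
        if value is not None and (isinstance(value, bool)
                                  or not isinstance(value, int) or value < 0):
            errors.append("%s must be a non-negative integer (seconds)" % key)
    return errors


def effective_timeouts(session):
    """Timeouts that will actually apply once defaults are filled in."""
    return {k: session.get(k, TIMEOUT_DEFAULTS[k]) for k in TIMEOUT_KEYS}


def session_warnings(session):
    """Non-fatal findings to raise before the config is deployed."""
    warnings = []
    t = effective_timeouts(session)
    for key in ("idling_timeout", "rolling_timeout"):
        if t["absolute_timeout"] < t[key]:  # hard cap fires first
            warnings.append("%s (%ds) exceeds absolute_timeout (%ds) and will "
                            "never trigger" % (key, t[key], t["absolute_timeout"]))
    if session.get("cookie_secure") is False:
        warnings.append("cookie_secure=false lets the session cookie travel "
                        "over plain HTTP")
    return warnings


def _path_overlaps(a, b):
    """Cookie path matching: a cookie at /app is sent for /app and /app/..."""
    a, b = a.rstrip("/") or "/", b.rstrip("/") or "/"
    short, long_ = sorted((a, b), key=len)
    return short == "/" or long_ == short or long_.startswith(short + "/")


def cookie_conflicts(sessions):
    """Index pairs of session blocks whose cookies a browser could send together.

    Same cookie_name on overlapping cookie_path values means two openid-connect
    routes compete for one cookie; distinct names or disjoint paths keep them apart.
    """
    scoped = [(s.get("cookie_name", DEFAULT_COOKIE_NAME),
               s.get("cookie_path", DEFAULT_COOKIE_PATH)) for s in sessions]
    return [(i, j) for i in range(len(scoped)) for j in range(i + 1, len(scoped))
            if scoped[i][0] == scoped[j][0]
            and _path_overlaps(scoped[i][1], scoped[j][1])]
```

Run `migrate_session` on the session block of each route that still carries `cookie.lifetime`, then `validate_session` and `session_warnings` on the result before pushing it through the Admin API; `cookie_conflicts` takes the session blocks of all openid-connect routes on one host and points out which ones need their own `cookie_name` or `cookie_path`.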
Checklist