shreemaan-abhishek commented on issue #13440: URL: https://github.com/apache/apisix/issues/13440#issuecomment-4601634727
Thanks for the debug log @ronnybremer, that pinned it down. Confirmed: this is a real bug. It is not in `response-rewrite` or in the plugin logic. The array gets lost during the session cookie round trip.

### How the bug occurs, step by step

1. Your IDP returns `"roles": []`.
2. `lua-resty-openidc` decodes this JSON into a Lua table. APISIX configures the JSON library to put a special "this is an array" tag on decoded arrays ([`core/json.lua:35`](https://github.com/apache/apisix/blob/release/3.16/apisix/core/json.lua#L35)). So at this point `roles` is an empty table tagged as an array. This is why your debug log still shows `[]`.
3. The user object is saved into your session cookie. The tag survives, the cookie still contains `"roles":[]`.
4. On the next request, `lua-resty-session` decodes the cookie back into a Lua table. Problem: it uses its **own private copy** of the JSON library ([`utils.lua:248`](https://github.com/bungle/lua-resty-session/blob/v4.1.5/lib/resty/session/utils.lua#L248)), and that copy does **not** apply the array tag. So `roles` comes back as a plain empty table.
5. Here is the core issue: in Lua, an empty array and an empty object are the exact same thing, an empty table `{}`. The only way to tell them apart is that tag, and step 4 just dropped it.
6. The plugin now encodes this untagged empty table into the `X-Userinfo` header ([`openid-connect.lua:804`](https://github.com/apache/apisix/blob/release/3.16/apisix/plugins/openid-connect.lua#L804)). The JSON encoder has to guess, and its default for an empty table is object. So you get `"roles":{}`.

### Impact

- Only **empty** arrays break. Non-empty arrays like `["admin"]` have contents that make them recognizable as arrays, so they are fine.
- Happens with any session storage (cookie, Redis, shm), they all use the same serializer.
- `X-ID-Token` claims are affected the same way.

### Fix and workarounds

The proper fix is in `lua-resty-session`: its JSON decoder should tag arrays too.
We will raise this upstream and bump the dependency once fixed. Until then:

- Treat `{}` and `[]` both as "empty" in your client/upstream code.
- Or configure the IDP to omit empty array claims.
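The empty-table ambiguity from steps 2 to 6, and the "treat `{}` and `[]` both as empty" workaround, reproduced as an added example against OpenResty's lua-cjson (this is not code from the issue, APISIX or lua-resty-session; the `roles_of` helper and the sample userinfo documents are constructed for illustration):

```lua
-- Added example: reproduce the empty-array/empty-object ambiguity with
-- OpenResty's lua-cjson. Run under resty/luajit with lua-cjson installed.
local cjson = require("cjson.safe")

-- Step 2: tag decoded arrays with cjson.array_mt, as APISIX configures.
cjson.decode_array_with_array_mt(true)

-- Encode only the roles claim, the way the userinfo header would carry it.
local function encode_roles(userinfo)
  return cjson.encode({ roles = userinfo.roles })
end

-- Constructed userinfo document: an IDP returning an empty roles array.
local userinfo = cjson.decode('{"sub":"alice","roles":[]}')
assert(getmetatable(userinfo.roles) == cjson.array_mt)   -- tag present
assert(encode_roles(userinfo) == '{"roles":[]}')         -- survives encoding

-- Step 4: a decoder that does not apply the tag hands back a plain table.
-- Simulated here by removing the metatable from the same value.
setmetatable(userinfo.roles, nil)
assert(next(userinfo.roles) == nil)                      -- still empty...
assert(encode_roles(userinfo) == '{"roles":{}}')         -- ...but now an object

-- Non-empty arrays are unaffected: their contents identify them.
assert(cjson.encode({ roles = { "admin" } }) == '{"roles":["admin"]}')

-- Workaround on the receiving side (assumed helper, not APISIX code):
-- accept both shapes of "empty" and always hand callers a tagged array,
-- so downstream authorization logic never sees {} for roles.
local function roles_of(userinfo_json)
  local obj = cjson.decode(userinfo_json)
  local roles = obj and obj.roles
  if type(roles) ~= "table" or next(roles) == nil then
    return setmetatable({}, cjson.array_mt)
  end
  return roles
end

assert(#roles_of('{"sub":"alice","roles":{}}') == 0)
assert(#roles_of('{"sub":"alice","roles":[]}') == 0)
assert(roles_of('{"sub":"bob","roles":["admin"]}')[1] == "admin")
print("ok")
```

The same `next(roles) == nil` test is what an upstream written in another language needs: check for emptiness rather than for the JSON type, until the `lua-resty-session` decoder tags arrays.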
