zhangyue0o0 opened a new issue, #13490:
URL: https://github.com/apache/apisix/issues/13490

   ### Current Behavior
   
   When configuring the OpenID-Connect plugin in APISIX with Redis for session storage, the `session.cookie.lifetime` parameter is completely ignored. The Redis session TTL is always 3600 seconds, regardless of the configured lifetime value.
   
   **Root Cause Analysis:**
   
   The APISIX openid-connect plugin (line 799 in apisix/plugins/openid-connect.lua) passes `conf.session` directly to openidc.authenticate(), which in turn passes it to lua-resty-session. However:
   
   1. User configuration uses: `session.cookie.lifetime`
   2. lua-resty-session recognizes: `rolling_timeout`, `idling_timeout`, `absolute_timeout`
   3. The plugin never maps the user field to lua-resty-session's expected fields
   4. Without the mapping, lua-resty-session defaults to `rolling_timeout = 3600`
   5. Redis session TTL is calculated from `rolling_timeout`, so it's always 3600 seconds
   
   The user's lifetime configuration is silently ignored with no error messages.
   
   ### Expected Behavior
   
   When `session.cookie.lifetime` is configured (e.g., 7200 seconds), the Redis session TTL should match exactly this value. User sessions should expire according to the configured lifetime, not the hardcoded 3600-second default.
   
   ### Error Logs
   
   No error logs. The issue is silent—sessions just expire unexpectedly after 1 hour no matter what lifetime value is configured. The bug manifests as unexpected session expiration during normal operation.
   
   ### Steps to Reproduce
   
   1. Configure APISIX openid-connect plugin with Redis session storage and custom lifetime:

      Route Configuration:

      ```json
      {
        "uri": "/protected",
        "plugins": {
          "openid-connect": {
            "client_id": "test-client",
            "client_secret": "secret",
            "discovery": "https://your-oidc-provider/.well-known/openid-configuration",
            "session": {
              "secret": "your-secret-key-minimum-16-characters",
              "cookie": {
                "lifetime": 7200
              },
              "storage": "redis",
              "redis": {
                "host": "127.0.0.1",
                "port": 6379
              }
            }
          }
        },
        "upstream": {"nodes": {"httpbin.org:80": 1}, "type": "roundrobin"}
      }
      ```
   
   2. Authenticate a user through the APISIX OpenID-Connect flow
   
   3. Extract the session key from the response cookie
   
   4. Check Redis session TTL:

      ```shell
      redis-cli TTL plugin-limit-count:<session-key>
      ```
   
   5. **Expected Result**: TTL should be ~7200 seconds
      **Actual Result**: TTL is always ~3600 seconds
   
   ### Environment
   
   
   - APISIX version (run `apisix version`):
     3.16.0 (tested, but issue exists in all versions with openid-connect plugin)
   
   - Operating system (run `uname -a`):
     Linux (any Linux distribution)
   
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
     openresty/1.27.1.2 or later
   
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
     N/A (openid-connect doesn't require etcd for this operation)
   
   - APISIX Dashboard version, if relevant:
     N/A
   
   - Plugin runner version, for issues related to plugin runners:
     N/A
   
   - LuaRocks version, for installation issues (run `luarocks --version`):
     N/A
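As an added illustration of the missing mapping described in the root-cause analysis (this is not code from APISIX or lua-resty-session), the helper below translates an APISIX-style `session` table into the `rolling_timeout` field that lua-resty-session reads, rejects an invalid lifetime instead of silently falling back, and checks an observed Redis TTL against the value that was mapped, which is what steps 4 and 5 of the reproduction do by hand. The function names, the return conventions and the 10-second slack are assumptions.

```lua
-- Added example, not APISIX's or lua-resty-session's own code.
-- lua-resty-session's default rolling_timeout, as stated in the report.
local DEFAULT_ROLLING_TIMEOUT = 3600

-- map_session_opts (hypothetical name): copy the route's `session` table and
-- set rolling_timeout from session.cookie.lifetime when it is configured.
-- Returns opts plus "mapped" | "default", or nil plus an error string.
local function map_session_opts(session)
  local opts = {}
  for k, v in pairs(session or {}) do opts[k] = v end  -- do not mutate conf

  local lifetime = session and session.cookie and session.cookie.lifetime
  if lifetime == nil then
    -- nothing configured: make the library default explicit instead of silent
    opts.rolling_timeout = opts.rolling_timeout or DEFAULT_ROLLING_TIMEOUT
    return opts, "default"
  end
  if type(lifetime) ~= "number" or lifetime <= 0 or lifetime % 1 ~= 0 then
    return nil, "session.cookie.lifetime must be a positive integer (seconds)"
  end
  -- Redis TTL is derived from rolling_timeout, so this is the field to set.
  -- idling_timeout / absolute_timeout are left to the library defaults.
  opts.rolling_timeout = lifetime
  return opts, "mapped"
end

-- ttl_consistent (hypothetical name): true when the TTL read via
-- `redis-cli TTL <key>` lies within `slack` seconds of the mapped timeout.
-- A TTL of -2 (key missing) or -1 (no expiry) is always a mismatch.
local function ttl_consistent(observed_ttl, opts, slack)
  slack = slack or 10
  if observed_ttl < 0 then return false end
  local expected = opts.rolling_timeout
  return observed_ttl <= expected and observed_ttl >= expected - slack
end

-- Constructed input mirroring the route in the report.
local opts, how = map_session_opts({
  secret = "your-secret-key-minimum-16-characters",
  cookie = { lifetime = 7200 },
  storage = "redis",
  redis = { host = "127.0.0.1", port = 6379 },
})
assert(how == "mapped" and opts.rolling_timeout == 7200)
assert(ttl_consistent(7195, opts))          -- healthy: TTL tracks lifetime
assert(not ttl_consistent(3598, opts))      -- the symptom from the report
assert(select(2, map_session_opts({ cookie = { lifetime = "2h" } })))
```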


-- 
This is an automated message from the Apache Git Service.