bug: the `session` cookie field generated by OpenID Connect cannot be modified.

[amberlipp]

Current Behavior

After successful OpenID Connect authentication, the generated cookie field is session and cannot be modified. If the cookie field of the business system is also session, the latter will overwrite the OIDC cookie session.

Expected Behavior

Add a name configuration parameter to schema.session of the OpenID Connect plugin to support customizing the cookie field name.
example as fllow:
session = {
type = "object",
properties = {
name = {
type = "string",
description = "session name",
default = "OIDC_SESSION",
},
secret = {
type = "string",
description = "the key used for the encrypt and HMAC calculation",
minLength = 16,
},

Error Logs

No response

Steps to Reproduce

1. The cookie field generated by the business system is set to session.
2. Deploy APISIX to connect to a certain authentication source.
3. APISIX uses the header identity passthrough method when connecting to the business system.
4. After successful APISIX SSO authentication, a cookie with the field session is generated, and requests to the business system are forwarded normally.
5. If the business system response sets a cookie with the same field session, it will overwrite the session cookie generated by APISIX.

Environment

• APISIX version (run apisix version): 3.14
• Operating system (run uname -a): Linux localhost.localdomain 5.10.134-13.an8.x86_64 change: added doc of how to load plugin. #1 SMP Mon Jan 9 10:39:46 CST 2023 x86_64 x86_64 x86_64 GNU/Linux
• OpenResty / Nginx version (run openresty -V or nginx -V): nginx version: openresty/1.27.1.2
• etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
• APISIX Dashboard version, if relevant:
• Plugin runner version, for issues related to plugin runners:
• LuaRocks version, for installation issues (run luarocks --version):

[amberlipp]

Problem Description
The business system sets a cookie with the key session.
APISIX is deployed and integrated with an OIDC identity provider.
APISIX passes the authenticated identity to the backend business system via request headers.
After successful APISIX SSO (OIDC) authentication, APISIX also generates a cookie named session.
When the backend business system responds, it sets its own session cookie, which overwrites the session cookie created by APISIX.
Root Cause
The APISIX OpenID Connect plugin currently uses a fixed cookie name session and does not support customizing the cookie name via configuration.
When the backend application also uses a cookie named session, the two cookies conflict and overwrite each other, causing login state loss or SSO failure.
Suggestion
Add a configurable name field under session in the OIDC plugin schema, so users can customize the cookie name (e.g., apisix_session, oidc_session) to avoid conflict with the backend business system’s session cookie.

[Baoyuantop]

Hi, thank you for the detailed report.

After reviewing the plugin source code, we can confirm that the session configuration object currently only exposes secret, cookie.lifetime, storage, and redis options. There is no name parameter to customize the session cookie name. The underlying lua-resty-openidc library defaults to using session as the cookie name, and APISIX provides no way to override this. We welcome a PR to implement this enhancement.

[francescodedomenico]

Hello @Baoyuantop and @amberlipp -> In my projects I have been in the need to customize sessions for two distings subpaths, lua-resty-openidc gives the possibility to fully take advantage of https://github.com/bungle/lua-resty-session - however I noticed that the cookie.lifetime parameter is ignored by resty.session since it has been deprecated in session 4.x.

I have opened a bug #13177 for this and opened a pull request.

@amberlipp meanwhile the PR #13178 gets worked out you can download the openid-connect.lua file from my repository and mount it in an apisix container eg:

./openid-connect.lua:/usr/local/apisix/apisix/plugins/openid-connect.lua

Hope this helps

edit: added PR link