I have seen this error logged in stage and prod lately for some of our plugin code leveraging the singletons cache; specifically, it happens when our OIDC provider throws a 401 when validating an access_token:
```
2018/11/27 16:02:01 [warn] 36#0: *26768119 [lua] mlcache.lua:780: get(): callback returned an error (response indicates failure, status=401, body=<!DOCTYPE html>
<!-- template name: http.error.page.template.html -->
<html lang="en" dir="ltr">
<head>
<title>Error</title>
<base href="https://pingidentity.company.com/ " />
<meta name="robots" content="noindex, nofollow" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="viewport" content="initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<meta http-equiv="x-ua-compatible" content="IE=edge" />
<link rel="stylesheet" type="text/css" href="assets/css/main.css" />
</head>
<body>
<div class="ping-container">
<!--
if there is a logo present in the 'company-logo' container,
then 'has-logo' class should be added to 'ping-header' container.
-->
<div class="ping-header">
<span class="company-logo"><!-- client company logo here --></span>
Error
</div><!-- .ping-header -->
<div class="ping-body-container">
<div class="section-title">
Oops
</div>
<div class="ping-messages ping-nopad">
<div>
Looks like something is not right. Please contact your administrator.
</div>
<div class="ping-note-text">
401 - Unauthorized
</div>
</div>
</div> <!-- .ping-body-container -->
<div class="ping-footer-container">
<div class="ping-footer">
<div class="ping-credits"></div>
<div class="ping-copyright">Copyright © 2003-2017. Ping Identity Corporation. All rights reserved.</div>
</div> <!-- .ping-footer -->
</div> <!-- .ping-footer-container -->
</div> <!-- .ping-container -->
</body>
</html>
) but stale value found in shm will be resurrected for 30s (resurrect_ttl), client: **.***.*.***, server: kong, request: "POST /api/service/v1.0 HTTP/1.1", host: "gateway.company.com", referrer: "https://somewebsite.com "
```
Now my code looks like this:
```lua
-- call the userInfo endpoint with access_token
local json, err = singletons.cache:get(access_token, { ttl = 1800 }, openidc_call_userinfo_endpoint, opts, access_token)
return json, err
```
And callback logic like so:
```lua
local http = require "resty.http"

-- make a call to the userinfo endpoint
local function openidc_call_userinfo_endpoint(opts, access_token)
  if not opts.discovery.userinfo_endpoint then
    ngx.log(ngx.DEBUG, "no userinfo endpoint supplied")
    return nil, nil
  end

  local headers = {
    ["Authorization"] = "Bearer "..access_token,
  }

  -- note: at debug log level this line writes the bearer token to the log
  ngx.log(ngx.DEBUG,"authorization header '"..headers.Authorization.."'")

  local httpc = http.new()
  openidc_configure_timeouts(httpc, opts.timeout)
  openidc_configure_proxy(httpc, opts.proxy_opts)
  local res, err = httpc:request_uri(opts.discovery.userinfo_endpoint, {
    headers = headers,
    ssl_verify = (opts.ssl_verify ~= "no")
  })
  if not res then
    err = "accessing ("..opts.discovery.userinfo_endpoint..") failed: "..err
    return nil, err
  end

  ngx.log(ngx.DEBUG, "userinfo response: ", res.body)

  -- parse the response from the user info endpoint
  return openidc_parse_json_response(res)
end
```
And lastly the openidc_parse_json_response() method:
```lua
local cjson_s = require "cjson.safe"

-- parse the JSON result from a call to the OP
local function openidc_parse_json_response(response)
  local err
  local res

  -- check the response from the OP
  if response.status ~= 200 then
    -- the whole response body is concatenated into the error string
    err = "response indicates failure, status="..response.status..", body="..response.body
  else
    -- decode the response and extract the JSON object
    res = cjson_s.decode(response.body)
    if not res then
      err = "JSON decoding failed"
    end
  end

  return res, err
end
```
So in my case the underlying method is populating res with the response from the user validation check, the HTML error blob, and err is populated as well when a 401 Unauthorized comes back from the OIDC validation endpoint. Does that mean mlcache is storing this response and I am leveraging it incorrectly? Ideally I would like these giant error logs to go away in my Kong stdout, and I certainly don't want the singletons cache holding this dumb body of HTML error text if it's doing so. I don't believe the error to be anything critical, as our OIDC proxies work fine from the client's perspective, but this error log on the 401s is bugging me. I made sure to avoid doing things like ngx.exit() or returning responses from the callback methods themselves (ngx.say()), as I was instructed in the past.
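An added example, not part of the original post and not Kong or lua-resty-openidc code: mlcache logs the callback's error string and resurrects a stale value only when the callback returns `nil, err`, so the code below reports a 401 as a plain miss (which stops a rejected token from being served from the stale entry) and keeps the response body out of the error text for other failures. The function names and the `neg_ttl = 30` value are assumptions, and it expects an OpenResty/Kong runtime for `cjson.safe`.

```lua
-- Added example (not from the original post); names are hypothetical.
local cjson_s = require "cjson.safe"

-- Classify the OP's response so the HTML body never enters the error
-- string, and a rejected token is reported as a miss, not as a failure.
local function parse_userinfo_response(response)
  if response.status == 401 then
    -- Definitive "token not valid": nil with no error. mlcache caches this
    -- as a miss for neg_ttl and does not resurrect a stale value.
    return nil, nil
  end
  if response.status ~= 200 then
    -- Real failure: short message carrying the body size only.
    return nil, "userinfo endpoint failed, status=" .. response.status
             .. ", body omitted (" .. #(response.body or "") .. " bytes)"
  end
  local res, decode_err = cjson_s.decode(response.body)
  if not res then
    return nil, "JSON decoding failed: " .. tostring(decode_err)
  end
  return res, nil
end

-- Caller side: `cache` is the mlcache instance (singletons.cache in the
-- post); `fetch` is the callback that performs the HTTP request and ends
-- with `return parse_userinfo_response(res)`.
local function get_userinfo(cache, opts, access_token, fetch)
  -- neg_ttl = 30 is an assumed value: how long a rejected token stays a miss
  local json, err = cache:get(access_token, { ttl = 1800, neg_ttl = 30 },
                              fetch, opts, access_token)
  if err then
    return nil, err              -- OP unreachable or misbehaving
  end
  if json == nil then
    return nil, "unauthorized"   -- cached miss: the OP rejected the token
  end
  return json
end

-- Constructed sample responses (not captured traffic).
local page = "<!DOCTYPE html><html><body>401 - Unauthorized</body></html>"
print(parse_userinfo_response({ status = 401, body = page }))
print(parse_userinfo_response({ status = 503, body = page }))
print(parse_userinfo_response({ status = 200, body = '{"sub":"u1"}' }).sub)
```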