2022-10-28 21:00:29 +01:00
|
|
|
{ lib }:
|
|
|
|
|
|
2022-10-28 13:43:55 +01:00
|
|
|
{
|
2022-10-28 21:00:29 +01:00
|
|
|
openresty_oidc_block =
|
|
|
|
|
{ realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
|
|
|
|
|
access_by_lua_block {
|
|
|
|
|
local opts = {
|
|
|
|
|
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
|
|
|
|
|
client_id = "${client_id}",
|
|
|
|
|
client_secret = "${client_secret}",
|
|
|
|
|
logout_path = "/logout",
|
|
|
|
|
redirect_after_logout_uri = "/",
|
|
|
|
|
redirect_uri = "/redirect_uri",
|
|
|
|
|
keepalive = "yes",
|
|
|
|
|
accept_none_alg = true
|
|
|
|
|
}
|
2022-10-28 13:43:55 +01:00
|
|
|
|
|
|
|
|
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
|
|
|
|
local res, err = require("resty.openidc").authenticate(opts)
|
|
|
|
|
|
|
|
|
|
if err then
|
|
|
|
|
ngx.status = 403
|
|
|
|
|
ngx.say(err)
|
|
|
|
|
ngx.exit(ngx.HTTP_FORBIDDEN)
|
|
|
|
|
end
|
2022-10-28 21:00:29 +01:00
|
|
|
|
|
|
|
|
${lib.optionalString (access_role != "") ''
|
|
|
|
|
if not check_role(res, "${access_role}") then
|
|
|
|
|
ngx.status = 401
|
|
|
|
|
ngx.header.content_type = 'text/html';
|
|
|
|
|
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
|
|
|
|
|
ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
|
|
|
|
end
|
|
|
|
|
''}
|
|
|
|
|
}
|
|
|
|
|
'';
|
2022-10-28 13:43:55 +01:00
|
|
|
}
|
