peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

openid: Check for role when authenticating

Browse Source
This commit is contained in:
Giulio De Pasquale 2022-10-28 22:00:29 +02:00
parent 09e3ef237b
commit 2a7af4e910
1 changed files with 26 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
hosts/architect/openid.nix
View File

@ -1,15 +1,18 @@
{ lib }:
{ {
openresty_oidc_block = { realm, client_id, client_secret, redirect_uri }: '' openresty_oidc_block =
{ realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
access_by_lua_block { access_by_lua_block {
local opts = { local opts = {
redirect_uri_path = "/redirect_uri",
accept_none_alg = true,
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration", discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
client_id = "${client_id}", client_id = "${client_id}",
client_secret = "${client_secret}", client_secret = "${client_secret}",
logout_path = "/logout", logout_path = "/logout",
redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}", redirect_after_logout_uri = "/",
redirect_after_logout_with_id_token_hint = false, redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true
} }
-- call introspect for OAuth 2.0 Bearer Access Token validation -- call introspect for OAuth 2.0 Bearer Access Token validation
@ -20,6 +23,15 @@
ngx.say(err) ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN) ngx.exit(ngx.HTTP_FORBIDDEN)
end end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
} }
''; '';
} }