openid: Check for role when authenticating

2022-10-28 22:00:29 +02:00 · 2022-10-28 22:00:29 +02:00 · 2a7af4e910
commit 2a7af4e910
parent 09e3ef237b
1 changed files with 26 additions and 14 deletions
--- a/hosts/architect/openid.nix
+++ b/hosts/architect/openid.nix
@ -1,15 +1,18 @@
+{ lib }:
+
 {
-  openresty_oidc_block = { realm, client_id, client_secret, redirect_uri }: ''
+  openresty_oidc_block =
+    { realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
      access_by_lua_block {
        local opts = {
-        redirect_uri_path = "/redirect_uri",
-        accept_none_alg = true,
          discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
          client_id = "${client_id}",
          client_secret = "${client_secret}",
          logout_path = "/logout",
-        redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
-        redirect_after_logout_with_id_token_hint = false,
+          redirect_after_logout_uri = "/",
+          redirect_uri = "/redirect_uri",
+          keepalive = "yes",
+          accept_none_alg = true
      }

      -- call introspect for OAuth 2.0 Bearer Access Token validation
@ -20,6 +23,15 @@
        ngx.say(err)
        ngx.exit(ngx.HTTP_FORBIDDEN)
      end
+
+      ${lib.optionalString (access_role != "") ''
+        if not check_role(res, "${access_role}") then
+          ngx.status = 401
+          ngx.header.content_type = 'text/html';
+          ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
+          ngx.exit(ngx.HTTP_UNAUTHORIZED)
+        end
+      ''}
      }
    '';
 }