nginx, openid: Allow IP whitelist to bypass OpenID auth
This commit is contained in:
parent
ae4c55fdee
commit
30fd214734
@ -68,6 +68,16 @@ in {
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
function is_ip_whitelisted(ip, whitelist)
|
||||
for _, x in ipairs(whitelist) do
|
||||
if ip == x then
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
}
|
||||
'';
|
||||
|
||||
|
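Review bot: `is_ip_whitelisted` is defined as a global (no `local`) and compares with plain `==`, so only an exact textual match counts: no CIDR ranges, and other spellings of the same address (IPv4-mapped IPv6, different hex case) will not match. An LDoc header above the function should state this contract, e.g. `--- Exact-match lookup of ip in whitelist (a sequence of address strings); no CIDR or address normalisation.` Whether the global is intentional depends on the Lua phase this block runs in, which lies outside the hunk: in an init phase it is how the helper becomes visible to later `access_by_lua_block`s, elsewhere it would trip OpenResty's global-variable warning. The enclosing Lua block and the Nix string wrapping it both begin before this hunk.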
@ -2,7 +2,7 @@
|
||||
|
||||
{
|
||||
openresty_oidc_block =
|
||||
{ access_role ? "" }: ''
|
||||
{ access_role ? "", whitelisted_ips ? [] }: ''
|
||||
access_by_lua_block {
|
||||
local opts = {
|
||||
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
||||
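Review bot: The new `whitelisted_ips ? []` parameter is undocumented, although its effect is to skip OpenID authentication altogether for matching source addresses. A one-line Nix comment above `openresty_oidc_block =` would make the contract explicit, e.g. `# whitelisted_ips: exact remote_addr strings that skip OIDC entirely (presumably including the access_role check)`. The `access_role` handling itself is outside the visible hunks, so confirm whether the bypass is meant to exempt it as well.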
@ -18,6 +18,14 @@
|
||||
access_token_expires_in = 86400
|
||||
}
|
||||
|
||||
${lib.optionalString (whitelisted_ips != []) ''
|
||||
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
|
||||
|
||||
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
|
||||
return
|
||||
end
|
||||
''}
|
||||
|
||||
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
||||
local res, err = require("resty.openidc").authenticate(opts)
|
||||
|
||||
|
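Review bot: The check `if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then return end` trusts the peer address of the TCP connection; if this nginx sits behind another proxy or load balancer, `remote_addr` is that proxy's address unless the realip module (`set_real_ip_from`/`real_ip_header`) is configured, so a whitelist entry for the proxy would exempt every client passing through it. Worth a comment above the check, e.g. `-- matched against the direct peer address; behind an upstream proxy this is the proxy, not the client`. Because the `return` precedes `authenticate(opts)`, whitelisted addresses also skip whatever follows it in the block, which is presumably intended but should be documented on `whitelisted_ips`. Separately, each address is spliced into Lua source verbatim by `concatMapStringsSep "," (x: "\"${x}\"")`; mapping with `builtins.toJSON` instead would produce a properly escaped string literal and avoid a malformed block if an entry ever contains a quote or backslash.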