nginx, openid: Allow IP whitelist to bypass OpenID auth

This commit is contained in:
Giulio De Pasquale 2022-11-29 14:53:17 +01:00
parent ae4c55fdee
commit 30fd214734
2 changed files with 35 additions and 17 deletions

View File

@ -68,6 +68,16 @@ in {
return false
end
function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do
if ip == x then
return true
end
end
return false
end
}
'';

View File

@ -2,7 +2,7 @@
{
openresty_oidc_block =
{ access_role ? "" }: ''
{ access_role ? "", whitelisted_ips ? [] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@ -18,6 +18,14 @@
access_token_expires_in = 86400
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)