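{ lib }:
{
  # Render an nginx `access_by_lua_block` that gates a location behind OpenID
  # Connect via lua-resty-openidc.  Every option defaults to the value this
  # file used to hard-code, so existing call sites render equivalent Lua.
  #
  # Arguments:
  #   access_role     - role required after login; "" means any authenticated
  #                     user.  Checked with `check_role`, which must be defined
  #                     by the surrounding nginx config (it is not defined here).
  #   whitelisted_ips - addresses that bypass OIDC *and* the role check.  They
  #                     are compared against `ngx.var.remote_addr`, the direct
  #                     peer, so behind a reverse proxy that is the proxy's
  #                     address unless the real client IP is restored first.
  #                     `is_ip_whitelisted` must also be defined elsewhere.
  #   discovery       - OpenID provider discovery document URL.
  #   client_id       - client id registered with the provider.
  #   client_secret   - client secret.  The default is the value this file
  #                     used to embed; whatever is rendered here lands in the
  #                     world-readable Nix store, so callers should supply it
  #                     from a runtime secrets mechanism rather than rely on
  #                     the default.
  #   accept_none_alg - forwarded to lua-resty-openidc.  `true` accepts id
  #                     tokens with alg "none", i.e. tokens whose signature is
  #                     never verified; kept at `true` for compatibility, but
  #                     `false` is the safe setting unless the provider really
  #                     issues unsigned tokens.
  #   access_token_expires_in - fallback access-token lifetime in seconds.
  openresty_oidc_block =
    { access_role ? ""
    , whitelisted_ips ? [ ]
    , discovery ? "https://auth.giugl.io/realms/master/.well-known/openid-configuration"
    , client_id ? "nginx"
    , client_secret ? "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8"
    , accept_none_alg ? true
    , access_token_expires_in ? 86400
    }:
    let
      # Render a Nix string as a quoted Lua literal.  The values are config,
      # not request data, but escaping keeps a stray quote or backslash from
      # breaking the generated block.
      luaString = s: "\"${lib.strings.escape [ "\\" "\"" ] s}\"";
      luaBool = b: if b then "true" else "false";
      # Lua table constructor for the whitelist, e.g. {"10.0.0.1","10.0.0.2"}.
      whitelistLiteral =
        "{${lib.strings.concatMapStringsSep "," luaString whitelisted_ips}}";
    in
    ''
      access_by_lua_block {
        local opts = {
          discovery = ${luaString discovery},
          client_id = ${luaString client_id},
          client_secret = ${luaString client_secret},
          logout_path = "/logout",
          redirect_after_logout_uri = "/",
          redirect_uri = "/redirect_uri",
          keepalive = "yes",
          -- true accepts unsigned (alg "none") id tokens; see the Nix option.
          accept_none_alg = ${luaBool accept_none_alg},
          revoke_tokens_on_logout = true,
          -- access token valid for a day by default
          access_token_expires_in = ${toString access_token_expires_in}
        }

        ${lib.optionalString (whitelisted_ips != [ ]) ''
          -- Whitelisted peers skip authentication and the role check entirely.
          local whitelist = ${whitelistLiteral}
          if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
            return
          end
        ''}

        -- Run the OIDC flow (redirect to login, or validate the session/token).
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
          -- Keep provider/network details in the error log; the client only
          -- needs to know that authentication failed.
          ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
          ngx.status = 403
          ngx.say("Authentication failed.")
          ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        ${lib.optionalString (access_role != "") ''
          -- The user is authenticated but lacks the role.  401 is kept for
          -- compatibility with existing clients; 403 is the conventional code
          -- for an authenticated-but-unauthorized request.
          if not check_role(res, ${luaString access_role}) then
            ngx.status = 401
            ngx.header.content_type = 'text/html';
            ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
            ngx.exit(ngx.HTTP_UNAUTHORIZED)
          end
        ''}
      }
    '';
}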