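{ lib }:
{
  # Builds the text of an nginx `access_by_lua_block` that protects a location
  # with OpenID Connect via lua-resty-openidc.
  #
  # Arguments:
  #   realm         - realm name, substituted into the discovery URL.
  #   client_id     - OIDC client identifier.
  #   client_secret - OIDC client secret.
  #   redirect_uri  - NOTE(review): accepted but never used; the Lua option
  #                   below is fixed to "/redirect_uri". Kept so existing
  #                   callers keep working.
  #   access_role   - optional role name; when non-empty the generated block
  #                   also calls check_role(res, role) and rejects on failure.
  #
  # Security notes:
  #   * client_secret is interpolated into the returned text. If that text is
  #     rendered into a store-built nginx configuration it becomes readable by
  #     every local user; consider reading the secret at runtime from a file
  #     outside the store instead.
  #   * All arguments are pasted into Lua string literals without escaping. A
  #     double quote or backslash in any of them changes the generated Lua, so
  #     pass only values you control.
  openresty_oidc_block =
    { realm
    , client_id
    , client_secret
    , redirect_uri
    , access_role ? ""
    }:
    ''
      access_by_lua_block {
        local opts = {
          discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
          client_id = "${client_id}",
          client_secret = "${client_secret}",
          logout_path = "/logout",
          redirect_after_logout_uri = "/",
          redirect_uri = "/redirect_uri",
          keepalive = "yes",
          -- accept_none_alg stays false: an ID token with alg "none" carries no
          -- signature, so accepting it would skip signature verification.
          accept_none_alg = false
        }

        -- Run the OpenID Connect login flow, or reuse an existing session.
        local res, err = require("resty.openidc").authenticate(opts)

        if err or not res then
          -- Keep the detailed error in the server log; the client only gets a
          -- generic message so internal details are not disclosed.
          ngx.log(ngx.ERR, "OIDC authentication failed: ", tostring(err))
          ngx.status = ngx.HTTP_FORBIDDEN
          ngx.say("Authentication failed.")
          return ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        ${lib.optionalString (access_role != "") ''
          -- check_role is not defined in this block; it is presumably provided
          -- elsewhere in the nginx Lua setup. TODO confirm it is loaded.
          if not check_role(res, "${access_role}") then
            ngx.status = 401
            ngx.header.content_type = 'text/html';
            ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
            return ngx.exit(ngx.HTTP_UNAUTHORIZED)
          end
        ''}
      }
    '';
}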