41 lines
1.2 KiB
Nix
41 lines
1.2 KiB
Nix
{ lib }:
|
|
|
|
{
|
|
openresty_oidc_block =
|
|
{ access_role ? "" }: ''
|
|
access_by_lua_block {
|
|
local opts = {
|
|
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
|
client_id = "nginx",
|
|
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
|
|
logout_path = "/logout",
|
|
redirect_after_logout_uri = "/",
|
|
redirect_uri = "/redirect_uri",
|
|
keepalive = "yes",
|
|
accept_none_alg = true,
|
|
revoke_tokens_on_logout = true,
|
|
-- access token valid for a day
|
|
access_token_expires_in = 86400
|
|
}
|
|
|
|
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
|
local res, err = require("resty.openidc").authenticate(opts)
|
|
|
|
if err then
|
|
ngx.status = 403
|
|
ngx.say(err)
|
|
ngx.exit(ngx.HTTP_FORBIDDEN)
|
|
end
|
|
|
|
${lib.optionalString (access_role != "") ''
|
|
if not check_role(res, "${access_role}") then
|
|
ngx.status = 401
|
|
ngx.header.content_type = 'text/html';
|
|
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
|
|
ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
|
end
|
|
''}
|
|
}
|
|
'';
|
|
}
|