{% if openidc_enabled -%}
access_by_lua_block {
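local openidc = require("resty.openidc")

-- Options for lua-resty-openidc. The "{{- ... -}}" placeholders are
-- template variables substituted when this config is rendered.
local opts = {
  redirect_uri = "{{- openidc_redirect_uri -}}",
  discovery = "{{- openidc_discovery -}}",
  token_endpoint_auth_method = "{{- openidc_auth_method -}}",
  client_id = "{{- openidc_client_id -}}",
  client_secret = "{{- openidc_client_secret -}}",
  scope = "openid email profile"
}

-- Run the OpenID Connect authentication flow for this request.
-- `res` carries the session/id_token data, `err` a failure description.
local res, err = openidc.authenticate(opts)

if err then
  -- Keep the detailed failure reason in the server log only: the raw
  -- error string can carry provider or configuration details that should
  -- not be disclosed to an unauthenticated client, so the response body
  -- is a fixed generic message.
  ngx.log(ngx.ERR, "openidc.authenticate failed: ", err)
  ngx.status = 500
  ngx.say("Authentication error")
  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end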
{% if openidc_restrict_users_enabled -%}
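--- Return true when `val` equals one of the entries of sequence `list`.
-- The parameter was renamed from `table` so it no longer shadows the
-- standard `table` library inside the function body.
-- @tparam table list  sequence (1..n) of values to search
-- @param val  value compared with `==` against each entry
-- @treturn boolean true if found, false otherwise
local function contains(list, val)
  for _, entry in ipairs(list) do
    if entry == val then
      return true
    end
  end
  return false
end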
local allowed_users = {
{% for user in openidc_allowed_users %}
"{{ user }}",
{% endfor %}
}
-- Allowlist check keyed on the id_token email claim; any identity not
-- listed gets 403. NOTE(review): the claim is compared as-is with `==`
-- (no email_verified check, no case normalisation), so whether an
-- unverified or differently-cased address should be accepted is worth
-- confirming against the identity provider's behaviour.
if not contains(allowed_users, res.id_token.email) then
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
{% endif -%}
-- Forward identity claims to the upstream as request headers.
-- ngx.req.set_header replaces any same-named header the client sent, so
-- the upstream only sees the values set here; a nil claim clears the
-- header instead of leaving a client-supplied value in place.
ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
}
{% endif %}