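{% if openidc_enabled == 1 or openidc_enabled == true -%}
access_by_lua_block {
    -- Require an OpenID Connect login (lua-resty-openidc) before the request
    -- is proxied, optionally restrict access to a list of email addresses,
    -- and hand the identity claims to the upstream as request headers.
    local openidc = require("resty.openidc")

    -- NOTE(review): the template values below are rendered straight into Lua
    -- string literals. A double quote, backslash or newline in any of them
    -- would change the generated code, so they are assumed to be validated or
    -- escaped before rendering; confirm in the code that fills this template.
    -- The client secret ends up in plain text in the generated config file,
    -- so that file needs restrictive permissions.
    local opts = {
        redirect_uri = "{{- openidc_redirect_uri -}}",
        discovery = "{{- openidc_discovery -}}",
        token_endpoint_auth_method = "{{- openidc_auth_method -}}",
        client_id = "{{- openidc_client_id -}}",
        client_secret = "{{- openidc_client_secret -}}",
        scope = "openid email profile"
    }

    local res, err = openidc.authenticate(opts)

    if err or not res then
        -- Keep the library error text in the error log only: it can describe
        -- the exchange with the provider and is of no use to a client that
        -- has not authenticated.
        ngx.log(ngx.ERR, "OpenID Connect authentication failed: ", tostring(err))
        ngx.status = ngx.HTTP_INTERNAL_SERVER_ERROR
        ngx.say("Authentication failed")
        return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end

    -- Indexing a missing id_token below raises a Lua error, so a result
    -- without one fails closed instead of being proxied.
    local id_token = res.id_token

    {% if openidc_restrict_users_enabled == 1 or openidc_restrict_users_enabled == true -%}
    -- Exact, case-sensitive membership test over a list.
    local function contains(list, val)
        for i = 1, #list do
            if list[i] == val then
                return true
            end
        end
        return false
    end

    local allowed_users = {
    {% for user in openidc_allowed_users %}
        "{{ user }}",
    {% endfor %}
    }

    -- NOTE(review): only the email claim is compared; email_verified is not
    -- checked, so this relies on the provider issuing verified addresses.
    -- A missing email claim matches no entry and is rejected.
    if not contains(allowed_users, id_token.email) then
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    {% endif -%}

    -- set_header replaces any value the client sent under the same name (a nil
    -- claim removes the header), so the upstream sees only provider-asserted
    -- identity in these three headers.
    ngx.req.set_header("X-OIDC-SUB", id_token.sub)
    ngx.req.set_header("X-OIDC-EMAIL", id_token.email)
    ngx.req.set_header("X-OIDC-NAME", id_token.name)
}
{% endif %}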