-
-
Notifications
You must be signed in to change notification settings - Fork 248
Sample Configuration for Google Signin
Harold Simpson edited this page Jul 27, 2018
·
2 revisions
events {
worker_connections 128;
}
http {
lua_package_path '~/lua/?.lua;;';
resolver 8.8.8.8;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;
# NB: if you have "lua_code_cache off;", use:
# set $session_secret xxxxxxxxxxxxxxxxxxx;
# see: https://github.com/bungle/lua-resty-session#notes-about-turning-lua-code-cache-off
server {
listen 8080;
location / {
access_by_lua_block {
local opts = {
-- the full redirect URI must be protected by this script and becomes:
-- ngx.var.scheme.."://"..ngx.var.http_host..opts.redirect_uri_path
-- unless the scheme is overridden using opts.redirect_uri_scheme or an X-Forwarded-Proto header in the incoming request
redirect_uri_path = "/redirect_uri",
discovery = "https://accounts.google.com/.well-known/openid-configuration",
client_id = "<client_id>",
client_secret = "<client_secret>"
--authorization_params = { hd="zmartzone.eu" },
--scope = "openid email profile",
-- Refresh the users id_token after 900 seconds without requiring re-authentication
--refresh_session_interval = 900,
--iat_slack = 600,
--redirect_uri_scheme = "https",
--logout_path = "/logout",
--redirect_after_logout_uri = "/",
-- Where should the user be redirected after logout from the RP. This option overides any end_session_endpoint that the OP may have provided in the discovery response.
--redirect_after_logout_with_id_token_hint = true,
-- Whether the redirection after logout should include the id token as an hint (if available). This option is used only if redirect_after_logout_uri is set.
--post_logout_redirect_uri = "https://www.zmartzone.eu/logoutSuccessful",
-- Where does the RP requests that the OP redirects the user after logout. If this option is set to a relative URI, it will be relative to the OP's logout endpoint, not the RP's.
--token_endpoint_auth_method = ["client_secret_basic"|"client_secret_post"],
--ssl_verify = "no"
--accept_none_alg = false
-- if your OpenID Connect Provider doesn't sign its id tokens
-- (uses the "none" signature algorithm) then set this to true.
--accept_unsupported_alg = true
-- if you want to reject tokens signed using an algorithm
-- not supported by lua-resty-jwt set this to false. If
-- you leave it unset or set it to true, the token signature will not be
-- verified when an unsupported algorithm is used.
--renew_access_token_on_expiry = true
-- whether this plugin shall try to silently renew the access token once it is expired if a refresh token is available.
-- if it fails to renew the token, the user will be redirected to the authorization endpoint.
--access_token_expires_in = 3600
-- Default lifetime in seconds of the access_token if no expires_in attribute is present in the token endpoint response.
--access_token_expires_leeway = 0
-- Expiration leeway for access_token renewal. If this is set, renewal will happen access_token_expires_leeway seconds before the token expiration. This avoids errors in case the access_token just expires when arriving to the OAuth Resource Server.
--force_reauthorize = false
-- When force_reauthorize is set to true the authorization flow will be executed even if a token has been cached already
--session_contents = {id_token=true}
-- Whitelist of session content to enable. This can be used to reduce the session size.
-- When not set everything will be included in the session.
-- Available are:
-- id_token, enc_id_token, user, access_token (includes refresh token)
-- You can specify timeouts for connect/send/read as a single number (setting all timeouts) or as a table. Values are in milliseconds
-- timeout = 1000
-- timeout = { connect = 500, send = 1000, read = 1000 }
-- Optional : use outgoing proxy to the OpenID Connect provider endpoints with the proxy_opts table :
-- this requires lua-resty-http >= 0.12
-- proxy_opts = {
-- http_proxy = "http://<proxy_host>:<proxy_port>/",
-- https_proxy = "http://<proxy_host>:<proxy_port>/"
-- }
}
-- call authenticate for OpenID Connect user authentication
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 500
ngx.say(err)
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
-- at this point res is a Lua table with 3 keys:
-- id_token : a Lua table with the claims from the id_token (required)
-- access_token: the access token (optional)
-- user : a Lua table with the claims returned from the user info endpoint (optional)
--if res.id_token.hd ~= "zmartzone.eu" then
-- ngx.exit(ngx.HTTP_FORBIDDEN)
--end
--if res.user.email ~= "hans.zandbelt@zmartzone.eu" then
-- ngx.exit(ngx.HTTP_FORBIDDEN)
--end
-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-USER", res.id_token.sub)
}
proxy_pass http://localhost:80;
}
}
}