I am trying to configure lua-resty-openidc with an OpenResty NGINX server. Using the authentication for a website.
Does anybody know, if I can let the session end or force the client to refresh the token?
I tested by ending a session within the authentication system Keycloak, nothing happens and the user has still access, stays on the website, and doesn't need to reauthenticate.
access_by_lua '
local opts = {
redirect_uri = "https://domain/redirect_uri",
accept_none_alg = true,
discovery = "https://a.domain/auth/realms/realm/.well-known/openid-configuration",
client_id = "CLIENT",
client_secret = "SEEECREET",
redirect_uri_scheme = "https",
logout_path = "/logout",
redirect_after_logout_uri = "https://a.domain/auth/realms/realm/protocol/openid-connect/logout?redirect_uri=https://www.domain",
redirect_after_logout_with_id_token_hint = false,
session_contents = {id_token=true},
access_token_expires_in = 3600,
renew_access_token_on_expiry = true
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local oidc = require("resty.openidc")
local res, err = oidc.authenticate(opts)
-- deal with err not being nil
if err then
ngx.status = 500
ngx.say(err)
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
if (res.id_token.roles == nil or res.id_token.roles == "") then
ngx.log(ngx.INFO, "No Roles, therefore denied access to " .. res.id_token.preferred_username)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
if not string.find(res.id_token.roles, "searchRole") then
ngx.log(ngx.INFO, "Denied acces to " .. res.id_token.preferred_username)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
';