0
votes

I am trying to configure lua-resty-openidc with an OpenResty NGINX server. Using the authentication for a website.

Does anybody know, if I can let the session end or force the client to refresh the token?

I tested by ending a session within the authentication system Keycloak, nothing happens and the user has still access, stays on the website, and doesn't need to reauthenticate.

access_by_lua '
    local opts = {          
            redirect_uri = "https://domain/redirect_uri",
            accept_none_alg = true,
            discovery = "https://a.domain/auth/realms/realm/.well-known/openid-configuration",
            client_id = "CLIENT",
            client_secret = "SEEECREET",
            redirect_uri_scheme = "https",
            logout_path = "/logout",
            redirect_after_logout_uri = "https://a.domain/auth/realms/realm/protocol/openid-connect/logout?redirect_uri=https://www.domain",
            redirect_after_logout_with_id_token_hint = false,
            session_contents = {id_token=true},
            access_token_expires_in = 3600,
            renew_access_token_on_expiry = true 
        }
        -- call introspect for OAuth 2.0 Bearer Access Token validation                         
        local oidc = require("resty.openidc")
        local res, err = oidc.authenticate(opts)

        -- deal with err not being nil
        if err then
            ngx.status = 500
            ngx.say(err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
        
        
        if  (res.id_token.roles == nil or res.id_token.roles == "") then
            ngx.log(ngx.INFO, "No Roles, therefore denied access to " .. res.id_token.preferred_username)   
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        
        
        if not string.find(res.id_token.roles, "searchRole") then   
            ngx.log(ngx.INFO, "Denied acces to " .. res.id_token.preferred_username)                    
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end         

  ';
When you say authorization I thing you really mean authentication no? - dreamcrash
Yes thank you, updated the question :-) - Airwave