|
set $session_cipher none; # don't need to encrypt the session content, it's an opaque identifier |
|
set $session_storage shm; # use shared memory |
|
set $session_cookie_persistent on; # persist cookie between browser sessions |
|
set $session_cookie_renew 3600; # new cookie every hour |
|
set $session_cookie_lifetime 86400; # lifetime for persistent cookies |
|
set $session_name sess_auth; # name of the cookie to store the session identifier in |
|
|
|
set $session_shm_store sessions; # name of the dict to store sessions in |
|
# See https://github.com/bungle/lua-resty-session#shared-dictionary-storage-adapter for the following options |
|
set $session_shm_uselocking off; |
|
set $session_shm_lock_exptime 3; |
|
set $session_shm_lock_timeout 2; |
|
set $session_shm_lock_step 0.001; |
|
set $session_shm_lock_ratio 1; |
|
set $session_shm_lock_max_step 0.5; |
|
|
|
|
|
access_by_lua_block { |
|
local opts = { |
|
discovery = "https://dev-xxxxxxxxxx.okta.com/oauth2/default/.well-known/oauth-authorization-server", |
|
-- Create an application with your OIDC provider and use the returned client ID and secret here |
|
client_id = "CLIENT_ID", |
|
client_secret = "CLIENT_SECRET", |
|
redirect_uri_path = "/auth", |
|
redirect_uri_scheme = "https", |
|
logout_path = "/logout", |
|
-- Scopes to request; group contains group memberships, offline_access gives us a refresh token |
|
scope = "openid email profile offline_access", |
|
redirect_after_logout_uri = "https://dev-xxxxxxxxxx.okta.com/oauth2/default/v1/logout", |
|
redirect_after_logout_with_id_token_hint = false, |
|
renew_access_token_on_expiry = true, |
|
access_token_expires_leeway = 60, |
|
-- Storing the access token also includes the refresh token letting the server transparently |
|
-- renew the session |
|
session_contents = {id_token=true, access_token=true}, |
|
ssl_verify = "no" |
|
} |
|
|
|
|
|
-- call authenticate for OpenID Connect user authentication |
|
local res, err = require("resty.openidc").authenticate(opts) |
|
if err then |
|
ngx.status = 500 |
|
ngx.say(err) |
|
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) |
|
end |
|
|
|
-- set data from the ID token as HTTP Request headers |
|
ngx.req.set_header("X-Auth-Audience", res.id_token.aud) |
|
ngx.req.set_header("X-Auth-Email", res.id_token.email) |
|
ngx.req.set_header("X-Auth-ExpiresIn", res.id_token.exp) |
|
ngx.req.set_header("X-Auth-Groups", res.id_token.groups) |
|
ngx.req.set_header("X-Auth-Name", res.id_token.name) |
|
ngx.req.set_header("X-Auth-Subject", res.id_token.sub) |
|
ngx.req.set_header("X-Auth-Userid", res.id_token.preferred_username) |
|
ngx.req.set_header("X-Remote-User", res.id_token.preferred_username) |