
Multiple Providers

Open sooslaca opened this issue 8 years ago • 7 comments

Hi guys,

Zmartzone apache module has a Multiple Provider feature which is super useful. Do you have a recommendation how I can achieve that with some nginx config combined with lua-resty-openidc?

Thanks in advance

sooslaca avatar Dec 05 '17 21:12 sooslaca

That is not possible with lua-resty-openidc; although you can protect different paths with different setups/providers, you cannot do it for the same path.

Handling multiple providers (on the same path) would require quite a significant enhancement, most probably including dynamic client registration etc.

zandbelt avatar Dec 06 '17 13:12 zandbelt

Thanks zandbelt. I thought of something like creating a non-protected "OP chooser" location, then redirecting back to the protected page, and rewriting your example like:

if the user chooses op1: local res, err = require("resty.openidc").authenticate(opts1) else if the user chooses op2: local res, err = require("resty.openidc").authenticate(opts2)

would that not work? I only don't know how to store the choice.

sooslaca avatar Dec 06 '17 17:12 sooslaca

Using static registration only, that may indeed be pretty close already.

you can create an "opts[]" array with the index being the "issuer"; then you can probably call authenticate(opts[iss], target_url) from the chooser location and then lua-resty-openidc will create a session on return from the OP

you may be able to use the "iss" value from the id_token to map back to opts[iss] in protected locations; there's probably a new function needed to check whether a session object has already been created for the latter

zandbelt avatar Dec 06 '17 18:12 zandbelt
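One way to wire up the chooser/per-issuer opts approach sketched in the two comments above, as an added example (not code from the thread or from the lua-resty-openidc project). It assumes a lua-resty-openidc version that takes the callback path from `opts.redirect_uri` and stores the id_token under `session.data.id_token`, and a lua-resty-session 2.x/3.x `session.data` table; the hostnames, realm URLs, client credentials and the `op1`/`op2` names are placeholders. The choice is not stored separately: each provider gets its own `redirect_uri`, so the callback location knows which opts to use, and from then on the `iss` claim in the session's id_token selects the opts for protected locations.

```nginx
# Added example: one protected path, two OPs, chooser location + per-provider callbacks.
http {
  lua_shared_dict discovery 1m;   # caches the OPs' discovery documents
  lua_shared_dict jwks 1m;        # caches the OPs' signing keys
  resolver 8.8.8.8;

  init_by_lua_block {
    -- One opts table per provider, keyed by the short name the user picks.
    -- Distinct redirect_uri per provider: the callback location derives the opts from its path.
    OIDC_OPTS = {
      op1 = {  -- assumed: the department's own Keycloak
        redirect_uri  = "https://rp.example.com/redirect_uri/op1",
        discovery     = "https://dept-kc.example.com/auth/realms/dept/.well-known/openid-configuration",
        client_id     = "rp-dept",
        client_secret = "change-me",
        scope         = "openid email",
        ssl_verify    = "yes",
      },
      op2 = {  -- assumed: the company's central Keycloak
        redirect_uri  = "https://rp.example.com/redirect_uri/op2",
        discovery     = "https://sso.example.com/auth/realms/company/.well-known/openid-configuration",
        client_id     = "rp-company",
        client_secret = "change-me",
        scope         = "openid email",
        ssl_verify    = "yes",
      },
    }
    -- Map the id_token "iss" value back to a provider name (assumed issuer URLs).
    ISSUER_TO_NAME = {
      ["https://dept-kc.example.com/auth/realms/dept"] = "op1",
      ["https://sso.example.com/auth/realms/company"]  = "op2",
    }
  }

  server {
    listen 443 ssl;
    server_name rp.example.com;

    # Unprotected chooser: /login?op=op1&target=/api/thing
    location = /login {
      content_by_lua_block {
        local name = ngx.var.arg_op
        -- Only accept a local, single-slash target so the chooser is not an open redirect.
        local target = ngx.unescape_uri(ngx.var.arg_target or "/")
        if target:sub(1, 1) ~= "/" or target:sub(1, 2) == "//" then target = "/" end
        if not OIDC_OPTS[name] then
          ngx.header["Content-Type"] = "text/html"
          ngx.say("<p>Choose your login:</p>")
          for n, _ in pairs(OIDC_OPTS) do
            ngx.say('<a href="/login?op=' .. n .. '&target=' .. ngx.escape_uri(target) .. '">' .. n .. "</a><br>")
          end
          return
        end
        -- Starts the flow against the chosen OP; target is stored as original_url and
        -- lua-resty-openidc redirects there after the callback. Returns only if a
        -- session already exists, in which case just go to the target.
        local res, err = require("resty.openidc").authenticate(OIDC_OPTS[name], target)
        if err then ngx.log(ngx.ERR, err); return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) end
        return ngx.redirect(target)
      }
    }

    # Per-provider callback: the path tells us which opts to use for the code exchange.
    location ~ ^/redirect_uri/(op1|op2)$ {
      content_by_lua_block {
        local res, err = require("resty.openidc").authenticate(OIDC_OPTS[ngx.var[1]])
        if err then ngx.log(ngx.ERR, err); return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) end
      }
    }

    # Protected path: pick the opts from the "iss" already in the session, else send to the chooser.
    location /api/ {
      access_by_lua_block {
        local session  = require("resty.session").open()
        local id_token = session.data and session.data.id_token
        local name     = id_token and ISSUER_TO_NAME[id_token.iss]
        if not name then
          return ngx.redirect("/login?target=" .. ngx.escape_uri(ngx.var.request_uri))
        end
        -- Session exists: validates/refreshes it with the matching OP's opts; if it has
        -- expired, lua-resty-openidc re-authenticates against that same OP.
        local res, err = require("resty.openidc").authenticate(OIDC_OPTS[name])
        if err or not res then ngx.log(ngx.ERR, err); return ngx.exit(ngx.HTTP_FORBIDDEN) end
        ngx.req.set_header("X-Issuer", res.id_token.iss)
        ngx.req.set_header("X-Subject", res.id_token.sub)
      }
      proxy_pass http://backend;
    }
  }
}
```

Two caveats worth checking in a real deployment: both `client_id`s must be registered at their respective OPs with exactly the per-provider `redirect_uri` shown, and an `iss` value that is not in `ISSUER_TO_NAME` (an old session from a since-removed provider) is deliberately treated as "no session" and sent back to the chooser rather than granted access.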

thanks, will give it a try. close this report if you think so or leave for future as enhancement.

sooslaca avatar Dec 06 '17 20:12 sooslaca

I'll leave it as an enhancement and I'm interested in your results.

zandbelt avatar Dec 07 '17 07:12 zandbelt

Sorry @sooslaca, I don't get what a Multiple Provider feature is about. Does it allow me to have one endpoint (relying party) with more than one OpenID Connect Provider (OP)? If so, how can a user choose which OP to use? Is there a special request parameter, or is the relying party proxied with two different URLs?

I want to be able to have a REST resource that is available at one endpoint. I want to access that endpoint from clients that come from systems of my own department and from systems and users of all other departments. Those that come from my own department should use the department's own Keycloak. The other departments should be able to authenticate against the company's central Keycloak. Would multi-provider support allow me to do this? How about redirect URLs for requests without an access token?

Did you get any results yet?

baztian avatar Aug 20 '18 13:08 baztian

Hi @baztian, best is to check @zandbelt's writeup about the feature here: https://github.com/zmartzone/mod_auth_openidc/wiki/Multiple-Providers

I wasn't able to do this under nginx; Apache works well enough for me.

Maybe we should close this issue.

sooslaca avatar Oct 16 '18 18:10 sooslaca