
OIDC RS cookie & auth header check

Open gitphill opened this issue 5 years ago • 4 comments

Hi, is it possible to run lua-resty-oidc as resource server so that it first authenticates clients presenting a session cookie (issued by another lua-resty-oidc acting as relying party) but if it doesn't find session cookie it falls back to Authorization header? Our scenario is that our resource (a RESTful API) could be accessed by both web apps using session cookies, and by non-browser clients using Authorization headers. Any examples would be greatly appreciated. I think it's a combination of the examples you provide in readme, but I'm not sure.

gitphill avatar May 14 '19 21:05 gitphill

+1 for this; we're in a similar situation where some of the clients accessing our API are doing so via cURL requests using a cookie jar, and some are coming from SPAs with access tokens.

akuma12 avatar May 29 '19 20:05 akuma12

I agree, this is a valid feature request as also implemented in mod_auth_openidc https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications#allowing-both-oauth-20-and-openid-connect

zandbelt avatar May 29 '19 20:05 zandbelt

It would indeed be helpful to have a native authentication function in the module which supports this mixed mode.

For anyone interested in implementing this behavior before then, we have found the following logic works well when authenticating:

    -- `opts` is the lua-resty-openidc options table configured elsewhere (as in the README)
    local ah = ngx.req.get_headers()["Authorization"]
    if ah and string.find(ah, "Bearer ") then
        -- Bearer token present: validate it as a resource server (JWT signature, exp, aud, ...)
        local res, err = require("resty.openidc").bearer_jwt_verify(opts)
        if err or not res then
            ngx.status = 403
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        -- Set headers for the upstream from the verified token claims
        ngx.req.set_header("X-USER", res.name)
        ngx.req.set_header("X-EMAIL", res.email)
        ngx.req.set_header("X-GROUPS", res.groups)
    else
        -- OIDC authentication: no bearer token, so rely on the relying-party session (cookie)
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            ngx.status = 500
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
        -- Set headers for the upstream from the session's id_token claims
        ngx.req.set_header("X-USER", res.id_token.name)
        ngx.req.set_header("X-EMAIL", res.id_token.email)
        ngx.req.set_header("X-GROUPS", res.id_token.groups)
    end

If this approach is deemed acceptable, I can open a PR adding the above snippet as a function into the module at some point

dfresh613 avatar Oct 16 '19 15:10 dfresh613
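The following is an added example, not code from this thread nor from the lua-resty-openidc project, showing the mixed-mode check the original question asks for in the order it describes: a session cookie is tried first and the Authorization header is the fallback. It wraps the same two library calls used above (`authenticate` and `bearer_jwt_verify`) in a reusable `access_by_lua` function. Assumptions: `opts` is the options table configured as in the README; the session cookie uses lua-resty-session's default name `session`, so its presence is read through nginx's `$cookie_session` variable (adjust `SESSION_COOKIE_VAR` if the cookie name is customised); the `X-USER`/`X-EMAIL`/`X-GROUPS` header names follow the snippet above. Two details differ from the snippet on purpose: the bearer check is anchored at the start of the header and case-insensitive on the scheme (RFC 6750), rather than matching `Bearer ` anywhere in the value, and a failed session check returns 401 with `unauth_action = "deny"` so an API path never redirects a non-browser client to the provider.

```lua
-- Added example (hypothetical module; not part of lua-resty-openidc).
local openidc = require("resty.openidc")

-- Assumption: lua-resty-session's default cookie name "session"; nginx exposes
-- a cookie named <name> as the variable $cookie_<name>.
local SESSION_COOKIE_VAR = "cookie_session"

-- Returns the token string if the Authorization header carries exactly one
-- bearer credential: scheme anchored at the start, case-insensitive (RFC 6750).
local function bearer_token(headers)
  local ah = headers["Authorization"]
  -- A duplicated header arrives as a table; treat that as "no usable token".
  if type(ah) ~= "string" then return nil end
  return ah:match("^[Bb][Ee][Aa][Rr][Ee][Rr]%s+(%S+)%s*$")
end

-- Finish the request with the given status; optionally tell API clients how
-- to authenticate.
local function deny(status, www_authenticate)
  if www_authenticate then
    ngx.header["WWW-Authenticate"] = www_authenticate
  end
  ngx.status = status
  ngx.exit(status)
end

-- set_header overwrites any value the client supplied, so upstream only ever
-- sees identity headers that this handler produced.
local function set_identity_headers(name, email, groups)
  ngx.req.set_header("X-USER", name)
  ngx.req.set_header("X-EMAIL", email)
  -- A claim that is a list of groups is joined so the header is one value.
  if type(groups) == "table" then groups = table.concat(groups, ",") end
  ngx.req.set_header("X-GROUPS", groups)
end

local function authenticate_mixed(opts)
  if ngx.var[SESSION_COOKIE_VAR] then
    -- Browser-style client: validate the relying-party session. "deny" makes
    -- authenticate() return an error instead of redirecting to the provider.
    local res, err = openidc.authenticate(opts, nil, "deny")
    if err or not res then
      ngx.log(ngx.WARN, "session authentication failed: ", err)
      return deny(ngx.HTTP_UNAUTHORIZED)
    end
    set_identity_headers(res.id_token.name, res.id_token.email, res.id_token.groups)
    return
  end

  if bearer_token(ngx.req.get_headers()) then
    -- Non-browser client: verify the JWT access token as a resource server.
    local res, err = openidc.bearer_jwt_verify(opts)
    if err or not res then
      ngx.log(ngx.WARN, "bearer token verification failed: ", err)
      return deny(ngx.HTTP_UNAUTHORIZED, 'Bearer realm="api", error="invalid_token"')
    end
    set_identity_headers(res.name, res.email, res.groups)
    return
  end

  -- Neither a session cookie nor a bearer token was presented.
  return deny(ngx.HTTP_UNAUTHORIZED, 'Bearer realm="api"')
end

return { authenticate_mixed = authenticate_mixed }
```

Save it as, for example, `mixed_auth.lua` on the `lua_package_path` and call `require("mixed_auth").authenticate_mixed(opts)` from an `access_by_lua_block` on the API location. A request that carries both a cookie and a bearer token is decided by the cookie, matching the precedence the question asks for; if you would rather let explicit API credentials win, swap the two branches.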

Any update on this?

mssaisandeep avatar May 11 '20 18:05 mssaisandeep