lua-resty-openidc
lua-resty-openidc copied to clipboard
Published
20 hours ago •
zmartzone
zmartzone
How to get the user id when auth by keycloak?
Environment
In my case, a host(192.168.2.8) has the following dockers:
-
resty nginx ("resty_version": "1.19.9.1", "Created": "2021-12-03T12:24:51.007868968Z") -p 8081:80 the nginx.conf looks like: /nc --> require("resty.openidc").authenticate(http://192.168.2.8:8080/auth/realms/nginx...,redirect_uri_path = "/ncc") /ncc --> /ncc/ /ncc/ --> proxy_pass http://192.168.2.8:8086;
-
keycloak(jboss/keycloak:15.0.2) -p 8080:8080
-
nextcloud (rootlogin/nextcloud) -p 8086:80 configured as described in https://eclipsesource.com/blogs/2018/01/11/authenticating-reverse-proxy-with-keycloak/
Expected behaviour
The idea is, when a client access 2.8:8081/nc, nginx call keycloak(2.8:8080) to auth, and if passed, redirect to 2.8:8081/ncc --> /ncc/ --> proxy_pass http://192.168.2.8:8086 (nextcloud);
Actual behaviour
With the following nginx.conf, a client can login to nextcloud, but i can not get its id or somthing else...
BTW, the lines
"ngx.log(ngx.ERR, '**********after auth**********')"
are not executed after user login.
My question is, how can i get the user's id? I need the id to prepare some other containers for the user, such as aria2.
PS: is there any tutorial wikis or books for us newbies?
Minimized example
Configuration and NGINX server log files
Config and logs for the minimized example, possibly provided as attachments. nginx.conf
worker_processes auto;
error_log /config/error.log;
pid /config/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
lua_package_path '/usr/local/openresty/lualib/?.lua;;';
resolver 192.168.2.1;
include /etc/nginx/conf.d/*.conf;
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;
index index.html index.htm;
server {
listen 80 default_server;
#listen [::]:80 default_server;
root /usr/share/nginx/html;
# I disbled caching so the browser won't cache the site.
#expires 0;
#add_header Cache-Control private;
#to get user-id when cross-site accessing.
set $session_cookie_samesite None;
location / {
}
location /nc {
proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
access_by_lua_block {
local opts = {
redirect_uri_path = "/ncc",
discovery = "http://192.168.2.8:8080/auth/realms/nginx/.well-known/openid-configuration",
client_id = "nextcloud",
client_secret = "4906f32d-4968-4f59-a2c5-851b825130db",
redirect_uri_scheme = "http",
logout_path = "/logout",
redirect_after_logout_uri = "http://192.168.2.8:8008/auth/realms/nginx/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fianbull.com",
redirect_after_logout_with_id_token_hint = false,
scope = "openid email profile",
session_contents = {id_token=true, user=true}
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
ngx.log(ngx.ERR, "**********before auth**********")
local res, err = require("resty.openidc").authenticate(opts)
ngx.log(ngx.ERR, "**********after auth**********") **--not executed after login..why?**
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
ngx.req.set_header("X-User", res.id_token.sub)
ngx.log(ngx.ERR, "+++++++access printing...++++++++++++")
ngx.log(ngx.ERR, " remote_user:", tostring(res.user))
ngx.log(ngx.ERR, "+++++++access ++++++++++")
}
proxy_pass http://192.168.2.8:8086;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass_header Authorization;
}
location /ncc {
proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
return 301 $scheme://$http_host/ncc/;
}
location /ncc/ {
proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
rewrite ^/ncc(.*) $1 break;
add_header Front-End-Https on;
access_by_lua_block {
ngx.log(ngx.ERR, "------access ncc begin------")
ngx.log(ngx.ERR, " remote_user:", remote_user)
-- ngx.log(ngx.ERR, " ngx.var.remote_user:", ngx.var.remote_user)
ngx.log(ngx.ERR, "-----------access ncc end------------")
}
proxy_pass http://192.168.2.8:8086;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass_header Authorization;
}
# redirect server error pages to the static page /40x.html
#
error_page 404 /404.html;
location = /40x.html {
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
error.log --not real erros :)
2022/08/04 05:14:13 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:59):15: **********before auth**********, client: 192.168.2.6, server: , request: "GET /nc HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/login HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/login HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/login HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:19 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:19 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:19 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak?state=HA-1VIYWR23G9U67DPF80BE4KLJNOTCQA5MHZXS&session_state=dee119a8-cfe1-4e74-badd-979ad2e09c58&code=7157a183-3062-47d7-bae1-25c539ba6ebc.dee119a8-cfe1-4e74-badd-979ad2e09c58.99279818-475e-4785-b2fb-c42d6620ced7 HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak?state=HA-1VIYWR23G9U67DPF80BE4KLJNOTCQA5MHZXS&session_state=dee119a8-cfe1-4e74-badd-979ad2e09c58&code=7157a183-3062-47d7-bae1-25c539ba6ebc.dee119a8-cfe1-4e74-badd-979ad2e09c58.99279818-475e-4785-b2fb-c42d6620ced7 HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak?state=HA-1VIYWR23G9U67DPF80BE4KLJNOTCQA5MHZXS&session_state=dee119a8-cfe1-4e74-badd-979ad2e09c58&code=7157a183-3062-47d7-bae1-25c539ba6ebc.dee119a8-cfe1-4e74-badd-979ad2e09c58.99279818-475e-4785-b2fb-c42d6620ced7 HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/dashboard/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/dashboard/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/dashboard/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/notifications/img/notifications-new.svg HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/notifications/img/notifications-new.svg HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/notifications/img/notifications-new.svg HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:21 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/recommendations/api/recommendations/always HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:21 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3: remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/recommendations/api/recommendations/always HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:21 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/recommendations/api/recommendations/always HTTP/1.1", host: "192.168.2.8"
thx.
Try this:
ngx.req.set_header("X-User-Email", tostring(res.user["email"]))
ngx.req.set_header("X-User-Username", tostring(res.user["preferred_username"]))
ngx.req.set_header("X-User-Name", tostring(res.user["name"]))
