Update auth.lua to validate KEYCLOAK_CLIENT_SECRET and adjust redirect URI logic.

2025-06-14 08:48:39 +02:00
parent d220cb28f9
commit 564f132d80


@@ -1,17 +1,18 @@
local openidc = require("resty.openidc") local openidc = require("resty.openidc")
-- Determine the correct redirect URI local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
local scheme = ngx.var.scheme if not client_secret then
local host = ngx.var.http_host ngx.log(ngx.ERR, "Missing KEYCLOAK_CLIENT_SECRET env variable")
local request_uri = ngx.var.request_uri ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
local redirect_uri = scheme .. "://" .. host .. request_uri end
local opts = { local opts = {
redirect_uri = redirect_uri, -- ✅ use full URI dynamically redirect_uri_path = "/redirect_uri",
discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration", discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
client_id = "demo-sso", client_id = "demo-sso",
client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET"), client_secret = client_secret,
scope = "openid email profile", scope = "openid email profile",
redirect_uri_scheme = "https",
ssl_verify = "no" ssl_verify = "no"
} }
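Review bot: The new guard on line 13 only rejects a missing variable; an empty KEYCLOAK_CLIENT_SECRET is a non-nil string, which is truthy in Lua, so it passes `if not client_secret then` and is sent to Keycloak as an empty secret — tighten it to `if not client_secret or client_secret == "" then`. Note that `os.getenv` inside OpenResty only sees variables whitelisted with an `env KEYCLOAK_CLIENT_SECRET;` directive in nginx.conf, which is the most likely reason the value comes back nil in the first place and is worth a comment next to the check. Separately, `ssl_verify = "no"` (present on both sides of the hunk) disables certificate verification for the discovery and token-endpoint calls, so the client secret is exchanged over an unverified TLS connection; it should be `"yes"` with `lua_ssl_trusted_certificate` pointed at the issuing CA. `redirect_uri_path` is reported as deprecated by recent lua-resty-openidc versions in favour of an absolute `redirect_uri`, so if the library logs that warning, `redirect_uri = ngx.var.scheme .. "://" .. ngx.var.http_host .. "/redirect_uri"` keeps the fixed path this commit intends without the deprecated key.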
@@ -23,6 +24,6 @@ if err then
ngx.exit(ngx.HTTP_FORBIDDEN) ngx.exit(ngx.HTTP_FORBIDDEN)
end end
-- Optional: Forward useful info to upstream
ngx.req.set_header("X-User", res.user.preferred_username or "") ngx.req.set_header("X-User", res.user.preferred_username or "")
ngx.req.set_header("X-Email", res.user.email or "") ngx.req.set_header("X-Email", res.user.email or "")
ngx.status = 204 -- empty but valid response to avoid ERR_INVALID_RESPONSE
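Review bot: `ngx.req.set_header` on lines 30–31 only changes the request headers of the current request; if this location is the target of an nginx `auth_request` (which the 204 on line 32 and its comment suggest), those headers never reach the protected upstream, because nginx exposes only the subrequest's response headers to the main location via `auth_request_set $user $upstream_http_x_user`. In that setup the values would need to be emitted as response headers, `ngx.header["X-User"] = res.user.preferred_username or ""`, and copied into the proxied request by the main location. `res.user` is also indexed without a guard on line 30; if authenticate returns without a user table this raises a Lua error and a 500 instead of the 403 used for the error branch, so a `res.user or {}` fallback would be safer — presumably the userinfo call always populates it here, verify against the library version in use. The `if err then` branch that this hunk continues begins before line 27, outside the hunk.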