Update auth.lua to validate KEYCLOAK_CLIENT_SECRET and adjust redirect URI logic.

2025-06-14 08:48:39 +02:00
parent d220cb28f9
commit 564f132d80
1 changed files with 9 additions and 8 deletions
--- a/auth.lua
+++ b/auth.lua
@@ -1,17 +1,18 @@
 local openidc = require("resty.openidc")

-- Determine the correct redirect URI
-local scheme = ngx.var.scheme
-local host = ngx.var.http_host
-local request_uri = ngx.var.request_uri
-local redirect_uri = scheme .. "://" .. host .. request_uri
+local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
+if not client_secret then
+  ngx.log(ngx.ERR, "Missing KEYCLOAK_CLIENT_SECRET env variable")
+  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+end

 local opts = {
-  redirect_uri = redirect_uri,  -- ✅ use full URI dynamically
+  redirect_uri_path = "/redirect_uri",
  discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
  client_id = "demo-sso",
-  client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET"),
+  client_secret = client_secret,
  scope = "openid email profile",
+  redirect_uri_scheme = "https",
  ssl_verify = "no"
 }

@@ -23,6 +24,6 @@ if err then
  ngx.exit(ngx.HTTP_FORBIDDEN)
 end

-- Optional: Forward useful info to upstream
 ngx.req.set_header("X-User", res.user.preferred_username or "")
 ngx.req.set_header("X-Email", res.user.email or "")
+ngx.status = 204  -- empty but valid response to avoid ERR_INVALID_RESPONSE