Add OpenID authentication via Keycloak and integrate auth.lua into nginx setup

2025-06-09 10:20:30 +02:00
parent ba7d00c788
commit 7de107ea6e
4 changed files with 51 additions and 4 deletions
--- a/auth.lua
+++ b/auth.lua
@@ -0,0 +1,22 @@
+local openidc = require("resty.openidc")
+
+local opts = {
+  redirect_uri_path = "/redirect_uri",
+  discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
+  client_id = "demo-sso",
+  client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET"),
+  redirect_uri_scheme = "https",
+  scope = "openid email profile"
+}
+
+local res, err = openidc.authenticate(opts)
+
+if err then
+  ngx.status = 403
+  ngx.say("Authentication failed: " .. err)
+  ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- Optional: Forward useful info to upstream
+ngx.req.set_header("X-User", res.user.preferred_username or "")
+ngx.req.set_header("X-Email", res.user.email or "")