Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Auth0 OpenResty OIDC Reverse Proxy
FROM openresty/openresty:alpine-fat
RUN mkdir /var/log/nginx
RUN apk add --no-cache openssl-dev
RUN apk add --no-cache git
RUN apk add --no-cache gcc
RUN luarocks install lua-resty-openidc
RUN luarocks install lua-resty-session
ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]
events {
worker_connections 128;
}
http {
lua_package_path '~/lua/?.lua;;';
resolver 8.8.8.8;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;
server {
listen 8080;
location / {
access_by_lua '
local opts = {
redirect_uri_path = "/redirect_uri",
discovery = "https://<AUTH0_TENANT_DOMAIN>/.well-known/openid-configuration",
token_signing_alg_values_expected = "RS256",
client_id = "<AUTH0_CLIENT_ID>",
client_secret = "<AUTH0_CLIENT_SECRET>",
redirect_after_logout_uri = "https://<AUTH0_TENANT_DOMAIN>/v2/logout?client_id=<AUTH0_CLIENT_ID>&redirectTo=<URL_TO_REDIRECT_AFTER_LOGOUT>",
redirect_after_logout_with_id_token_hint = false
}
-- call bearer_jwt_verify for OAuth 2.0 JWT validation
local res, err = require("resty.openidc").authenticate(opts)
if err or not res then
ngx.status = 403
ngx.say(err and err or "no access_token provided")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
';
proxy_pass <URI>;
}
}
}
@chrisscott

This comment has been minimized.

Copy link
Owner Author

chrisscott commented Oct 28, 2019

See this post for details on using and testing w/Docker.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.