Auth0 OpenResty OIDC Reverse Proxy
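FROM openresty/openresty:alpine-fat

# Log directory for nginx; -p keeps the step idempotent if a later base
# image already ships it.
RUN mkdir -p /var/log/nginx

# git / gcc / openssl-dev are only needed so luarocks can fetch and build the
# rocks below. One layer instead of three keeps the image smaller and makes
# the package set easier to audit.
RUN apk add --no-cache openssl-dev git gcc

# TODO(review): neither rock is version-pinned, so each build may resolve a
# different release (reproducibility and supply-chain risk). Pin both, e.g.
# `luarocks install lua-resty-openidc <PINNED_VERSION>`.
RUN luarocks install lua-resty-openidc \
 && luarocks install lua-resty-session

# Run nginx in the foreground so the container's lifetime tracks the server.
ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]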
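events {
    worker_connections 128;
}

http {
    # NOTE(review): nginx does no shell-style "~" expansion, so this entry is
    # likely a literal "~/lua" path — confirm, or use an absolute path.
    # The trailing ";;" appends OpenResty's default search path, which is
    # where luarocks installs the rocks in the openresty:alpine-fat image.
    lua_package_path '~/lua/?.lua;;';

    # Resolver used by the cosocket HTTP calls lua-resty-openidc makes to the
    # provider (discovery, JWKS, token endpoint). Prefer an internal resolver
    # where one exists; lookups to 8.8.8.8 leave the network unencrypted.
    resolver 8.8.8.8;

    # CA bundle for verifying the provider's TLS certificate. lua-resty-openidc
    # verifies upstream TLS unless opts.ssl_verify is set to "no", so this must
    # point at a current bundle or discovery/token calls fail closed.
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    # cache for discovery metadata documents
    lua_shared_dict discovery 1m;
    # cache for JWKs
    lua_shared_dict jwks 1m;

    server {
        # Plain HTTP listener: the session cookie issued after login is only
        # as protected as the hop in front of this port, so terminate TLS
        # ahead of it in any non-local deployment.
        listen 8080;

        location / {
            # access_by_lua_block is the supported replacement for the
            # string-argument access_by_lua directive and avoids quoting
            # problems inside the embedded Lua.
            access_by_lua_block {
                local opts = {
                    redirect_uri_path = "/redirect_uri",
                    discovery = "https://<AUTH0_TENANT_DOMAIN>/.well-known/openid-configuration",
                    -- Pin the expected signing algorithm so a token signed
                    -- with any other alg is rejected.
                    token_signing_alg_values_expected = "RS256",
                    client_id = "<AUTH0_CLIENT_ID>",
                    -- TODO(review): the client secret is a credential; inject it
                    -- at deploy time (templated config, or nginx `env` plus
                    -- os.getenv) rather than keeping it in the config file.
                    client_secret = "<AUTH0_CLIENT_SECRET>",
                    redirect_after_logout_uri = "https://<AUTH0_TENANT_DOMAIN>/v2/logout?client_id=<AUTH0_CLIENT_ID>&redirectTo=<URL_TO_REDIRECT_AFTER_LOGOUT>",
                    redirect_after_logout_with_id_token_hint = false
                }

                -- authenticate() runs the OIDC authorization-code flow:
                -- unauthenticated browsers are redirected to the provider,
                -- and the returned token is validated (against the discovery
                -- document, JWKS and the expected alg above) before a
                -- session is established. (The previous comment mentioned
                -- bearer_jwt_verify, which is a different entry point.)
                local res, err = require("resty.openidc").authenticate(opts)
                if err or not res then
                    -- Keep the detailed reason server-side: echoing `err` to
                    -- the client discloses token-validation internals.
                    ngx.log(ngx.ERR, "openidc authenticate failed: ", err or "no access_token provided")
                    ngx.status = ngx.HTTP_FORBIDDEN
                    ngx.say("forbidden")
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            }

            proxy_pass <URI>;
        }
    }
}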
See this post for details on using and testing with Docker.