zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0

How to get the user id when auth by keycloak? #444

Open iamfoolberg opened 2 years ago

iamfoolberg commented 2 years ago
Environment

In my case, a host(192.168.2.8) has the following dockers:

  1. resty nginx ("resty_version": "1.19.9.1", "Created": "2021-12-03T12:24:51.007868968Z") -p 8081:80. The nginx.conf looks like:
     /nc   --> require("resty.openidc").authenticate(http://192.168.2.8:8080/auth/realms/nginx..., redirect_uri_path = "/ncc")
     /ncc  --> /ncc/
     /ncc/ --> proxy_pass http://192.168.2.8:8086;

  2. keycloak(jboss/keycloak:15.0.2) -p 8080:8080

  3. nextcloud (rootlogin/nextcloud) -p 8086:80 configured as described in https://eclipsesource.com/blogs/2018/01/11/authenticating-reverse-proxy-with-keycloak/

Expected behaviour

The idea is, when a client access 2.8:8081/nc, nginx call keycloak(2.8:8080) to auth, and if passed, redirect to 2.8:8081/ncc --> /ncc/ --> proxy_pass http://192.168.2.8:8086 (nextcloud);

Actual behaviour

With the following nginx.conf, a client can log in to nextcloud, but I cannot get its id or something else...

BTW, the line
"ngx.log(ngx.ERR, '**********after auth**********')" is not executed after user login.

My question is, how can I get the user's id? I need the id to prepare some other containers for the user, such as aria2.

PS: are there any tutorials, wikis or books for us newbies?

Minimized example
Configuration and NGINX server log files

Config and logs for the minimized example, possibly provided as attachments.

nginx.conf

worker_processes auto;
error_log /config/error.log;
pid /config/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
   lua_package_path '/usr/local/openresty/lualib/?.lua;;';
   resolver 192.168.2.1;
   include /etc/nginx/conf.d/*.conf;
   # cache for discovery metadata documents
   lua_shared_dict discovery 1m;
   # cache for JWKs
   lua_shared_dict jwks 1m;
   index   index.html index.htm;
   server {
       listen       80 default_server;
       #listen       [::]:80 default_server;
       root         /usr/share/nginx/html;
       # I disabled caching so the browser won't cache the site.
       #expires           0;
       #add_header        Cache-Control private;
       #to get user-id when cross-site accessing.
       set $session_cookie_samesite None;
       location / {
       }
       location /nc {
         proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
         access_by_lua_block {
          local opts = {
            redirect_uri_path = "/ncc",
            discovery = "http://192.168.2.8:8080/auth/realms/nginx/.well-known/openid-configuration",
            client_id = "nextcloud",
            client_secret = "4906f32d-4968-4f59-a2c5-851b825130db",
            redirect_uri_scheme = "http",
            logout_path = "/logout",
            redirect_after_logout_uri = "http://192.168.2.8:8008/auth/realms/nginx/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fianbull.com",
            redirect_after_logout_with_id_token_hint = false,
            scope = "openid email profile",
            session_contents = {id_token=true, user=true}
          }
          -- call introspect for OAuth 2.0 Bearer Access Token validation
          ngx.log(ngx.ERR, "**********before auth**********")
          local res, err = require("resty.openidc").authenticate(opts)
          ngx.log(ngx.ERR, "**********after auth**********") -- not executed after login.. why?
          if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
          end
          ngx.req.set_header("X-User", res.id_token.sub)
          ngx.log(ngx.ERR, "+++++++access printing...++++++++++++")
          ngx.log(ngx.ERR, " remote_user:", tostring(res.user))
          ngx.log(ngx.ERR, "+++++++access ++++++++++")
         }

         proxy_pass         http://192.168.2.8:8086;
         proxy_set_header   X-Real-IP        $remote_addr;
         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
         proxy_set_header   Host             $host;
         proxy_pass_header  Authorization;
       }
       location /ncc {
         proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
         return 301 $scheme://$http_host/ncc/;
       }
       location /ncc/ {
         proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
         rewrite ^/ncc(.*) $1 break;
         add_header Front-End-Https on;

         access_by_lua_block {
          ngx.log(ngx.ERR, "------access ncc begin------")
          ngx.log(ngx.ERR, " remote_user:", remote_user)
          -- ngx.log(ngx.ERR, " ngx.var.remote_user:", ngx.var.remote_user)
          ngx.log(ngx.ERR, "-----------access ncc end------------")
         }

         proxy_pass         http://192.168.2.8:8086;
         proxy_set_header   X-Forwarded-Host $http_host;
         proxy_set_header   X-Real-IP        $remote_addr;
         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
         proxy_set_header   Host             $host;
         proxy_pass_header  Authorization;
       }
       # redirect server error pages to the static page /40x.html
       #
       error_page 404 /404.html;
       location = /40x.html {
       }
       # redirect server error pages to the static page /50x.html
       #
       error_page 500 502 503 504 /50x.html;
       location = /50x.html {
       }
   }
}

error.log (not real errors :)

2022/08/04 05:14:13 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:59):15: **********before auth**********, client: 192.168.2.6, server: , request: "GET /nc HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/login HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/login HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:17 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/login HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:19 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:19 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:19 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak?state=HA-1VIYWR23G9U67DPF80BE4KLJNOTCQA5MHZXS&session_state=dee119a8-cfe1-4e74-badd-979ad2e09c58&code=7157a183-3062-47d7-bae1-25c539ba6ebc.dee119a8-cfe1-4e74-badd-979ad2e09c58.99279818-475e-4785-b2fb-c42d6620ced7 HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak?state=HA-1VIYWR23G9U67DPF80BE4KLJNOTCQA5MHZXS&session_state=dee119a8-cfe1-4e74-badd-979ad2e09c58&code=7157a183-3062-47d7-bae1-25c539ba6ebc.dee119a8-cfe1-4e74-badd-979ad2e09c58.99279818-475e-4785-b2fb-c42d6620ced7 HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/sociallogin/custom_oidc/keycloak?state=HA-1VIYWR23G9U67DPF80BE4KLJNOTCQA5MHZXS&session_state=dee119a8-cfe1-4e74-badd-979ad2e09c58&code=7157a183-3062-47d7-bae1-25c539ba6ebc.dee119a8-cfe1-4e74-badd-979ad2e09c58.99279818-475e-4785-b2fb-c42d6620ced7 HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/dashboard/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/dashboard/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/dashboard/ HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/notifications/img/notifications-new.svg HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/notifications/img/notifications-new.svg HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/notifications/img/notifications-new.svg HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:20 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:21 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):2: ------access ncc begin------, client: 192.168.2.6, server: , request: "GET /ncc/apps/recommendations/api/recommendations/always HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:21 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):3:  remote_user:nil, client: 192.168.2.6, server: , request: "GET /ncc/apps/recommendations/api/recommendations/always HTTP/1.1", host: "192.168.2.8"
2022/08/04 05:14:21 [error] 6#6: *1 [lua] access_by_lua(nginx.conf:81):5: -----------access ncc end------------, client: 192.168.2.6, server: , request: "GET /ncc/apps/recommendations/api/recommendations/always HTTP/1.1", host: "192.168.2.8"

thx.

joostdecock commented 1 year ago

Try this:

ngx.req.set_header("X-User-Email", tostring(res.user["email"]))
ngx.req.set_header("X-User-Username", tostring(res.user["preferred_username"]))
ngx.req.set_header("X-User-Name", tostring(res.user["name"]))
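Added example for both the question (reading the user id from the `authenticate()` result) and the answer above (forwarding claims as headers); it is not code from the thread or from the lua-resty-openidc project. Two things it relies on that lua-resty-openidc does: when no session exists, `authenticate()` redirects the browser to the IdP and ends the request, so nothing after the call runs for that request (which is why an "after auth" log line is only seen once a session is established), and the callback at `redirect_uri_path` is handled inside `authenticate()` itself, so that path has to be served by a location that calls it. The upstream address and realm are taken from the question; the client secret and the `/ncc/redirect_uri` path are placeholders. The session cookie is left at its default SameSite value because browsers accept `SameSite=None` only together with `Secure`, which a plain http listener cannot set.

```nginx
# Added example (not from the thread or the lua-resty-openidc project).
# One location both protects the app and receives the OIDC callback,
# and forwards identity to the upstream in headers the client cannot spoof.
location /ncc/ {
    access_by_lua_block {
        local opts = {
            -- Must lie under this location: authenticate() handles the
            -- code callback itself when the request path matches it.
            -- Placeholder path; register the same value in Keycloak.
            redirect_uri_path = "/ncc/redirect_uri",
            discovery = "http://192.168.2.8:8080/auth/realms/nginx/.well-known/openid-configuration",
            client_id = "nextcloud",
            client_secret = "<client secret placeholder>",
            redirect_uri_scheme = "http",
            scope = "openid email profile",
            session_contents = { id_token = true, user = true },
        }

        -- With no session this call redirects to Keycloak and exits;
        -- on later requests with a valid session it returns here.
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        -- Never trust identity headers supplied by the client: clear them
        -- before setting our own, so the upstream only ever sees ours.
        ngx.req.clear_header("X-User")
        ngx.req.clear_header("X-User-Email")
        ngx.req.clear_header("X-User-Username")

        -- The stable user id is the `sub` claim of the ID token; email
        -- and preferred_username come from the userinfo response.
        local claims = res.id_token or {}
        local user = res.user or {}
        if not claims.sub then
            ngx.status = 403
            ngx.say("no subject claim in ID token")
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        ngx.req.set_header("X-User", claims.sub)
        if user.email then
            ngx.req.set_header("X-User-Email", user.email)
        end
        if user.preferred_username then
            ngx.req.set_header("X-User-Username", user.preferred_username)
        end
        ngx.log(ngx.INFO, "authenticated sub=", claims.sub)
    }

    proxy_pass         http://192.168.2.8:8086;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header   Host             $host;
}
```

`X-User` carries `sub` rather than `email` or `preferred_username` because only `sub` is guaranteed by OpenID Connect to be stable and unique within the issuer; the other two are convenient for display but can be changed by the user or the administrator, which matters if the value is used to provision per-user resources such as the aria2 containers mentioned in the question.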