我正在尝试使用 OpenResty NGINX 服务器配置 lua-resty-openidc。对网站使用身份验证。
有谁知道,如果我可以让会话结束或强制客户端刷新令牌?
我通过在身份验证系统 Keycloak 中结束会话进行测试,没有任何反应,用户仍然可以访问,留在网站上,不需要重新身份验证。
access_by_lua '
local opts = {
redirect_uri = "https://domain/redirect_uri",
accept_none_alg = true,
discovery = "https://a.domain/auth/realms/realm/.well-known/openid-configuration",
client_id = "CLIENT",
client_secret = "SEEECREET",
redirect_uri_scheme = "https",
logout_path = "/logout",
redirect_after_logout_uri = "https://a.domain/auth/realms/realm/protocol/openid-connect/logout?redirect_uri=https://www.domain",
redirect_after_logout_with_id_token_hint = false,
session_contents = {id_token=true},
access_token_expires_in = 3600,
renew_access_token_on_expiry = true
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local oidc = require("resty.openidc")
local res, err = oidc.authenticate(opts)
-- deal with err not being nil
if err then
ngx.status = 500
ngx.say(err)
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
if (res.id_token.roles == nil or res.id_token.roles == "") then
ngx.log(ngx.INFO, "No Roles, therefore denied access to " .. res.id_token.preferred_username)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
if not string.find(res.id_token.roles, "searchRole") then
ngx.log(ngx.INFO, "Denied acces to " .. res.id_token.preferred_username)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
';