Advice: serving user info #207

Closed

thomasleplus opened this issue Oct 9, 2018 · 5 comments

Comments

@thomasleplus
Contributor

Hello,

I need some advice to expose the user info of the authenticated user to my client. I would really appreciate guidance on this. Hopefully I missed something obvious.

The first approach that I tried was to invoke the method openidc_call_userinfo_endpoint() but that didn't work because it's private. Lua rookie mistake :)

So then I thought that I could proxy the call to the userinfo endpoint, but then it would be nice if I could get the endpoint's URL from the discovery data. I've noticed the variable opts.discovery.userinfo_endpoint so I thought that I could get its value like this:

location /user_info {
  default_type application/json;
  set $userinfo_endpoint '';
  access_by_lua_block {
    local opts = {
      discovery = 'https://accounts.google.com/.well-known/openid-configuration',
      client_id = 'some_id',
      client_secret = 'some_secret',
    }
    local res, err = require("resty.openidc").authenticate(opts, nil, "pass")
    if not res then
      ngx.status = 401
      ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
    ngx.req.set_header('Authorization', 'Bearer ' .. res.access_token)
    ngx.var.userinfo_endpoint = opts.discovery.userinfo_endpoint
  }
  proxy_pass $userinfo_endpoint;
}

My idea/understanding was that opts.discovery.userinfo_endpoint was set during the call to authenticate() but it is not since the value is nil when I try to assign it to $userinfo_endpoint. Or maybe it is not set because I call this endpoint as an authenticated user so authenticate() does not perform the OIDC flow since the JWTs are not expired?

Any suggestion would be greatly appreciated.

Cheers,

Tom

@thomasleplus
Contributor Author

I forgot to mention that I also considered returning the field id_token from authenticate()'s return value (instead of querying the userinfo endpoint). I like it because it saves a call to the OP, but on the other hand id_token contains some info which I'm not sure is safe to divulge (e.g. aud, jti, nonce...).

@bodewig
Collaborator

bodewig commented Oct 10, 2018

You can call openidc.get_discovery_doc in order to obtain the user-info URI.
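Added example (not from the issue thread or the lua-resty-openidc project) putting the suggestion above into a self-contained /user_info location, and also addressing the follow-up concern about leaking id_token claims: it resolves the userinfo URI via openidc.get_discovery_doc, fetches the claims with the user's own access token, and returns only a whitelist of profile fields. It assumes that get_discovery_doc(opts) replaces the opts.discovery URL string with the parsed discovery table and returns an error string on failure; client_id/client_secret are the placeholders from the issue.

```nginx
location /user_info {
  default_type application/json;
  content_by_lua_block {
    local openidc = require("resty.openidc")
    local http    = require("resty.http")
    local cjson   = require("cjson.safe")
    local opts = {
      discovery     = "https://accounts.google.com/.well-known/openid-configuration",
      client_id     = "some_id",      -- placeholder values, as in the issue
      client_secret = "some_secret",
    }

    -- "deny" answers 401 instead of redirecting a JSON client to the OP.
    local res, err = openidc.authenticate(opts, nil, "deny")
    if not res or not res.access_token then
      ngx.log(ngx.ERR, "authenticate failed: ", err)
      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end

    -- Assumed behaviour of get_discovery_doc: it resolves the discovery URL,
    -- replaces opts.discovery with the parsed table and returns an error string.
    err = openidc.get_discovery_doc(opts)
    local disc = opts.discovery
    if err or type(disc) ~= "table" or not disc.userinfo_endpoint then
      ngx.log(ngx.ERR, "discovery failed: ", err)
      return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end

    -- Call the OP's userinfo endpoint with the user's own access token.
    local httpc = http.new()
    local ures, uerr = httpc:request_uri(disc.userinfo_endpoint, {
      method = "GET",
      headers = { ["Authorization"] = "Bearer " .. res.access_token },
      ssl_verify = true,
    })
    if not ures or ures.status ~= 200 then
      ngx.log(ngx.ERR, "userinfo call failed: ", uerr or ures.status)
      return ngx.exit(ngx.HTTP_BAD_GATEWAY)
    end

    -- Hand the client a whitelist of profile claims only; the raw id_token
    -- (aud, jti, nonce, ...) stays server-side.
    local claims = cjson.decode(ures.body) or {}
    local out = {}
    for _, k in ipairs({ "sub", "name", "email", "picture" }) do out[k] = claims[k] end
    ngx.header["Cache-Control"] = "no-store"
    ngx.say(cjson.encode(out))
  }
}
```

If the claims collected at login time are already in the session (lua-resty-openidc exposes them as res.user), returning a filtered copy of that table instead saves the extra round trip to the OP.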

@zandbelt
Contributor

Making openidc_call_userinfo_endpoint a public method does not seem unreasonable to me either.

@thomasleplus
Contributor Author

Thanks!

@jessecooper

Question on this: I want to make a /user_info endpoint, and I have my access_by_lua in the server block before location. What would be the best way to make a call to openidc_call_userinfo_endpoint? Side note: would it be within scope of this module to just add a /user_info endpoint, like the /logout endpoint is?
