[feature] protecting proxy hosts using lua-resty-openidc

[WirtsLegs]

Would love to see the oidc feature from the nginx proxy manager openidc branch make its way here (or another implementation)

Being able to setup other auth providers like say keycloak without needing a middleware auth proxy would be a a great addition

[WirtsLegs]

so you both talk about different things? or did I misunderstand something? @WirtsLegs you want to protect the proxy host using OIDC? (so instead of the configuration via nginx auth_request)? @alexsalex And you want to log into the NPMplus web GUI using SSO, right?

Yes on my half

Reason being is many auth providers don't support auth request and currently the solution requires deploying a auth proxy as extra middleware which isn't ideal

The branch I mentioned provides this via iirc lua-resty-oidc (branch in question: https://github.com/NginxProxyManager/nginx-proxy-manager/tree/openidc )

[Zoey2936]

You can try to switch to the develop tag and just paste this example in the advanced tab, make sure to edit all variables (marked with {{ var_name }}), to remove not needed lines with are inside an if condition ({% if ... %} {% endif ... %}) and to fill out if conditions, but it could maybe block renewals using http challenge, but anything not tested by me, I just copied this example from the mentioned branch and installed to required lua module in the develop tag:

    access_by_lua_block {
	    local openidc = require("resty.openidc")
        local opts = {
            redirect_uri = "{{- openidc_redirect_uri -}}",
            discovery = "{{- openidc_discovery -}}",
            token_endpoint_auth_method = "{{- openidc_auth_method -}}",
            client_id = "{{- openidc_client_id -}}",
            client_secret = "{{- openidc_client_secret -}}",
            scope = "openid email profile"
        }

        local res, err = openidc.authenticate(opts)

        if err then
            ngx.status = 500
            ngx.say(err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        {% if openidc_restrict_users_enabled == 1 or openidc_restrict_users_enabled == true -%}
        local function contains(table, val)
            for i=1,#table do
                if table[i] == val then 
                    return true
                end
            end
            return false
        end

        local allowed_users = {
            {% for user in openidc_allowed_users %}
                "{{ user }}",
            {% endfor %}
        }

        if not contains(allowed_users, res.id_token.email) then
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        {% endif -%}
        

        ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
        ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
        ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
    }

[Zoey2936]

can you please test if my comment above works?

[WirtsLegs]

can you please test if my comment above works?

Hey sorry, I am not using NPMPlus or NPM right now, I have needed oidc for a while and switched to raw nginx/openresty to accomodate that

The moment either project has native oidc support via the UI then Id likely switch back

That being said when I have some spare time if noone else has tried it I could try spinning up an instance just to test it out and see if it works

[Zoey2936]

Maybe I will add it to the UI in the (far) future, but testing is still welcome by anyone, since a tested advanced config is the base requirement to also get a UI implementation