lua-resty-openidc is a certified OIDC and OAuth library built onto openresty. While openresty is a reverse proxy built on nginx with lua and luaJit embedded, which greatly upgrade nginx’s capability.

lua-resty-openidc is able to authenticate and authorize the client with compliant OP (keycloak in my case). However, I was facing issues with infinite redirects:

location /test {      access_by_lua_block {        local opts = {
discovery = "http://keycloak/...../.well-known/openid-configuration",
redirect_uri_path = "/test",
accept_none_alg = true,
client_id = "xxxx",
client_secret = "xxxxx",
use_nonce = true,
revoke_tokens_on_logout = true,
}
local res, err, url, session = require("resty.openidc").authenticate(opts) if err or not res then
ngx.status = 403
ngx.say(err and err or "no access_token provided")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
}
default_type text/html;
content_by_lua 'ngx.say("<p>hello, world here from test</p>")';
}

for above block, I was expecting the library able to direct the client to keycloak authentication at first time, then subsequently redirect back to the redirect_uri /test, which then see the client is already authenticated, and proceed to the content_by_lua` block.

however, instead, it’s facing a infinite redirect between keycloak and redirect_url: https://github.com/zmartzone/lua-resty-openidc/issues/32#issuecomment-656035986

the final solution is to put the control block (access_by_lua) after location /, then worked out

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store