By: Cage Box user 07 Jun 2020 at 4:17 p.m. CDT

2 Responses
Cage Box gravatar
I'm trying to validate if a user is part of a particular group, then grant access using lua-resty-openidc with OpenResty. Following Chris Blanton's advice here: https://support.gluu.org/maintenance/5605/migration-from-apache-to-nginx-issue-in-configuration-of-lua-resty-openidc/ I added memberOf to the profile scope in OpenID Connect > Scopes > profile. My OpenResty config is set to return openid email profile. Profile scope works fine when I validate with the user's email (res.user.email). I tried doing this in my OpenResty config: ``` local ADMIN_GROUP = '60B7' if res.user.member_of ~= ADMIN_GROUP then ngx.exit(ngx.HTTP_FORBIDDEN) end ``` However, I'm getting HTTP FORBIDDEN even though my user is in the default Gluu Manager Group, which 60B7 is the INUM by default.

By Cage Box user 07 Jun 2020 at 6:21 p.m. CDT

Cage Box gravatar
It turns out res.user.member_of returns the full CN, not just the inum. Also, since res.user.member_of returns a table instead of a string, I ended up creating a for loop to iterate through res.user.member_of to match on **inum=60B7,ou=groups,o=gluu** If it match hit, then I made OpenResty authorize resource.

By Michael Schwartz staff 07 Jun 2020 at 9:09 p.m. CDT

Michael Schwartz gravatar
I don't recommend using the DN of the group in your code. You might want to check out a video I recorded about using RBAC with OAuth.