Validating memberOf with lua-resty-openidc OpenResty

By: Cage Box user 07 Jun 2020 at 4:17 p.m. CDT

2 Responses
Cage Box gravatar
I'm trying to validate if a user is part of a particular group, then grant access using lua-resty-openidc with OpenResty. Following Chris Blanton's advice here: https://support.gluu.org/maintenance/5605/migration-from-apache-to-nginx-issue-in-configuration-of-lua-resty-openidc/ I added memberOf to the profile scope in OpenID Connect > Scopes > profile. My OpenResty config is set to return openid email profile. Profile scope works fine when I validate with the user's email (res.user.email). I tried doing this in my OpenResty config: ``` local ADMIN_GROUP = '60B7' if res.user.member_of ~= ADMIN_GROUP then ngx.exit(ngx.HTTP_FORBIDDEN) end ``` However, I'm getting HTTP FORBIDDEN even though my user is in the default Gluu Manager Group, which 60B7 is the INUM by default.
Gluu 4.0 Ubuntu 20.04
closed

Answers

By Cage Box user 07 Jun 2020 at 6:21 p.m. CDT

Copy
Cage Box gravatar
It turns out res.user.member_of returns the full CN, not just the inum. Also, since res.user.member_of returns a table instead of a string, I ended up creating a for loop to iterate through res.user.member_of to match on **inum=60B7,ou=groups,o=gluu** If it match hit, then I made OpenResty authorize resource.

By Michael Schwartz Account Admin 07 Jun 2020 at 9:09 p.m. CDT

Copy
Michael Schwartz gravatar
I don't recommend using the DN of the group in your code. You might want to check out a video I recorded about using RBAC with OAuth.

Post an answer