NGINX - lua-resty-openidc - unable to access POST API URL

Problem description

I am using OpenResty NGINX configured with lua-resty-openidc.

api.conf

location /api/postsomething {
    limit_except POST {
        deny all;
    }
    error_page 403 = @405; # Convert response from '403 (Forbidden)' to '405 (Method Not Allowed)'
    set $upstream api_dev;
    rewrite ^ /_apipost last;
}

location = /_apipost {
    internal;
    set $api_name "someapi";
    access_by_lua_file /etc/nginx/oauth_authenticate.lua;
    proxy_pass https://$upstream$request_uri;
}

oauth_authenticate.lua

local opts = {
        redirect_uri="https://<ipd>/oauth_callback",
        discovery="https://<idp.ip>/.well-known/openid-configuration",
        client_id="client_id_test",
        client_secret="",
        scope="openid",
        ssl_verify="no"
}
local res, err = require("resty.openidc").authenticate(opts)

if err then
        ngx.status = 500
        ngx.say(err)
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

local jwt = require "resty.jwt"
local jwt_obj = jwt:load_jwt(res.access_token)


-- Parse the access token that was used above and print it to the logs
local cjson = require "cjson"
ngx.log(ngx.DEBUG, "Here is the access token:\n " .. cjson.encode(jwt_obj.payload))


-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-USER", res.id_token.sub)

Now I call my backend API from Postman with the URL below:

POST > https://nginx_ip/api/postsomething

Result:

<!-- template name: form.autopost.template.html -->


<html>

<head>
    <title>Submit Form</title>
</head>

<body onload="javascript:document.forms[0].submit()">
    <noscript>
        <p>
            <strong>Note:</strong> Since your browser does not support JavaScript, you must press the Resume button once
            to proceed.
        </p>
    </noscript>
    <form method="post" action="https://<idp_ip>/idp/SSO.saml2">
        <input type="hidden" name="SAMLRequest" value="ddfdfdfdf3Q+"/>
        <input type="hidden" name="RelayState" value="fdfergerger"/>
        <noscript><input type="submit" value="Resume"/></noscript>
    </form>
</body>

</html>

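How can I use an API (a POST call) that is actually protected by the OIDC Lua module? If I make the same request in a browser, it asks me for user authentication, and the result in the browser is this: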

405 (Method Not Allowed)

Similarly, if I create an HTML page with a form POST to https://nginx_ip/api/postsomething, the result is 405. Why? Please help.

Tags: nginx, lua, openid-connect
