- The client environment uses the standard OpenResty bundle (ver: 1.11.2.3): FTP download address
- Currently only the Hansight unified authentication center is supported: https://oauth.hansight.com
- Integrating with a third-party OAuth authorization server would require some changes to the module (no requirement at present)
- Modify nginx.conf

```nginx
http {
    ...
    # [ADD HERE] add the following to the http block; adjust the values to your environment
    # oauth shared dict
    lua_shared_dict oauth 10m;
    # openresty lua lib
    lua_package_path '/usr/local/openresty/lualib/?.lua;';
    lua_package_cpath '/usr/local/openresty/lualib/?.so;';
    # set dns resolver
    resolver 172.31.38.183;
    # set lua ssl certification
    lua_ssl_verify_depth 2;
    lua_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
    ...
    server {
        # Blahblah...
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_x_forwarded_for;
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
        proxy_set_header Front-End-Https on;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_intercept_errors on;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_pass http://webservice$request_uri;

        # [ADD HERE] apply the lua scripts in the server block
        access_by_lua_block {
            local oauth = require "oauth.oauth_proxy"
            oauth.config.host = "http://kibana.anquanyi.com"
            oauth.config.clientId = "555c3a27-54ba-4da5-b84f-7f634db3711d"
            oauth.config.clientSecret = "3bf22142-db83-4172-8c55-cb54041cf186"
            oauth.authorize()
        }
        header_filter_by_lua_file /usr/local/openresty/lualib/oauth/oauth_success.lua;
    }
}
```
The value for `resolver` can be read from the system configuration (CentOS):

```shell
cat /etc/resolv.conf | grep nameserver
```

The location of the SSL CA bundle for `lua_ssl_trusted_certificate` can be found from curl's verbose output:

```shell
curl -vsk https://oauth.hansight.com
...
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt    <----- Find CAfile here
...
```
- Create an application in the Hansight unified authentication center
- Hansight unified authentication center: if you do not have permission, ask the administrator to add you (yitian_song@hansight.com)
- Modify the configuration file oauth_config.lua

```lua
-- oauth server base url (the Hansight unified authentication center listed above);
-- the snippet references oauthServerUrl, so it must be defined before the table is returned
local oauthServerUrl = "https://oauth.hansight.com"

return {
    -- oauth client host (to make redirect uri)
    host = "http://52.81.79.12",
    -- oauth server authorize endpoint
    userAuthorizationUri = oauthServerUrl .. "/oauth/authorize",
    -- oauth server access token endpoint
    accessTokenUri = oauthServerUrl .. "/oauth/token",
    -- oauth server check token endpoint
    checkTokenUri = oauthServerUrl .. "/oauth/check_token",
    -- oauth client id
    clientId = "42c81db4-0afc-4b8f-8c76-f3b1252e91a7",
    -- oauth client secret
    clientSecret = "cb8539f3-aced-46bf-a44c-ab6e8d8e27c0",
    -- oauth client authorize entry point & redirect uri
    redirectUriEntrypoint = "/login",
    -- oauth client get current user endpoint
    getCurrentUserEndpoint = { "/system/user/current", "_api/current/user" },
    -- oauth client permit url(s), regular-expression supported
    permitUriRegexps = {
        -- important! permit redirect uri to avoid too many redirection error
        "/login",
        -- health check api
        "/healthz",
        -- static resource
        ".*\\..*"
    }
}
```
- The values that usually need changing are `host`, `clientId` and `clientSecret`; add entries to `permitUriRegexps` as your deployment requires.
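The following is an added example, not code from the oauth_proxy module or from this page, that models how a permit list like `permitUriRegexps` decides whether a request is passed through without authentication. It assumes the module evaluates the entries as PCRE-style regular expressions with an unanchored search (the page only says regular expressions are supported), and uses Python's `re` to reproduce that semantics. It shows two things a reviewer of this config should check: why the `/login` entry point must be permitted (otherwise the callback from the authorization server is itself redirected back to the authorization server, the "too many redirection" situation the config comment warns about), and how broad the `".*\\..*"` "static resource" entry is, since any path containing a dot, such as `/system/user/current.json`, bypasses the check. An anchored, extension-limited alternative is included for comparison.

```python
"""Model of an OAuth reverse-proxy permit-list check (added example; the
real oauth_proxy module's matching is assumed to be unanchored PCRE search)."""
import re
from typing import Iterable, List

# Copy of the permitUriRegexps from the page's oauth_config.lua (Lua string
# escaping removed: ".*\\..*" in Lua is the regex .*\..* ).
PAGE_PERMIT_REGEXPS = [
    "/login",      # redirect URI entry point
    "/healthz",    # health check api
    r".*\..*",     # "static resource": matches any path that contains a dot
]

# Constructed hardened list: anchored, and static files limited to a prefix
# and a fixed set of extensions.
HARDENED_PERMIT_REGEXPS = [
    r"^/login$",
    r"^/healthz$",
    r"^/(static|assets)/.*\.(css|js|png|ico|woff2?)$",
]


def is_permitted(uri: str, regexps: Iterable[str]) -> bool:
    """True when any permit regex matches the request path.

    The query string is stripped first; the match is an unanchored search,
    mirroring the assumed ngx.re behaviour of the module."""
    path = uri.split("?", 1)[0]
    return any(re.search(rx, path) for rx in regexps)


def decide(uri: str, authenticated: bool, regexps: Iterable[str]) -> str:
    """'pass' when the request would reach the upstream, 'redirect' when the
    proxy would send the browser to the authorize endpoint."""
    if authenticated or is_permitted(uri, regexps):
        return "pass"
    return "redirect"


def redirect_loop(regexps: Iterable[str], entrypoint: str = "/login") -> bool:
    """Models the 'too many redirection' warning: the authorization server
    sends an unauthenticated browser back to the entry point with a code; if
    that path is not permitted, the proxy redirects to the server again."""
    callback = entrypoint + "?code=CONSTRUCTED_CODE&state=CONSTRUCTED_STATE"
    return decide(callback, authenticated=False, regexps=regexps) == "redirect"


def unauthenticated_passthrough(regexps: Iterable[str], probes: Iterable[str]) -> List[str]:
    """Return the probe paths that an unauthenticated client could reach."""
    return [p for p in probes if is_permitted(p, regexps)]


# Constructed request paths, including the page's own current-user endpoint.
PROBES = [
    "/system/user/current",        # API from getCurrentUserEndpoint
    "/system/user/current.json",   # same API with a dot in the path
    "/api/v1.0/users",             # version segment contains a dot
    "/app/login_failed",           # substring match on unanchored "/login"
    "/static/app.js",              # a genuine static asset
]

if __name__ == "__main__":
    print("page list, reachable without auth:",
          unauthenticated_passthrough(PAGE_PERMIT_REGEXPS, PROBES))
    print("hardened list, reachable without auth:",
          unauthenticated_passthrough(HARDENED_PERMIT_REGEXPS, PROBES))
    print("loop if /login is not permitted:",
          redirect_loop(["/healthz", r".*\..*"]))
```

Run as a script it lists which probe paths each permit list lets through unauthenticated; with the page's list every path containing a dot is reachable, with the anchored list only `/static/app.js` is.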