Feature unauth_action "deny" #271

Closed
nmaniwa opened this issue Jun 8, 2019 · 3 comments

nmaniwa commented Jun 8, 2019

Environment

  • lua-resty-openidc version: 1.7.0
  • OpenID Connect provider: Keycloak

Expected behaviour

I'd like to use an option unauth_action "deny". If I specify the option, lua-resty-openidc will return an error instead of redirecting to the OP Authorization endpoint.

Actual behaviour

lua-resty-openidc supports the unauth_action option. The option was implemented based on #53 (#54) to support the "check authentication only" feature. According to the comment on the ticket, the unauth_action option is similar to an option in mod_auth_openidc (OIDCUnAuthAction pass), but does not support option values such as "401" or "410". If the unauth_action option could also support the other option values (401, 410), it would be really helpful for me.

Minimized example

I think the feature would be able to be implemented like the following. In this example, lua-resty-openidc just returns an error for the case, then the caller will determine the status code (401 or 410) for their case.

---
 lib/resty/openidc.lua | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
index 918434d..4b86f1e 100644
--- a/lib/resty/openidc.lua
+++ b/lib/resty/openidc.lua
@@ -1429,6 +1429,14 @@ function openidc.authenticate(opts, target_url, unauth_action, session_opts)
     if unauth_action == "pass" then
       return
       nil,
       err,
       target_url,
       session
     end
+    if unauth_action == "deny" then
+      err = "unauthorized request"
+      return
+      nil,
+      err,
+      target_url,
+      session
+    end
 
     err = ensure_config(opts)
     if err then
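Review bot: The new unauth_action == "deny" branch reports the denial only through the free-form string "unauthorized request", so a caller that wants to answer 401 or 410 has to compare error text to tell this case apart from every other error authenticate can return. Document that string as part of the API, or expose it as a named constant, so callers do not depend on wording that may change. The diffstat shows only lib/resty/openidc.lua, so a test and a documentation entry for the new value should accompany the change. The four-value return list is also a copy of the one in the "pass" branch directly above; the two branches could share it.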
-- 
Configuration and NGINX server log files

We can use the option like this.

local res, err = require("resty.openidc").authenticate(opts, nil, "deny")
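
How a caller might act on the "deny" result described in this request, as an added example that is not code from the issue or from lua-resty-openidc. It is written as the body of an access_by_lua_block; the opts values, the Accept / X-Requested-With heuristic and the X-User header are assumptions made for illustration, and the error string is the one set in the patch above.

```lua
-- Added example: body of an access_by_lua_block in OpenResty.
-- All opts values below are placeholders, not values from the issue.
local openidc = require("resty.openidc")

local opts = {
  redirect_uri  = "/redirect_uri",
  discovery     = "https://op.example.com/.well-known/openid-configuration",
  client_id     = "CLIENT_ID",
  client_secret = "CLIENT_SECRET",
}

-- Assumption: XHR/API clients cannot follow a login redirect, so they are
-- denied; ordinary browser navigations keep the default redirect to the OP.
local function wants_deny()
  local accept = ngx.var.http_accept or ""
  return ngx.var.http_x_requested_with == "XMLHttpRequest"
      or accept:find("application/json", 1, true) ~= nil
end

local unauth_action = wants_deny() and "deny" or nil
local res, err = openidc.authenticate(opts, nil, unauth_action)

if err then
  -- "unauthorized request" is the string the patch assigns for "deny".
  if unauth_action == "deny" and err == "unauthorized request" then
    ngx.header["Cache-Control"] = "no-store"
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)       -- caller picks 401 here
  end
  -- Any other failure: log it and fail closed, never fall through.
  ngx.log(ngx.ERR, "openidc.authenticate failed: ", err)
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Defensive: no error but also no session data means no access.
if not res or not res.id_token then
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Authenticated: pass the subject to the upstream (header name is hypothetical).
ngx.req.set_header("X-User", res.id_token.sub)
```

Because "deny" only returns an error and does not end the request itself, every path where err is set has to call ngx.exit, otherwise the unauthenticated request reaches the upstream.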

zandbelt (Contributor) commented Jul 5, 2019

I would agree, that's a simple clean addition.

bodewig closed this as completed in 0f05ec7 Jul 9, 2019
bodewig added a commit that referenced this issue Jul 9, 2019

bodewig (Collaborator) commented Jul 9, 2019

I've added the snippet and a test and even managed to adjust the docs on my second attempt :-)

Many thanks @nmaniwa

nmaniwa (Author) commented Jul 9, 2019

Thank you very much!
