'check session only' or 'guest user' feature

[dholth]

Let me know if you are familiar with this mode of operation.

I have an application that expects REMOTE_USER from the web server. It checks the REMOTE_USER against permissions on individual pages within the application. If a page is private, the application returns 401 or 403 depending on whether REMOTE_USER is set. The web server converts 401 to a redirect to the login page.

In other words, the bulk of the application would pass a flag to openidc.authenticate() to skip the openidc_authorize() call. Instead of doing a redirect, openidc.authenticate() would return 'user not logged in': https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L635

The location for the login page would of course continue to do the redirect when the user was not logged in.

[dholth]

Configuration winds up looking like this. oidc_check skips openidc_authorize, returning nil and not setting REMOTE_USER if the user is not logged in. oidc_do works as lua-resty-openidc does today. Only when the application says 401 Unauthorized does the login page show. ngx.say('Unauthorized') only executes if the application incorrectly returns 401 instead of 403 for a logged-in but forbidden user.

    set $oidc_user "<not logged in>"; # or the empty string

    location / {
        access_by_lua_file 'oidc_check.lua';

        include uwsgi_params;
        uwsgi_param REMOTE_USER $oidc_user;
        uwsgi_modifier1 30;
        uwsgi_pass 127.0.0.1:4444;
        uwsgi_intercept_errors  on;

        error_page 401 = @login;
    }

    location @login {
        access_by_lua_file 'oidc_do.lua';
        content_by_lua_block {
          ngx.header.content_type = "text/plain; encoding=utf-8"
          ngx.say('Unauthorized');
        }
    }

[dholth]

diff -r 19ab53e1ef2d lua/lua-resty-openidc/lib/resty/openidc.lua
--- a/lua/lua-resty-openidc/lib/resty/openidc.lua	Wed May 17 17:06:22 2017 +0000
+++ b/lua/lua-resty-openidc/lib/resty/openidc.lua	Wed May 17 19:33:32 2017 +0000
@@ -589,7 +589,7 @@
 end
 
 -- main routine for OpenID Connect user authentication
-function openidc.authenticate(opts, target_url)
+function openidc.authenticate(opts, target_url, allow_nil_user)
 
   local err
 
@@ -632,6 +632,13 @@
 
   -- if we have no id_token then redirect to the OP for authentication
   if not session.present or not session.data.id_token then
+    if allow_nil_user then
+      return
+        nil,
+        err,
+        target_url,
+        session
+    end
     return openidc_authorize(opts, session, target_url), session
   end

[zandbelt]

Yes, that's a useful feature that some call "lazy sessions" also implemented in mod_auth_openidc with OIDCUnAuthAction pass. I would be fine merging a PR but I'd prefer to call the option "check_session_only" (or even "unauth_action" to stay in line with mod_auth_openidc).

[dholth]

See #54