On Wednesday, June 27, 2018 at 6:44:29 PM UTC-4, Jim Burnes wrote:
> Would it be easy enough to just tweak the OIDC plugin to redirect IDs like 'local/joeuser' and '<domain>/joeuser' to the requisite OpenResty plugins and then change those plugins slightly to assert the same userinfo headers to the upstream services?
Last I checked, there were a few OIDC implementations for OpenResty. Many OpenResty packages, including the top OIDC search result I looked at, tend to be written with two types of functionality:
* library methods
* (typically short) logic flows for the nginx/OpenResty hooks
Instead of forking a plugin, many people will just write a custom hook that reimplements the packaged hook slightly differently.
> I'm an application security engineer, so even though I'm a software engineer I don't program the API authentication. I just help the devs pick compliant security solutions and try to enforce compliance.
I switched from nginx to OpenResty a few years ago just to get dynamic SSL certificate functionality (query a backend for the certificate matching the SNI). It took me a few hours to learn enough Lua and OpenResty to prototype a v1, and under a day to finalize it with a multi-tiered cache. The point: it's really fast to prototype a proof-of-concept.
If I were in your position, I'd ask the app devs to do a quick 2-3hr prototype on how they envision the integration in each platform, then take a look at the implementation/libraries for glaring errors.
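
The custom-hook approach discussed in this thread, as an added example that is not part of the original post or of any OIDC package: a small access-phase flow that splits a `realm/user` ID, dispatches to a per-realm authenticator, and asserts one header contract upstream. The header names, the authenticator functions and the sample credentials are hypothetical; the logic takes `set_header` as a parameter so it also runs under plain Lua.

```lua
-- Added example. Header names, realms and authenticators are hypothetical.
local M = {}
local ID_HEADERS = { "X-Userinfo-Sub", "X-Userinfo-Realm" }

-- Split "realm/user"; anything else is rejected before it reaches a backend.
function M.parse_login_id(id)
  if type(id) ~= "string" then return nil, "missing id" end
  local realm, user = id:match("^([%w%.%-]+)/([%w%._%-]+)$")
  if not realm then return nil, "malformed id" end
  return realm:lower(), user
end

-- auth: { ["local"] = fn(user, cred), domain = fn(user, cred, realm) }, each
--       returning a subject string on success or nil on failure.
-- set_header(name, value): in OpenResty this would be ngx.req.set_header,
--       where a nil value removes the header.
-- Returns the HTTP status the hook should act on (200 = pass upstream).
function M.access(login_id, cred, auth, set_header)
  -- Drop identity headers sent by the client, so upstream services only
  -- ever see values asserted by this hook.
  for _, h in ipairs(ID_HEADERS) do set_header(h, nil) end
  local realm, user = M.parse_login_id(login_id)
  if not realm then return 400 end
  local sub
  if realm == "local" then
    sub = auth["local"](user, cred)
  else
    sub = auth.domain(user, cred, realm)
  end
  if not sub then return 401 end
  -- Same header contract regardless of which backend authenticated the user.
  set_header("X-Userinfo-Sub", sub)
  set_header("X-Userinfo-Realm", realm)
  return 200
end

-- Constructed demo: stub authenticators, and a table standing in for the request.
local headers = { ["X-Userinfo-Sub"] = "admin" }    -- spoofed by the client
local function set_header(k, v) headers[k] = v end
local auth = {
  ["local"] = function(u, c) return c == "pw1" and ("local:" .. u) or nil end,
  domain = function(u, c, r) return c == "pw2" and (r .. ":" .. u) or nil end,
}
assert(M.access("local/joeuser", "bad", auth, set_header) == 401)
assert(headers["X-Userinfo-Sub"] == nil)             -- spoofed value is gone
assert(M.access("corp.example/joeuser", "pw2", auth, set_header) == 200)
assert(headers["X-Userinfo-Sub"] == "corp.example:joeuser")
assert(M.access("../etc/passwd", "pw1", auth, set_header) == 400)
return M
```

When reviewing a prototype of this kind, the two things to look for are the header clearing on every path, including failures, and the strict ID parsing before any backend is called.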