WAYF server-side (Lua)
The YAML below is an example configuration for an IBM® Application Gateway (IAG) container which:
- Uses two OIDC identity providers.
- Redirects unauthenticated clients to a WAYF ("where are you from") endpoint, which has a Lua HTTP transformation rule attached.
- Uses that Lua transformation rule to decide which provider each client is sent to.
Example YAML
version: "26.06.0"

identity:
  #
  # We configure two OIDC identity providers, named "primary" and "secondary".
  #
  oidc:
    - name: primary
      discovery_endpoint: https://primary.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration
      client_id: cea1e673-918e-42ce-b59f-3dda344def66
      client_secret: EkQvEb3BBTufGZqA44zkUu9s
    - name: secondary
      discovery_endpoint: https://secondary.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration
      client_id: 4b987537-cd3f-487b-b852-10a5bb083385
      client_secret: UbgG4HKwuJiaWBxXUnciMnbt
  #
  # When clients are challenged to authenticate, we want to send them to
  # /wayf. This is an endpoint with a Lua HTTP transformation rule attached
  # which will decide which OIDC provider the client is sent to.
  #
  auth_challenge_redirect:
    url: /wayf

policies:
  #
  # Ensure our WAYF endpoint is accessible to unauthenticated clients.
  #
  authorization:
    - name: unauthenticated
      methods:
        - GET
      paths:
        - /wayf*
      rule: anyuser
      action: permit
  #
  # Attach our WAYF rule.
  #
  http_transformations:
    postazn:
      - name: wayf_endpoint
        paths:
          - /wayf*
        method: "*"
        rule: |
          provider_name = "primary"
          --[[
          In this example, we are doing a very simple string comparison on
          the client IP address to work out if we want to redirect the
          client to the "primary" or "secondary" provider.
          ]]--
          -- The fourth argument (plain = true) makes this a literal match, so
          -- the dots in "172.17." are not treated as Lua pattern wildcards.
          -- Requiring pos == 1 turns the match into a prefix test.
          pos, len = string.find(Client.getIPAddress(), "172.17.", 1, true)
          if pos == 1 then
            provider_name = "secondary"
          end
          -- Hand the client to the chosen provider via the /pkmsoidc endpoint
          -- and tell IAG that this rule has generated the response itself.
          HTTPResponse.setStatusCode(302)
          HTTPResponse.setHeader("location", "/pkmsoidc?iss=" .. provider_name)
          Control.responseGenerated(true)
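A string-prefix comparison on the client address is only a stand-in for a network check: "172.17." also matches "172.170.0.1", and it cannot express a /20 or a list of ranges. The rule below is an added example, not part of the IBM documentation or the IAG product, showing the same WAYF decision made on proper CIDR ranges. It calls only the IAG Lua functions already used on this page (Client.getIPAddress, HTTPResponse.setStatusCode, HTTPResponse.setHeader, Control.responseGenerated) plus the standard Lua string library, which the original rule also relies on; the routes table and its networks are hypothetical values chosen for illustration. It can be dropped in as the `rule:` body of the `wayf_endpoint` transformation above.

```lua
-- Added example (not IBM's code): route the WAYF redirect by CIDR range.
-- Uses only the IAG Lua API calls that appear in the original rule.

-- Hypothetical routing table: matched in order, first hit wins.
-- Clients that match no entry go to default_provider.
local routes = {
  { cidr = "172.17.0.0/16", provider = "secondary" },
  { cidr = "10.0.0.0/8",    provider = "secondary" },
}
local default_provider = "primary"

-- Parse a dotted-quad IPv4 string into a 32-bit number.
-- Returns nil for anything that is not a valid IPv4 address (for example an
-- IPv6 client), so such clients fall through to the default provider.
local function ipv4_to_int(s)
  local a, b, c, d = string.match(s, "^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then
    return nil
  end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then
    return nil
  end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- True if ip (dotted quad) lies inside cidr ("a.b.c.d/n").
-- Malformed input on either side yields false, never an error.
local function in_cidr(ip, cidr)
  local net, bits = string.match(cidr, "^([%d%.]+)/(%d+)$")
  if not net then
    return false
  end
  bits = tonumber(bits)
  local ip_n, net_n = ipv4_to_int(ip), ipv4_to_int(net)
  if not ip_n or not net_n or bits > 32 then
    return false
  end
  -- Size of the address block covered by the prefix. Dropping the remainder
  -- modulo this size leaves the network portion of each address, which
  -- avoids bitwise operators and so works on Lua 5.1 through 5.4.
  local block = 2 ^ (32 - bits)
  return (ip_n - ip_n % block) == (net_n - net_n % block)
end

-- Decide the provider for this client.
local client_ip = Client.getIPAddress() or ""
local provider_name = default_provider
for _, route in ipairs(routes) do
  if in_cidr(client_ip, route.cidr) then
    provider_name = route.provider
    break
  end
end

-- Same hand-off as the original rule: redirect to /pkmsoidc for the chosen
-- provider and tell IAG that this rule has generated the response.
HTTPResponse.setStatusCode(302)
HTTPResponse.setHeader("location", "/pkmsoidc?iss=" .. provider_name)
Control.responseGenerated(true)
```

Two caveats apply to any IP-based WAYF decision, this one included. Client.getIPAddress() reports the address of the TCP peer that connected to the gateway; if a load balancer or reverse proxy sits in front of IAG, every client will appear to come from that device's address and the routing collapses to the default provider, so the address the rule sees must be verified in the target deployment before relying on it. And because the client chooses which provider is named in `iss`, the redirect only selects where authentication happens; the OIDC provider still has to authenticate the user, so a client on the "wrong" network gains nothing beyond a different login page.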