# "user" is left at the build-time default; set it explicitly if worker
# processes must run as a dedicated low-privilege account.
#user nobody;
worker_processes 1;
# Token rejections raised by the Lua access handler (ngx.log) land in this
# log, so it will contain the reasons bearer tokens were refused.
error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# Lua packages installed at the nginx directory inside OpenResty ($prefix is
# the nginx installation prefix); lua-resty-openidc and its dependencies are
# expected under resty_modules/lualib.
lua_package_path "$prefix/resty_modules/lualib/?.lua;;";
lua_package_cpath "$prefix/resty_modules/lualib/?.so;;";
# Resolver used by the Lua cosocket HTTP calls (e.g. token introspection).
# This is Google's public resolver over plain UDP; prefer a local/internal
# resolver so lookups for the token endpoint do not leave the host unprotected.
resolver 8.8.8.8;
# CA bundle used to verify TLS when the Lua code calls out over HTTPS
# (introspection endpoint / discovery). Do not undo it with ssl_verify = "no".
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# Shared memory used by resty.openidc to cache introspection results.
# NOTE(review): bearer_jwt_verify() appears to use a separate dict
# ("jwt_verification" in current releases) rather than this one; confirm
# which dicts the installed library version expects.
lua_shared_dict introspection 10m;
server {
# Plain HTTP listener: bearer tokens arrive in cleartext unless TLS is
# terminated in front of this server. Serve over TLS or restrict the listener
# to a trusted network.
listen 8080;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
# Unauthenticated static content; only /api below is token-protected.
location / {
root html;
index index.html index.htm;
}
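# Token-protected API. The Lua access handler runs in the access phase, so a
# request only reaches proxy_pass after the bearer token verifies and the
# scope / client_id checks pass; every failure path exits with 403.
#   - a token without a "scope" claim fails closed (403) instead of raising a
#     Lua error (HTTP 500),
#   - "scope" as a space-delimited string (RFC 6749 / RFC 9068) is accepted as
#     well as a JSON array, and the scope may appear at any position,
#   - the verification error is logged, not echoed to the caller.
#
# NOTE: the string form of access_by_lua is the legacy syntax; current
# lua-nginx-module releases prefer access_by_lua_block { ... }. Kept so the
# embedded code stays a plain single-quoted string (no single quotes inside).
location /api {
    access_by_lua '
        -- Fill in before deployment; every request is refused until both match.
        local REQUIRED_SCOPE = "<scope name>"
        local REQUIRED_CLIENT_ID = "<client id>"

        local opts = {
            -- PEM certificate / public key of the token issuer, used to verify
            -- the JWT signature. Keep it the issuer public key: a shared secret
            -- that clients also hold lets those clients mint their own tokens.
            secret = [[-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----]],
            -- Pin the accepted signature algorithm so a token that announces a
            -- different "alg" in its header is rejected rather than verified
            -- with whatever the sender chose. Adjust to the issuer algorithm.
            -- NOTE(review): option name taken from the lua-resty-openidc
            -- README; confirm the installed library version honours it.
            token_signing_alg_values_expected = { "RS256" },
            -- For validating bearer access token against pingfed server
            -- (opaque tokens via introspect() below):
            -- introspection_endpoint="",
            -- client_id="test123",
            -- Never enable in production: turns off TLS verification of the
            -- introspection endpoint, so an on-path attacker can answer for it.
            -- ssl_verify = "no",
        }

        -- OAuth 2.0 JWT validation: signature plus whatever claim checks the
        -- library performs. NOTE(review): confirm the installed version
        -- validates exp/iat, and set iss/aud expectations if it supports them.
        local res, err = require("resty.openidc").bearer_jwt_verify(opts)
        -- Alternative for opaque tokens (needs the introspection_* options
        -- above and the "introspection" shared dict):
        -- local res, err = require("resty.openidc").introspect(opts)
        if err or not res then
            -- Keep the reason server-side; the caller learns only that it was
            -- refused. (RFC 6750 would answer 401 + WWW-Authenticate here;
            -- 403 is kept for compatibility with existing callers.)
            ngx.log(ngx.ERR, "bearer token rejected: ", err or "no access_token provided")
            ngx.status = ngx.HTTP_FORBIDDEN
            ngx.say("forbidden")
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        -- res is the decoded JWT payload. "scope" is a space-delimited string
        -- per RFC 6749 / RFC 9068, but some issuers emit a JSON array; build a
        -- set from either form. An absent claim or unexpected type leaves the
        -- set empty, so the check fails closed instead of raising a Lua error.
        local granted = {}
        if type(res.scope) == "string" then
            for s in res.scope:gmatch("%S+") do granted[s] = true end
        elseif type(res.scope) == "table" then
            for _, s in ipairs(res.scope) do granted[tostring(s)] = true end
        end
        if not granted[REQUIRED_SCOPE] then
            ngx.log(ngx.ERR, "required scope not found: ", REQUIRED_SCOPE)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        -- Bind the token to the expected OAuth client as well as the scope.
        if res.client_id ~= REQUIRED_CLIENT_ID then
            ngx.log(ngx.ERR, "unexpected client_id: ", tostring(res.client_id))
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    ';

    # Only a URI that ends in exactly "/api" is rewritten to "/"; deeper paths
    # such as /api/foo are forwarded to the upstream unchanged.
    rewrite /api$ / break;
    # Placeholder: must carry a scheme, e.g. http://10.0.0.5:8000. The incoming
    # Authorization header is forwarded to the upstream by default; add
    # proxy_set_header Authorization ""; here if the backend must not see it.
    proxy_pass <IP address>;
}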
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
# (an uncaught Lua runtime error inside the access handler also surfaces
# here as a 500)
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# Stock nginx.conf sample stanzas below; all commented out and unused here.
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
}