Currently I got it to work and I get the correct user when logging in.
I copied the code from the previous post. I took the current master branch code for sunstone-server.rb from L567 to the end of the block and replaced it with the one that comes from the bullseye repo.
In my reverse proxy that does the authentication, the headers are set as follows:
-- Ansible managed
-- Set logging to INFO
local openidc = require("resty.openidc")
openidc.set_logging(nil, { DEBUG = ngx.INFO })

local opts = {
  redirect_uri = "REDACTED/redirect_uri",
  discovery = "REDACTED/.well-known/openid-configuration",
  client_id = "REDACTED",
  client_secret = "REDACTED",
  introspection_endpoint_auth_method = "client_secret_basic",
  redirect_uri_scheme = "https",
  logout_path = "/logout",
  redirect_after_logout_uri = "REDACTED",
  redirect_after_logout_with_id_token_hint = true,
  renew_access_token_on_expiry = true,
  revoke_tokens_on_logout = true,
  session_contents = { id_token = true }
}

-- call authenticate for OpenID Connect login / OAuth 2.0 Bearer Access Token validation
local res, err = openidc.authenticate(opts)
if err then
  ngx.status = 403
  ngx.say(err)
  ngx.log(ngx.ERR, err)
  ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- overwrite any client-supplied values with the identity from the validated id_token
ngx.req.set_header("X-AUTH-USERNAME", res.id_token.preferred_username)
ngx.req.set_header("Authorization", "Basic " .. res.id_token.preferred_username)
ngx.req.set_header("X-USER", res.id_token.sub)
The most important parts are the X-AUTH-USERNAME header for the REMOTE authentication method and the Authorization “Basic” header for the Ruby code that does the matching on http_authorization.
I also have webauthn_avail = false as previously mentioned.
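As an added illustration (not Sunstone's code and not from the post above), here is how a Ruby backend sitting behind that proxy could read the two headers and refuse a request whose X-AUTH-USERNAME and Authorization identities disagree. It assumes a Rack-style env hash and accepts both the proxy's raw-username "Basic <username>" form shown above and the standard base64 "user:pass" form; the helper names are hypothetical.

```ruby
require 'base64'

# Extracts the user name from an Authorization header. The proxy above sends
# "Basic <preferred_username>" (raw, not base64), while a standard client
# sends "Basic base64(user:pass)"; both are handled. Returns nil if unusable.
def user_from_authorization(header)
  return nil if header.nil?
  scheme, value = header.strip.split(/\s+/, 2)
  return nil unless scheme == 'Basic' && value && !value.empty?
  begin
    decoded = Base64.strict_decode64(value)
    user, _pass = decoded.split(':', 2)
    return user if decoded.include?(':') && user && !user.empty?
  rescue ArgumentError
    # not valid base64: fall through and treat the value as the raw user name
  end
  value
end

# Returns the authenticated user only when both proxy-set headers name the
# same account. A missing header or a mismatch is treated as unauthenticated,
# so a request that reached the app with inconsistent headers is rejected.
def proxy_authenticated_user(env)
  remote = env['HTTP_X_AUTH_USERNAME']
  basic  = user_from_authorization(env['HTTP_AUTHORIZATION'])
  return nil if remote.nil? || remote.empty? || basic.nil?
  remote == basic ? remote : nil
end

# Constructed sample requests, as Rack would present the headers.
if __FILE__ == $PROGRAM_NAME
  ok = { 'HTTP_X_AUTH_USERNAME' => 'alice', 'HTTP_AUTHORIZATION' => 'Basic alice' }
  bad = { 'HTTP_X_AUTH_USERNAME' => 'alice', 'HTTP_AUTHORIZATION' => 'Basic mallory' }
  puts "ok  -> #{proxy_authenticated_user(ok).inspect}"
  puts "bad -> #{proxy_authenticated_user(bad).inspect}"
end
```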