This is a full example for running oauth2-proxy behind nginx as a reverse proxy, using the `auth_request` directive in combination with a required role to match a location.
See oauth2-proxy/oauth2-proxy#1614 for discussion.

Suppose we have location (A) that should allow access only to users having role roleA:
```nginx
location ^~ /roleAOnly/ {
    auth_request /oauth2/auth/rolea;
    error_page 401 = /oauth2/sign_in;
    auth_request_set $user $upstream_http_x_auth_request_user;
    proxy_pass http://guacamole-guacamole:8080;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
}
```
(Remark) `auth_request` does not accept query parameters, thus we are cloaking the role roleA as part of the URL.

Here is the customized `oauth2/auth` location matching the URL and extracting it as a query parameter to pass to oauth2-proxy:
```nginx
location ~ ^/oauth2/auth/(.*)$ {
    internal;
    resolver 127.0.0.11 valid=30s ipv6=off;
    set $upstream_oauth2_proxy http://oauth2-proxy:4180;
    set $args $args&allowed_groups=role:$1;
    rewrite ^/oauth2/auth/(.*)$ /oauth2/auth break;
    proxy_pass $upstream_oauth2_proxy;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
}
```
With `set $args` we are extracting the role and embedding it into `$args&allowed_groups=role:$1` to pass to the proxy backend. The following `rewrite` rule removes the `/roleA` part to continue with the rest as expected.
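To see what the cloaked-role location above actually sends upstream, and what decision comes back, here is a small Python model of the two steps (an added example, not code from oauth2-proxy or from the comment above). `build_auth_subrequest` reproduces the `set $args` concatenation and the `rewrite`; `authorize` is a hypothetical stand-in for the upstream auth endpoint, and its status codes (202 allowed, 401 not logged in, 403 logged in but not in an allowed group) are an assumption modelled on how an auth-only endpoint behind `auth_request` is typically expected to behave, not a statement about the project's implementation.

```python
import re
from urllib.parse import parse_qsl

# Same pattern as the nginx location: the role is cloaked in the path.
AUTH_LOCATION = re.compile(r"^/oauth2/auth/(.*)$")


def build_auth_subrequest(uri: str, args: str = ""):
    """Emulate the nginx location: returns (upstream_path, query_string),
    or None when the request does not match the location at all."""
    m = AUTH_LOCATION.match(uri)
    if not m:
        return None
    role = m.group(1)
    # `set $args $args&allowed_groups=role:$1;` is plain string concatenation,
    # so an empty $args yields a leading '&' (harmless for a query parser).
    query = f"{args}&allowed_groups=role:{role}"
    # `rewrite ^/oauth2/auth/(.*)$ /oauth2/auth break;` strips the role again.
    return ("/oauth2/auth", query)


def authorize(query: str, user_groups):
    """Hypothetical upstream decision (assumption, not oauth2-proxy's code):
    user_groups is None for an unauthenticated request, else the session's
    group list as the provider reports it (e.g. ["role:roleA"])."""
    if user_groups is None:
        return 401  # maps to nginx's `error_page 401 = /oauth2/sign_in`
    params = dict(parse_qsl(query, keep_blank_values=True))
    allowed = [g for g in params.get("allowed_groups", "").split(",") if g]
    if not allowed:
        return 202  # no group restriction was requested for this location
    return 202 if any(g in user_groups for g in allowed) else 403


if __name__ == "__main__":
    # Constructed sample: the subrequest produced for /roleAOnly/ above.
    path, query = build_auth_subrequest("/oauth2/auth/rolea", "")
    print(path, query)                                  # /oauth2/auth &allowed_groups=role:rolea
    print(authorize(query, ["role:rolea"]))             # 202
    print(authorize(query, ["role:roleb"]))             # 403
    print(authorize(query, None))                       # 401
```

Note what the model makes visible: the `error_page 401` line in location (A) only covers the not-logged-in case, while a logged-in user lacking the role ends up with the 403 as-is, so the group name on the nginx side (`role:rolea`) must match the provider's group claim exactly for the 202 path to be reachable.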
thanks! this is great, especially with your workaround for https://trac.nginx.org/nginx/ticket/761