Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
nginx AAI + user details
# When additional headers need to be forwarded into upstream than lua nginx module should be used.
# The simplest way to have lua support in nginx is to use openresty (https://openresty.org/en/).
# After sources are downloaded and extracted from the archive we can compile openresty
# (or nginx with `lua`, `cjson` and `http_ssl` modules can be compiled):
./configure --prefix=/home/marek/epos/openresty --with-http_ssl_module
make
make install
# We will use:
# * nginx proxypass to invoke authorization endpoint
# * lua to parse authorization response and set required headers
http {
...
upstream api {
server 127.0.0.1:8083;
}
server {
listen 8081;
server_name localhost;
location / {
access_by_lua_block {
local res = ngx.location.capture("/auth")
if res.status == 200 then
local cjson = require("cjson")
local value = cjson.decode(res.body)
ngx.req.set_header("X-Auth-UserId", value["sub"])
ngx.req.set_header("X-Auth-Scope", value["scope"])
else
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
}
proxy_pass http://api;
}
location = /auth {
internal;
proxy_pass https://epos-aai.cyfronet.pl/oauth2/tokeninfo;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment