nginx AAI + user details
# When additional headers need to be forwarded to the upstream, the lua nginx module should be used.
# The simplest way to have lua support in nginx is to use openresty (https://openresty.org/en/). | |
# After the sources are downloaded and extracted from the archive, openresty can be compiled
# (alternatively, nginx itself can be compiled with the `lua`, `cjson` and `http_ssl` modules):
# Configure the build; the --prefix path is where this install lands (site-specific),
# and --with-http_ssl_module is needed for the https:// proxy_pass used later.
./configure --prefix=/home/marek/epos/openresty --with-http_ssl_module
# Build and install into the prefix above.
make
make install
# We will use: | |
# * nginx proxypass to invoke authorization endpoint | |
# * lua to parse authorization response and set required headers | |
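http {
    ...
    upstream api {
        server 127.0.0.1:8083;
    }

    server {
        listen 8081;
        server_name localhost;

        location / {
            # Every request is authorized through an internal subrequest to the
            # token introspection endpoint before it is proxied to the upstream.
            access_by_lua_block {
                -- The subrequest inherits the client's request headers, so /auth
                -- presents the same credentials (e.g. the bearer token) as this request.
                local res = ngx.location.capture("/auth")
                if res.status ~= 200 then
                    -- Any non-200 reply from the introspection endpoint (including
                    -- 5xx or a timeout) denies the request rather than letting it through.
                    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
                end

                local cjson = require("cjson")
                -- cjson.decode raises on malformed JSON; a broken introspection
                -- reply must deny the request, not fail it with a 500.
                local ok, value = pcall(cjson.decode, res.body)
                if not ok or type(value) ~= "table" or value["sub"] == nil then
                    -- Without a subject there is no identity to forward; previously a
                    -- missing "sub" silently cleared X-Auth-UserId and let the request in.
                    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
                end

                -- set_header overwrites (never appends), so a client-supplied
                -- X-Auth-* header can never reach the upstream.
                ngx.req.set_header("X-Auth-UserId", value["sub"])
                ngx.req.set_header("X-Auth-Scope", value["scope"])
            }
            proxy_pass http://api;
        }

        location = /auth {
            internal;
            proxy_pass https://epos-aai.cyfronet.pl/oauth2/tokeninfo;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            # nginx does not verify the upstream TLS certificate by default, so a
            # forged tokeninfo reply could authorize requests. Verification needs a
            # CA bundle; SNI is sent in case the endpoint is a name-based virtual host.
            proxy_ssl_verify on;
            proxy_ssl_server_name on;
            proxy_ssl_trusted_certificate /path/to/ca-bundle.pem;  # placeholder: set to the CA bundle that issued the endpoint's certificate
        }
    }
}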