CODEWITHSUNDEEP
authenticationnginx
Philipp Kyeck
Philipp Kyeck

Reputation: 18820

nginx auth_request: access original query parameter

I'm trying to figure out if it is possible to forward a query-parameter from the original URL to the auth_request handler/service?

Users should be able to add the API-token as a query-parameter like this: https://example.com/api/user?token=237263864823674238476

And not via header or cookie. Can I access the token parameter somehow in the auth-service? Or write the token query-parameter in a custom header with NGINX?
Tried this so far:

location = /api/user {
  auth_request /auth;
  proxy_set_header X-auth-token-from-query $arg_token;

  proxy_pass http://<url>;
}

/auth endpoint doesn't get the X-auth-token-from-query header but after returning a 200 the upstream-proxy does get the header.

Upvotes: 15

Views: 10258

Answers (3)

rem
rem

Reputation: 1388

My use case:

  • I serve a reverse proxied API on /api/
  • I have some other resource on /protected I want to secure using a check on /api/auth-check which requires passing a token query parameter

Inspired by the answer of user1955986 I parse $request_uri, but in stead of directly proxying it somewhere else I use it to set the $args parameter that gets passed on to the API endpoint:

location ^~ /api/ {
    ... your API config ...
}

location ^~ /protected/ {
    auth_request /auth-request;
    ... your protected resource config ...
}

location = /auth-request {
    internal;
    if ($request_uri ~* "[^\?]+\?(.*)$") {
        set $args $1;
    }
    rewrite ^.* /api/auth-check last;
}

Upvotes: 0

user1955986
user1955986

Reputation: 133

The following worked for me

        location = /auth {
          internal;
          set $query '';
          if ($request_uri ~* "[^\?]+\?(.*)$") {
              set $query $1;
          }
          proxy_pass                http://myauthpoint?$query;
          proxy_pass_request_body   off;
          proxy_set_header          Content-Length "";
        }

Upvotes: 12

Aron Woost
Aron Woost

Reputation: 20668

You'll very likely want to pass the url (the uri) to the auth-request endpoint as well. You can do this in one go:

location = /api/auth {
  proxy_set_header X-Original-URI $request_uri;
  proxy_set_header X-Original-METHOD $request_method;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";

  proxy_pass http://<url>;
}

Bonus: I also passed the method! :tada:

Upvotes: 20

Related Questions