Reputation: 11764
I am building a multi-tenant system fronted by Nginx.
I want all requests hitting Nginx to first be 'filtered' on whether they have a valid JWT. If not, there should be a 'call out' to an external authentication server which will do SAML/SSO and return a JWT or 'false'. If false, then a 401 is returned.
If there is a valid JWT, it needs to be interpreted and the tenant name extracted. Then, depending on the request path, the URL/POST body will need to be modified to include the correct tenant (we are hitting an Elasticsearch and need to make sure that a tenant is only allowed to query their own indexes).
The Authentication server will be built in PHP, so what we need is just the 'filter' part and a valid way of calling the Auth server. Is there any off-the-shelf nginx module which will solve this requirement? Or is Lua my best bet here? I'm a relatively novice Nginx-er.
Upvotes: 4
Views: 11146
Reputation: 19
There is a much better and simpler JWT-based authentication module for nginx. Highly configurable. https://github.com/tarachandverma/nginx-openidc
You can configure multiple relying parties. https://github.com/tarachandverma/nginx-openidc/blob/master/test-conf/oidc-config.xml#L12
```xml
<!-- relying parties configuration -->
<relyingParties default="282412598309-545pvmsh9r23f4k1o7267744s59sod6v.apps.googleusercontent.com">
  <relyingParty clientID="282412598309-545pvmsh9r23f4k1o7267744s59sod6v.apps.googleusercontent.com" clientSecret="xxxxx" domain=".com" validateNonce="true">
    <description>nginx oidc demo</description>
    <redirectUri>http://ngx-oidc-demo.com/oauth2/callback</redirectUri>
  </relyingParty>
</relyingParties>
```
Upvotes: 2
Reputation: 11
Use https://github.com/auth0/nginx-jwt. For me it was easier to install OpenResty, since I didn't have much time to manually install the Lua module on nginx and all its dependencies.
At https://github.com/auth0/nginx-jwt/blob/master/nginx-jwt.lua, at line 114, the library adds the `sub` to the header, which should be an ID; you may change this if you need anything else.
```lua
ngx.header["X-Auth-UserId"] = jwt_obj.payload.sub
```
Upvotes: 1
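As an added illustration (not code from the question or from either answer, nor from nginx-jwt), here is the 'filter' part of the question in plain Python: verify an HS256 JWT against a shared secret, read a tenant claim, and rewrite the Elasticsearch path so the index segment is always the caller's own tenant. It assumes a claim named `tenant` and HS256 signing; in OpenResty the same decision would run in the access phase before the request is proxied.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the payload dict if `token` is a valid, unexpired HS256 JWT, else None."""
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:                      # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; never let the token's own header pick it (rejects "none").
    if not (isinstance(header, dict) and isinstance(payload, dict) and header.get("alg") == "HS256"):
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if "exp" in payload and (time.time() if now is None else now) >= payload["exp"]:
        return None
    return payload

def scope_to_tenant(payload: dict, path: str):
    """Rewrite `path` so its Elasticsearch index segment is the tenant's own; None if it names another's."""
    tenant = payload.get("tenant")           # assumed claim name; not part of the original page
    if not isinstance(tenant, str) or not tenant or "/" in tenant:
        return None
    first, _, rest = path.lstrip("/").partition("/")
    if first.startswith("_"):               # cluster-level API such as /_search: pin it to the tenant index
        return f"/{tenant}/{first}" + (f"/{rest}" if rest else "")
    if first != tenant:                     # an explicit index that is not the caller's own
        return None
    return "/" + path.lstrip("/")

def filter_request(token: str, path: str, secret: bytes, now=None):
    """Access-phase decision: (401, None) bad token, (403, None) other tenant's index, (200, path) ok."""
    payload = verify_hs256(token, secret, now)
    if payload is None:
        return 401, None
    scoped = scope_to_tenant(payload, path)
    return (200, scoped) if scoped else (403, None)

def make_token(payload: dict, secret: bytes) -> str:  # constructed helper: mint a token like the auth server
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

The request body rewrite the question also mentions is not shown; for a search API the same rule applies there (only the tenant's index may appear in the query).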