Does Nginx open source support OpenID and JWT

Question

I have a basic Nginx docker image, acting as a reverse-proxy, that currently uses basic authentication sitting in front of my application server. I'm looking for a way to integrate it with our SSO solution in development that uses JWT, but all of the documentation says it requires Nginx+. So, is it possible to do JWT validation inside of open-sourced Nginx, or do I need the paid version?

Answer 1

based on this gist https://gist.github.com/abbaspour/af8dff3b297b0fcc6ba7c625c2d7c0a3

here's how I did it in a dockerfile ( based on buster-slim )

FROM python:3.9-slim as base

FROM base as builder

ENV LANG en_GB.UTF-8 \
    LANGUAGE en_GB.UTF-8 \
    PYTHONUNBUFFERED=True \
    PYTHONIOENCODING=UTF-8

RUN apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y \
    build-essential  \
    patch \
    git \
    wget \
    libssl-dev \
    libjwt-dev \
    libjansson-dev \
    libpcre3-dev \
    zlib1g-dev \
    && wget https://nginx.org/download/nginx-1.18.0.tar.gz \
    && tar -zxvf nginx-1.18.0.tar.gz \
    && git clone https://github.com/TeslaGov/ngx-http-auth-jwt-module \
    && cd nginx-1.18.0  \
    && ./configure --add-module=../ngx-http-auth-jwt-module \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-ld-opt="-L/usr/local/opt/openssl/lib" \
    --with-cc-opt="-I/usr/local/opt/openssl/include" \
    && make


FROM base

COPY --from=builder /nginx-1.18.0/objs/nginx /usr/sbin/nginx
COPY --from=builder /nginx-1.18.0/conf /usr/local/nginx/conf

ENV LANG en_GB.UTF-8 \
    LANGUAGE en_GB.UTF-8 \
    PYTHONUNBUFFERED=True \
    PYTHONIOENCODING=UTF-8

RUN apt-get update && \
    apt-get install --no-install-recommends --no-install-suggests -y \
    libssl-dev \
    libjwt-dev \
    libjansson-dev \
    libpcre3-dev \
    zlib1g-dev

Answer 2

Given that you have a configuration set up without authentication, I found this and got it to work: https://hub.docker.com/r/tomsmithokta/nginx-oss-okta which is entirely based on the lua-resty-openidc as mentioned above. The fact that it was already built was helpful for me though.

First configure your Okta app in the Okta web GUI then fill in the proper fields that are not commented out in the NGINX example conf. The only caveat is to uncomment the redirect_uri and fill that in but instead comment out or remove the redirect_uri_path which is a deprecated field. All the other things in the config are parameters you can play with or just accept them as is.

By default it passes you onto a headers page but if you adjust the proxy_pass field you should be able to pass it to your app.

Answer 3

There's also lua-resty-openidc: https://github.com/zmartzone/lua-resty-openidc

lua-resty-openidc is a library for NGINX implementing the OpenID Connect Relying Party (RP) and/or the OAuth 2.0 Resource Server (RS) functionality.

When used as an OpenID Connect Relying Party it authenticates users against an OpenID Connect Provider using OpenID Connect Discovery and the Basic Client Profile (i.e. the Authorization Code flow). When used as an OAuth 2.0 Resource Server it can validate OAuth 2.0 Bearer Access Tokens against an Authorization Server or, in case a JSON Web Token is used for an Access Token, verification can happen against a pre-configured secret/key .

Answer 4

Sure, there are open source codes, which you can use and customize for your case (example).

IMHO there are better implementations, which you can use as an "auth proxy" in front of your application. My favorite is keycloak-gatekeeper (you can use it with any OpenID IdP, not only with the Keycloak), which can provide authentication, authorization, token encryption, refresh token implementation, small footprint, ...