
I am building a multi-tenant system fronted by Nginx.

I want all requests hitting Nginx to first be 'filtered' on whether they have a valid JWT. If not, there should be a 'call out' to an external authentication server which will do SAML/SSO and return a JWT or 'false'. If false, then a 401 is returned.

If there is a valid JWT, it needs to be interpreted and the tenant name extracted. Then, depending on the request path, the URL/POST body will need to be modified to include the correct tenant (we are hitting an Elasticsearch and need to make sure that a tenant is only allowed to query their own indexes).

The Authentication server will be built in php, so what we need is just the 'filter' part and a valid way of calling the Auth server. Is there any off-the-shelf nginx module which will solve this requirement? Or is Lua my best bet here? I'm a relatively novice Nginx-er.

2 Answers

2

There is a much better and simpler JWT-based authentication module for nginx. Highly configurable. https://github.com/tarachandverma/nginx-openidc

You can configure multiple relying parties. https://github.com/tarachandverma/nginx-openidc/blob/master/test-conf/oidc-config.xml#L12

<!-- relying parties configuration -->
<relyingParties default="282412598309-545pvmsh9r23f4k1o7267744s59sod6v.apps.googleusercontent.com">
    <relyingParty clientID="282412598309-545pvmsh9r23f4k1o7267744s59sod6v.apps.googleusercontent.com" clientSecret="xxxxx" domain=".com" validateNonce="true">
        <description>nginx oidc demo</description>
        <redirectUri>http://ngx-oidc-demo.com/oauth2/callback</redirectUri>
    </relyingParty>
</relyingParties>

1 Comment

Please do not post link only answers, as the link may break. Take the relevant content from the link and post it here.
1

Use https://github.com/auth0/nginx-jwt. For me it was easier to install OpenResty, since I didn't have that much time to manually install the Lua module on nginx and all its dependencies.

At https://github.com/auth0/nginx-jwt/blob/master/nginx-jwt.lua, at line 114, the library adds the sub claim to the header, which should be an ID; you may change this if you need anything else.

ngx.header["X-Auth-UserId"] = jwt_obj.payload.sub
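One way to put the question's filter, auth call-out and tenant scoping into OpenResty, building on the Lua approach this answer takes. This is an added example, not code from nginx-jwt, nginx-openidc or the original poster; it assumes the lua-resty-jwt library, a shared HS256 secret exposed as the JWT_SECRET environment variable, a `tenant` claim in the token, and an internal `/_auth` location proxied to the PHP auth server (all of these are assumptions, not part of the page).

```lua
-- Added example access_by_lua_block for the tenant gate in the question; not
-- nginx-jwt or nginx-openidc code. Assumes lua-resty-jwt, an HS256 secret
-- exposed via `env JWT_SECRET;`, a "tenant" claim, and an internal location
-- /_auth that proxies to the PHP SAML server.
local jwt = require "resty.jwt"
local validators = require "resty.jwt-validators"
local secret = os.getenv("JWT_SECRET")

-- 1. Bearer token from the Authorization header, if the client sent one.
local token
local auth_header = ngx.var.http_authorization
if auth_header then
    local cap = ngx.re.match(auth_header, [[^Bearer\s+(\S+)$]], "jo")
    token = cap and cap[1]
end

-- 2. No token: subrequest to the auth server (it sees the client's cookies).
--    200 with a JWT body is success; anything else is the "false" case -> 401.
if not token then
    local res = ngx.location.capture("/_auth")
    if res.status ~= 200 or not res.body or res.body == "" then
        return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
    token = (res.body:gsub("%s+$", ""))
end

-- 3. Verify signature AND expiry; a correctly signed but expired token fails.
local jwt_obj = jwt:verify(secret, token, { exp = validators.is_not_expired() })
if not jwt_obj.verified or type(jwt_obj.payload.tenant) ~= "string" then
    ngx.log(ngx.WARN, "jwt rejected: ", jwt_obj.reason)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
local tenant = jwt_obj.payload.tenant
local prefix = tenant .. "-"

-- 4. Confine the Elasticsearch request to indexes named "<tenant>-*":
--    /_search  -> /<tenant>-*/_search; /a,b/_search -> every comma-separated
--    index must carry the prefix, so "*" or another tenant's index gets 403.
--    Body-addressed endpoints (_msearch, _bulk) still need their body checked.
local m = ngx.re.match(ngx.var.uri, [[^/([^/_][^/]*)]], "jo")
if not m then
    ngx.req.set_uri("/" .. tenant .. "-*" .. ngx.var.uri)
else
    for idx in m[1]:gmatch("[^,]+") do
        if idx:sub(1, #prefix) ~= prefix then
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    end
end
ngx.req.set_header("X-Tenant", tenant)
```

The prefix check is a plain string comparison rather than a regex built from the claim, so a tenant name containing regex metacharacters cannot widen the match.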

