[Linkset] Authorization termination: OAuth reverse proxy
UPDATE Today was released Nginx Plus with a new nginx-openid-connect module.
If you are looking for Authentication Server or OAuth library then OpenID Conect implementations page is a good place to start. I chose Keycloak but also want to look on FreeIPA or https://ipsilon-project.org
Keycloak Security Proxy but I want proxy as Nginx module and I need to implement something non standard.
Also there is some an OpenID/Keycloak Proxy service https://github.com/gambol99/keycloak-proxy
For Apache web server everything is clear:
https://github.com/zmartzone/mod_auth_openidc
But I need something for Nginx .
lua-resty-openidc and it’s intro blog post written in Lua so its easier to extend (so I did for implementing of custom grant flow+ sessions + reference tokens).
https://github.com/tarachandverma/nginx-openidc written fully in C++ and this is interesting because you don’t need to enable Lua on Nginx (believe me, this can be harmful).
What is also interesting is tha module for only one purpose: to use reference tokens (opaque tokens)
https://github.com/curityio/nginx_phantom_token_module it’s written in C so no needs for additional deps.
Authentication Based on Subrequest Result
Actually Nginx already has something that can satisfy 80% of your needs:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
https://www.nginx.com/blog/nginx-plus-authenticate-users/
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
https://github.com/nginxinc/nginx-ldap-auth
https://redbyte.eu/en/blog/using-the-nginx-auth-request-module/
https://news.ycombinator.com/item?id=7641148
But to use the sebrequest auth your auth server should support this or you need to setup another shim proxy:
https://github.com/bitly/oauth2_proxy
and here is docker container which integrates it https://github.com/sinnerschrader/oauth-proxy-nginx
Or you can use this one which is written in Lua
https://github.com/jirutka/ngx-oauth
Bonus:
Important article from Security researcher Egor Homakov who hacked several times GitHub and Facebook:
stokito on software 