Use nginx to add Authentication to any Application

This tutorial will show you how to use the nginx auth_request module to protect any application running behind your nginx server with OAuth, without writing any code!

kobi.s

Looks like a very cool solution. I tried it according to the instructions here, but it always redirects the traffic to GitHub although I only left the Okta config in the YML file.
Any thoughts?

Gavin V

This is a great post.
One thing doesn’t make sense and took me some time to figure out.
You have 2 domains, stats.avocado.lol and login.avocado.lol. When I copied this configuration I noticed that the browser would not send the cookie when accessing stats.avocado.lol, since it was acquired when accessing login.avocado.lol. This caused a JWT not found error in lasso and looped back to login endlessly. As I understand it, this would be cross-site sharing of the cookie. I also believe that this is possible but would need further config not detailed in this article (set cookie: domain1 domain2 etc. perhaps)…

Great article however, and I very much appreciate your time to share this.

Gavin V

Just to follow up, I managed to get this working by setting the cookie name in the config.yml to be the root domain. It will then allow the browser to submit the cookie when accessing all subdomains:
cookie:
  domain: avacado.lol
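An added example (not from the original post, nor from the lasso/vouch project) that reproduces the cookie-scoping behaviour described in the two comments above using Python’s standard cookie jar, which follows the same domain-matching rules as a browser. A cookie set by login.avocado.lol without a Domain attribute is host-only and is never sent to stats.avocado.lol; a cookie scoped to the root domain is sent to every subdomain, but still not to a lookalike host. The cookie name and value are constructed; the hostnames are the tutorial’s example domains.

```python
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a headers object that supports get_all()."""

    def __init__(self, set_cookie_header: str):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_sent(set_cookie_header: str, set_by_url: str, request_url: str) -> bool:
    """Store the cookie that `set_by_url` issued, then report whether a
    browser-like client would attach it to a request for `request_url`."""
    jar = CookieJar()
    jar.extract_cookies(_SetCookieResponse(set_cookie_header), Request(set_by_url))
    req = Request(request_url)
    jar.add_cookie_header(req)  # adds a Cookie header only if the domain/path/secure rules allow it
    return req.has_header("Cookie")


# Constructed sample cookies modelled on the thread's two-host setup:
# login.avocado.lol issues the session cookie, stats.avocado.lol is the protected app.
LOGIN_URL = "https://login.avocado.lol/auth"
APP_URL = "https://stats.avocado.lol/"
HOST_ONLY_COOKIE = "VouchCookie=opaque-session-token; Path=/; Secure; HttpOnly"
ROOT_DOMAIN_COOKIE = "VouchCookie=opaque-session-token; Domain=avocado.lol; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print("host-only cookie reaches stats:", cookie_sent(HOST_ONLY_COOKIE, LOGIN_URL, APP_URL))
    print("root-domain cookie reaches stats:", cookie_sent(ROOT_DOMAIN_COOKIE, LOGIN_URL, APP_URL))
    print("root-domain cookie reaches a lookalike host:",
          cookie_sent(ROOT_DOMAIN_COOKIE, LOGIN_URL, "https://evil-avocado.lol/"))
```

Setting the cookie domain to the root fixes the redirect loop, but it also means every host under that root receives the session token, so the root should only be one whose subdomains are all trusted. The Secure and HttpOnly attributes keep the token off plain HTTP and away from page scripts.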

abhijeetkpawar

Is there any similar blog for Apache?

If not, it would be helpful if one is written.

Jasbir B

I like this idea. But I noticed that the details are out of date so it is hard to figure out how to get it working.

First, the “Create New Application” page is different now. It asks you to fill in different information than what is in the article.

Also, Lasso has been deprecated. You can try vouch-proxy instead, but the settings are different. So you have to combine the changes on the vouch-proxy GitHub page with the changes above.

I tried to set them in a reasonable way, but it never redirected to the Okta login. Nothing in the logs either.

krishnam

Hi @gavin_vickers, is it possible for you to share your config.yaml? I am having a similar problem: after the authentication cookie is set, it goes into a loop. I tried the cookie: domain setting as you suggested, but that is also not helping in my case. Is there anything in the nginx conf that you have put in to avoid this problem?

Dave B

Does this require API Access Management to be enabled on the Okta server? I’m getting “The requested feature is not enabled in this environment.” when I try to log in from my app.
400: Bad Request
BAD REQUEST

Your request resulted in an error.
Go to Homepage
Identity Provider: Unknown
Error Code: server_error
Description: The requested feature is not enabled in this environment.

Matt Raible

Hello Dave,

I believe this is because you don’t have an Okta developer account. Orgs created through developer.okta.com have the default custom Authorization Server enabled. Free Trial workforce orgs do not, nor do Enterprise workforce orgs.

Dave B

Hi Matt,

Actually, it turns out there is a workaround (https://support.okta.com/he…): you just have to remove the /default from the oauth2 URLs in the vouch config, and it seems to work. (It moved my problem farther along anyway.)

Matt Raible

Yes, this is certainly an option if you don’t require an access token for a custom API and only need it for Okta resources.

Sam D. Lee

The OAuth2 grant types client_credentials and password can be used for the scenario of protecting a company’s APIs from external access. I am wondering if Vouch can be used in this use case and whether the same settings for vouch in nginx.conf can be used?

Rakesh

Hi @kobi_s, I am also facing the same issue. Did you get any resolution?

Rakesh

Hi Team,
I am getting the below error after successful authentication.

{"level":"error","ts":1594280010.3651514,"msg":"/auth Error while retreiving user info after successful login at the OAuth provider: Post "https://dev-813551.okta.com…": dial tcp: lookup dev-813551.okta.com on 10.65.0.33:67: no such host"}

dev-813551.okta.com is not reachable from my vouch-proxy server. If I have to access this, then I have to use an outgoing proxy.

Please let me know how to set an outgoing proxy in the vouch server so that it can make requests to my Okta dev account.

Any help will be appreciated.

Regards,
Rajesh

Joseph Fitzgerald

Didn’t you run into problems with $request_uri not being URL-encoded? If the original request contained “?” and “&”, I think it would throw off your solution.

Matt Raible

I’m not sure how to do this as I’ve never used vouch-proxy server before. I’d suggest you ask this question on Stack Overflow so more Nginx experts see it.

aaronpk

The config file format has changed from what is described in this post, so make sure you’re following the instructions in the project’s readme!

aaronpk

Yes, if you need to handle URLs with a query string then you’ll have to URL-encode that parameter using something like https://github.com/openrest…. This isn’t an issue for the majority of my deployments.
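An added example (not part of the original post or of the vouch-proxy project) that makes the $request_uri problem raised in the two comments above concrete. It reproduces in Python what the nginx 401 handler does when it builds the login redirect from `$scheme://$http_host$request_uri`, then parses the resulting `url` parameter the way the login service would. Without encoding, everything after the first `&` of the original query string is lost; with percent-encoding (what an escape helper such as OpenResty’s set_escape_uri provides), the original URL round-trips intact. The hostnames are the tutorial’s example domains and the `/login` path and the `url` parameter name are assumptions; the allowed-domain check at the end is the kind of validation the login side should apply to any return URL it is handed.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumed login endpoint (the tutorial's example login host; the path is an assumption).
LOGIN_ENDPOINT = "https://login.avocado.lol/login"


def build_login_redirect(scheme: str, host: str, request_uri: str, encode: bool = False) -> str:
    """Reproduce the 302 Location that an nginx 401 handler builds from
    $scheme://$http_host$request_uri. encode=False pastes the original URL in raw
    (the behaviour discussed in the thread); encode=True percent-encodes it first,
    as set_escape_uri would."""
    original = f"{scheme}://{host}{request_uri}"
    if encode:
        original = quote(original, safe="")  # escape ':' '/' '?' '&' '=' so they stay inside the value
    return f"{LOGIN_ENDPOINT}?url={original}"


def recover_original_url(location: str):
    """What the login service gets back when it parses the `url` query parameter."""
    params = parse_qs(urlsplit(location).query)  # splits on '&', decodes percent-escapes
    values = params.get("url")
    return values[0] if values else None


def is_allowed_return_url(url: str, allowed_domains) -> bool:
    """Defensive check before redirecting back: only http(s) URLs whose host is one
    of the protected domains or a subdomain of one. Rejects other schemes and
    scheme-relative URLs, which would otherwise make this an open redirect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    domains = [d.lower() for d in allowed_domains]
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    # Constructed request: the protected app receives a GET with two query parameters.
    raw = build_login_redirect("https", "stats.avocado.lol", "/report?year=2020&team=ops")
    enc = build_login_redirect("https", "stats.avocado.lol", "/report?year=2020&team=ops", encode=True)
    print("raw redirect     :", raw)
    print("recovered (raw)  :", recover_original_url(raw))   # team=ops is lost
    print("recovered (enc)  :", recover_original_url(enc))   # full URL survives
    print("allowed?         :", is_allowed_return_url(recover_original_url(enc), ["avocado.lol"]))
```

The same truncation happens for any nginx variable that is interpolated unescaped into a query string, not only $request_uri; the check in is_allowed_return_url is worth keeping in the login service regardless, since the `url` parameter is a user-controlled redirect target.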

suresh-rasa

Hi Aaron, adding $auth_user satisfies authentication. How do I check that this user has the role or group needed to access this application? Can nginx pass role or group information to downstream applications, e.g. Python (Flask APIs), so the group or role can also be validated?

Andrzej Sydorko

Got the login part working but struggling with logging out. I’m seeing “/logout deleting session” in the vouch log but can still access the application/web page.