curityio / nginx_oauth_proxy_module Goto Github PK

When making a same origin GET request, the Origin header will not be sent by the client. However, because the module checks for the existence of that header, a 401 response is generated.

e.g. a GET request from a SPA at demo1.example.com/orders to an api endpoint at demo1.example.com/api/v1/orders will fail because the Origin header is not set.

Should the origin check be disabled for non-cors requests?

Using a docker image of nginx 1.21.3 on a Mac with an M1 chip we are unable to load the module. Error message:

nginx: [emerg] dlopen() "/etc/nginx/modules/ngx_curity_http_oauth_proxy_module.so" failed (/etc/nginx/modules/ngx_curity_http_oauth_proxy_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/nginx.conf:7

The module itself is mounted to the correct location, so I assume it is a dependency that cannot be found.

Tried with amzn, amzn2 and Ubuntu modules. We've also previously tried an Alpine image with the Alpine module, but we've had issues with other Alpine images on M1 before so kind of expected that to fail.

Does the module need to be compiled specifically for machines with the M1 chip?

When writing the tutorial I saw this message in logs occasionally, during tests:

header already sent while reading response header from upstream

This occurs when routing to another location within NGINX during tests.
It seems the below add_header call should use default_type instead.

location /api {
        oauth_proxy on;
        oauth_proxy_cookie_name_prefix "example";
        oauth_proxy_encryption_key $ENCRYPTION_KEY;
        oauth_proxy_trusted_web_origin "https://www.example.com";
        oauth_proxy_cors_enabled on;

        proxy_pass http://localhost/mock-api;
    }

    location /mock-api {
        add_header "content-type" "application/json";
        return 200 '{"message": "API was called successfully with an access token"';
    }
}

This assumption that all modern browsers send Origin by default is not true.

As per MDN documentation of fetch API https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

Quote:

Broadly speaking, user agents add the Origin request header to:

• cross origin requests.
• same-origin requests except for GET or HEAD requests (i.e. they are added to same-origin POST, OPTIONS, PUT, PATCH, and DELETE requests).

End Quote