curityio / nginx_oauth_proxy_module
NGINX module that decrypts secure cookies from Single Page Apps and forwards JWT access tokens to APIs
License: Apache License 2.0
When making a same-origin GET request, the Origin header will not be sent by the client. However, because the module checks for the existence of that header, a 401 response is generated.
e.g. a GET request from a SPA at demo1.example.com/orders to an API endpoint at demo1.example.com/api/v1/orders will fail because the Origin header is not set.
Should the origin check be disabled for non-CORS requests?
Using a docker image of nginx 1.21.3 on a Mac with an M1 chip we are unable to load the module. Error message:
nginx: [emerg] dlopen() "/etc/nginx/modules/ngx_curity_http_oauth_proxy_module.so" failed (/etc/nginx/modules/ngx_curity_http_oauth_proxy_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/nginx.conf:7
The module itself is mounted to the correct location, so I assume it is a dependency that cannot be found.
Tried with amzn, amzn2 and Ubuntu modules. We've also previously tried an Alpine image with the Alpine module, but we've had issues with other Alpine images on M1 before so kind of expected that to fail.
Does the module need to be compiled specifically for machines with the M1 chip?
When writing the tutorial I saw this message in logs occasionally, during tests:
header already sent while reading response header from upstream
This occurs when routing to another location within NGINX during tests.
It seems the below add_header call should use default_type instead.
```nginx
# enclosing server { ... } block omitted from the snippet
location /api {
    oauth_proxy on;
    oauth_proxy_cookie_name_prefix "example";
    oauth_proxy_encryption_key $ENCRYPTION_KEY;
    oauth_proxy_trusted_web_origin "https://www.example.com";
    oauth_proxy_cors_enabled on;
    proxy_pass http://localhost/mock-api;
}

location /mock-api {
    # the add_header call the issue refers to
    add_header "content-type" "application/json";
    return 200 '{"message": "API was called successfully with an access token"}';
}
```
This assumption that all modern browsers send Origin by default is not true.
As per the MDN documentation of the fetch API (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin):
> Broadly speaking, user agents add the Origin request header to:
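A minimal Python model of the Origin check discussed in this issue and in the first one above, added here as an illustration; it is not the module's C code. The `relaxed` flag, the safe-method fallback for requests without an Origin header, and the sample requests are assumptions made for the example.

```python
# Added illustration for the two Origin-header issues on this page. This is NOT
# the nginx module's C code: the policy flag, the fallback rule for safe methods
# and the sample requests below are assumptions made for the example.
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def normalize_origin(origin):
    """Canonicalise 'scheme://host[:port]' so case or an explicit default port
    cannot defeat the exact comparison against the trusted-origin list.
    Returns '' for values that must never match ('null', file://, garbage)."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port
    except ValueError:  # malformed value such as 'https://host:abc'
        return ""
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path:
        return ""
    default = 443 if parts.scheme == "https" else 80
    suffix = "" if port in (None, default) else f":{port}"
    return f"{parts.scheme}://{parts.hostname.lower()}{suffix}"

def origin_check(method, headers, trusted, relaxed=False):
    """Status the proxy would return before forwarding the decrypted token.
    relaxed=False models the reported behaviour: Origin is required on every
    request, so a same-origin GET (sent without Origin) gets 401.
    relaxed=True models the proposal: a request with no Origin is accepted only
    for a safe method; browsers always attach Origin to cross-site POST/PUT/
    DELETE, so those still need a trusted Origin and CSRF protection is kept."""
    trusted_set = {normalize_origin(t) for t in trusted} - {""}
    origin = headers.get("Origin")
    if origin is None:
        return 200 if relaxed and method.upper() in SAFE_METHODS else 401
    return 200 if normalize_origin(origin) in trusted_set else 401

def evaluate(relaxed):
    """Run constructed sample requests for the SPA at demo1.example.com."""
    trusted = ["https://demo1.example.com"]
    cases = {
        "same-origin GET, no Origin": ("GET", {}),
        "same-origin POST": ("POST", {"Origin": "https://demo1.example.com"}),
        "POST, Origin with default port": ("POST", {"Origin": "https://DEMO1.example.com:443"}),
        "cross-site POST": ("POST", {"Origin": "https://attacker.example"}),
        "POST, no Origin (non-browser)": ("POST", {}),
        "GET, opaque Origin": ("GET", {"Origin": "null"}),
    }
    return {name: origin_check(m, h, trusted, relaxed) for name, (m, h) in cases.items()}
```

Under the relaxed policy only the same-origin GET without Origin changes from 401 to 200; every request that carries an untrusted, opaque or missing Origin with a state-changing method is still rejected.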