haproxytech / haproxy-lua-oauth
JWT Validation implementation for HAProxy Lua host
License: Apache License 2.0
I was using HMAC512 to verify the JWT token. Therefore I did not set the env variable OAUTH_PUBKEY_PATH. The script fails when loaded as seen in the following error message:
runtime error: '/usr/local/share/lua/5.3/jwtverify.lua:81: attempt to concatenate a nil value (local 'file')' from /usr/local/share/lua/5.3/jwtverify.lua:81: in upvalue 'readAll', /usr/local/share/lua/5.3/jwtverify.lua:273: in function line 267
It fails in the readAll method as it tries to concatenate the file name for a logging message. The logging message isn't the sole problem, but rather the script's general assumption that this env variable is set to anything.
Hi,
Is it possible to return an h2 response inside 'register_service'?
I have a gRPC client calling HAProxy, which forwards the request to a backend gRPC server.
All works fine.
If for some reason I want to deny the request, the deny directive doesn't give the gRPC client much info about what went wrong. How do I provide more info? (Currently I am setting headers in a service.)
This does not work:
http-request deny deny_status 429 content-type text/plain lf-string "too_many_requests"
I was hoping I could construct an h2 response from inside a service?
Something like...
local pb = require('protobuf')
local input = { code = "403", message = "denied" }
local message = pb.encode('api.v1.status', input)
-- gRPC length-prefixed framing: 1-byte compression flag, 4-byte big-endian length, then the payload
local data = "\x00" .. string.pack(">I4", #message) .. message
applet:add_header("content-type", "application/grpc+proto")
applet:start_response()  -- headers are flushed here; there is no separate send() for them
applet:send(data)
Hello,
I would like to thank you for this great opensource project, it helped me a lot.
I'm experiencing the same issue as #31 but using example with Docker Compose:
haproxy-lua-oauth-haproxy-1 | [NOTICE] (1) : haproxy version is 2.6.15-446b02c
haproxy-lua-oauth-haproxy-1 | [NOTICE] (1) : path to executable is /usr/local/sbin/haproxy
haproxy-lua-oauth-haproxy-1 | [ALERT] (1) : config : parsing [/usr/local/etc/haproxy/haproxy.cfg:8] : Lua runtime error: error loading module '_openssl.pkey' from file '/usr/local/lib/lua/5.3/_openssl.so':
haproxy-lua-oauth-haproxy-1 | /usr/local/lib/lua/5.3/_openssl.so: undefined symbol: lua_newuserdata
Using Centos 8.2.2004
When installing using ./install.sh luajwt the following error is generated during luaossl installation
/usr/src/luaossl-master/src/openssl.c:12146:5: note: in expansion of macro ‘EVP_KDF_HKDF_MODE_EXPAND_ONLY’
EVP_KDF_HKDF_MODE_EXPAND_ONLY,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make: *** [/usr/src/luaossl-master/src/GNUmakefile:63: /usr/src/luaossl-master/src/5.3/openssl.o] Error 1
I believe this is related to https://github.com/wahern/luaossl/issues/175 but I don't understand how to fix the installer so that the install completes.
[WARNING] 047/022214 (7) : parsing [/opt/haproxy-lua-oauth/haproxy-example.cfg:49]: Missing LF on last line, file might have been truncated at position 34. This will become a hard error in HAProxy 2.3.
Hi,
First of all thanks for this project, and the excellent documentation. We're trying to use Keycloak with this setup, and are having problems because of the default signing algorithm:
[debug] 328/151714 (32616) : RS256 supported. Incorrect alg in JWT: HS256
[debug] 328/151714 (32616) : Algorithm not valid.
[debug] 328/151714 (32616) : req.authorized = false
Would it be possible to support HS256?
haproxy -v
HA-Proxy version 1.6.0 2015/10/13
Copyright 2000-2015 Willy Tarreau [email protected]
lua -v
Lua 5.3.3 Copyright (C) 1994-2016 Lua.org, PUC-Rio
whereis lua
lua: /usr/bin/lua /usr/lib64/lua /usr/local/bin/lua /usr/local/lib/lua /usr/share/lua /usr/share/man/man1/lua.1.gz
echo $LUA_PATH
/usr/local/bin/lua;;
echo $LUA_CPATH
./?.so;/usr/local/lib/lua/5.3/?.so;/usr/local/share/lua/5.3/?.so;/usr/local/bin/lua
haproxy -c -f haproxy1.cfg
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:3] : lua runtime error: error loading module 'json' from file '/usr/local/bin/lua':
/usr/local/bin/lua:1: unexpected symbol near '<\127>'
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:7] : unknown keyword 'setenv' in 'global' section
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:10] : unknown keyword 'setenv' in 'global' section
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:13] : unknown keyword 'setenv' in 'global' section
[ALERT] 112/115434 (1758) : parsing [haproxy1.cfg:30]: 'http-request' expects 'allow', 'deny', 'auth', 'redirect', 'tarpit', 'add-header', 'set-header', 'replace-header', 'replace-value', 'set-nice', 'set-tos', 'set-mark', 'set-log-level', 'add-acl', 'del-acl', 'del-map', 'set-map', 'set-src', 'sc-inc-gpc0()', 'sc-set-gpt0()', 'capture', 'set-method', 'set-path', 'set-query', 'set-uri', 'silent-drop', 'use-service', 'set-var(*)', but got 'lua.jwtverify'.
[ALERT] 112/115434 (1758) : Error(s) found in configuration file : haproxy1.cfg
haproxy1.cfg is the same file as the haproxy-example.cfg of the repository.
I am trying to install this on Amazon Linux.
Hello
Following the installation instructions I am trying to install HAProxy and luasocket.
I did sudo ./install.sh luaoauth
and it errored out saying:
[+] Installing haproxy-lua-oauth dependencies
In file included from luasocket.c:15:0:
luasocket.h:27:10: fatal error: lua.h: No such file or directory
 #include "lua.h"
          ^~~~~~~
compilation terminated.
Hello
I'm struggling to get haproxy-lua-oauth working with CentOS 7.
I have fixed install.sh to provide the dependencies.
But haproxy won't run anyway:
[ALERT] 184/181506 (969) : parsing [/etc/haproxy/haproxy.conf:10] : Lua runtime error: error loading module 'mime.core' from file '/usr/local/lib/lua/5.3/mime/core.so':
/usr/local/lib/lua/5.3/mime/core.so: undefined symbol: luaL_prepbuffer
and then http-request won't take lua.jwtverify
HA-Proxy version 2.3.2-d522db7
Is there a way to get it working with CentOS 7?
I use HAProxy with only JWT verification, without OAuth, so I have no OAUTH_PUBKEY_PATH to configure, which causes an exception when the config is initialized.
To work around this issue, I must configure a valid OAUTH_PUBKEY_PATH!
Just a minor gripe: if an unexpected argument is passed to install.sh it results in this error:
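Both reports above (the readAll crash when OAUTH_PUBKEY_PATH is unset, and the forced dummy key for HS-only deployments) come from the same assumption. The following is an added example, not the repository's code, of a key loader that tolerates a missing public key but still fails closed when no key material at all is configured; readAll, loadKeyConfig and the env parameter are assumed names.

```lua
-- Added example (not haproxy-lua-oauth's own code). Reads whichever key
-- material is configured and refuses to start with none at all.
local function readAll(path)
  local f, err = io.open(path, "rb")
  if not f then
    -- tostring() so a nil path can never trigger a concatenation error
    return nil, "cannot open " .. tostring(path) .. ": " .. tostring(err)
  end
  local data = f:read("*a")
  f:close()
  return data
end

-- env is an accessor like os.getenv (parameter exists so tests can stub it).
-- Returns a config table; raises a descriptive error on misconfiguration.
local function loadKeyConfig(env)
  env = env or os.getenv
  local cfg = {
    pubkeyPath = env("OAUTH_PUBKEY_PATH"),  -- RS*/ES* verification key (PEM)
    hmacSecret = env("OAUTH_HMAC_SECRET"),  -- HS* shared secret
  }
  -- Fail closed: an unverifiable deployment must not start silently.
  if cfg.pubkeyPath == nil and cfg.hmacSecret == nil then
    error("jwtverify: set OAUTH_PUBKEY_PATH (RS*/ES*) or OAUTH_HMAC_SECRET (HS*)")
  end
  if cfg.pubkeyPath ~= nil then
    local pem, err = readAll(cfg.pubkeyPath)
    if not pem then error("jwtverify: " .. err) end
    cfg.publicKey = pem
  end
  return cfg
end

return { readAll = readAll, loadKeyConfig = loadKeyConfig }
```

With only OAUTH_HMAC_SECRET exported, loadKeyConfig returns without touching the filesystem; with neither variable set, HAProxy's config check reports the reason instead of a nil-concatenation traceback.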
./install.sh: line 164: print_help: command not found
as there is no print_help function
Hi,
I got the following error:
Best regards,
Ivan Adamov
Hi team, as said in issue #11, thanks for this great job and associated documentation.
I was wondering if there is any chance you could also add support for HS512?
thanks
Hi, it seems that there is an issue with install.sh
due to a commit last month:
Using DEBIAN:2.8.2-debian-11-r10 @yaronr
#0 0.305 Cloning into 'haproxy-lua-oauth'...
#0 1.382 Debian based system detected
#0 1.382 false
#0 1.382 Debian based system detected
#0 1.383 ./install.sh: 37: Bad substitution
Hello!
Can you please add instructions on how to configure example for HS256?
Should OAUTH_HMAC_SECRET environment variable be set to the same public key that was generated in Auth0?
Since the public key of the token is assigned in the 'global' section, using multiple different tokens (from different authentication servers) seems impossible. However, it may be necessary.
For example, we have a cluster of three Haproxy+Keepalived load balancers. When everything is ok each load balancer serves as an API gateway for one environment - dev, test, or production. But if one of the load balancers fails, its virtual IP address switches to the next one, and - since it has the same configuration as the failed one - it starts serving two environments instead of one.
However, the REST API of each environment is protected by its own token, meaning the public key in OAUTH_PUBKEY_PATH is different for each environment. And this variable is specified in the 'global' section, so there cannot be multiple of them. Hence, our cluster scheme with JWT is not applicable. Can't we embed these parameters in the 'frontend' section instead?
HAproxy v2.4 is getting Lua Runtime Error
Lua runtime error: error loading module '_openssl.pkey' from file '/usr/local/lib/lua/5.4/_openssl.so':
/usr/local/lib/lua/5.4/_openssl.so: undefined symbol: lua_setuservalue
The same setup is working fine with HAproxy 1.9.1
I saw that you switched the licence from GPLv2 to the Apache License 2.0 recently https://github.com/haproxytech/haproxy-lua-jwt/blob/master/LICENSE. But your code there https://github.com/haproxytech/haproxy-lua-jwt/blob/master/lib/jwtverify.lua still references GPLv2, so I'm wondering which one I should use for my work based on this repo, so as not to void one or the other.
Hello,
First I would like to thank you for this great opensource project, it helped me a lot.
I am creating a new authentication module for Prosody; all lua-jwt functions are working as expected, but when I try to validate the token signature I am getting errors.
I am pasting everything below. What am I missing here?
PLEASE HELP !!
JWT TOKEN
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJrUXhPVEk0UmpJMU1FRXhSREpDTVRoQ1F6WXlPRVk1UlVNNU1UZ3pNamt6UkRZeU16aEZRUSJ9.eyJpc3MiOiJodHRwczovL2x5YW1yYS5hdXRoMC5jb20vIiwic3ViIjoieTZzdEQxUHFqTE9aTDhxMVh1VmFxNkNPZTJ1QUpDblBAY2xpZW50cyIsImF1ZCI6Im15and0LWFwaSIsImlhdCI6MTYwMTIzMjU5NCwiZXhwIjoxNjAxMzE4OTk0LCJhenAiOiJ5NnN0RDFQcWpMT1pMOHExWHVWYXE2Q09lMnVBSkNuUCIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9.oKFlhC1uIzKucxFNSJIIIMGAIXFvLsaOgFoqxrIGT4S_j_Wym0lBgUIVFFxpXDsXPg1o6y1g4dQP0xwlVqezXp5GXt6eZa3HHUlzQiMHBBVTFEyqmUSETXRBfBlyzAh-C5H4XwfQ5ySFJ46m8LiIPtU5lezlIIsBvAjk-IYjs0q3wLQpyEk0QtfkOKekdWV_r6U5vI06OTXJZh077ud9YXwZ2sL1890u16fH8Gz_rBO9PjKhtf2C0IUs0_sIw1ja6dzttI4fELlGwNdvYEO1R5NZd8juyttJb0BfQ3BD3f0Y0MI0gIorkHZkDCEH-1g7F77DIR-hgSBUv7HlzCDexQ
mycert.pem
after openssl x509 -pubkey -noout -in ./mycert.pem > pubkey.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7cUIgSloPuoTgzqaHBVH
6hSYvKEkijVHir3c7c6IWsLNRrDWa71dtwTnnGK7/A2Vt+TdcqxAuYrHxr4nN1C3
nP1XDPimP+L6fwLQArCDu7c9eAAt90ZLnfUiSlSU4YzSPdvU6SAgSzy1LUtX6mS4
BMcQqEKEKeD1tUNdG55K75KcTJi/Fh0MParu6lAOoYWiobSWHWaIfYvATJSwaGgi
KKMBAx76clEbaHJRnRV2CFgS6H4cVqZLG24cuCp9KujzisOEF941f4NshCbGZ7WW
krS9S4+7DAaq8rV3C1VFkXmZdxv/UFBY0Pzph/+aJvZuODZDC+ru7iTG3AdmQmOT
JwIDAQAB
-----END PUBLIC KEY-----
DECLARATION IN MY LUA CODE [PLEASE NOTE THAT I AM USING cjson, json library is throwing many errors]
local config = {
  publicKey = [[-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7cUIgSloPuoTgzqaHBVH
6hSYvKEkijVHir3c7c6IWsLNRrDWa71dtwTnnGK7/A2Vt+TdcqxAuYrHxr4nN1C3
nP1XDPimP+L6fwLQArCDu7c9eAAt90ZLnfUiSlSU4YzSPdvU6SAgSzy1LUtX6mS4
BMcQqEKEKeD1tUNdG55K75KcTJi/Fh0MParu6lAOoYWiobSWHWaIfYvATJSwaGgi
KKMBAx76clEbaHJRnRV2CFgS6H4cVqZLG24cuCp9KujzisOEF941f4NshCbGZ7WW
krS9S4+7DAaq8rV3C1VFkXmZdxv/UFBY0Pzph/+aJvZuODZDC+ru7iTG3AdmQmOT
JwIDAQAB
-----END PUBLIC KEY-----]],
  issuer = 'https://lyamra.auth0.com/',
  audience = 'myjwt-api'
}
local json = require 'cjson'
local base64 = require 'modules.mod_auth_auth0.base64'
local openssl = {
  pkey = require 'openssl.pkey',
  digest = require 'openssl.digest',
  x509 = require 'openssl.x509'
}
-- token.header / token.payload are the raw base64url segments; token.signaturedecoded is the raw signature bytes
local function signatureIsValid(token, publicKey)
  local digest = openssl.digest.new('SHA256')
  digest:update(token.header .. '.' .. token.payload)
  local vkey = openssl.pkey.new(publicKey)  -- this is the call that raises the ASN.1 'wrong tag' error below
  local isVerified = vkey:verify(token.signaturedecoded, digest)
  return isVerified
end
ERROR
Sep 27 14:29:09 c2s562ec904ed80 error Traceback[c2s]: pkey.new: tasn_dec.c:1130:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
stack traceback:
[C]: in function 'new'
/usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:137: in function 'signatureIsValid'
/usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:183: in function </usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:163>
(...tail calls...)
/usr/lib/prosody/modules/mod_auth_auth0/mod_auth_auth0.lua:45: in function 'plain_test'
/usr/lib/prosody/util/sasl/plain.lua:75: in function </usr/lib/prosody/util/sasl/plain.lua:39>
(...tail calls...)
/usr/lib/prosody/modules/mod_saslauth.lua:77: in function </usr/lib/prosody/modules/mod_saslauth.lua:66>
(...tail calls...)
/usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
(...tail calls...)
/usr/lib/prosody/core/stanza_router.lua:142: in function 'core_process_stanza'
/usr/lib/prosody/modules/mod_c2s.lua:275: in function 'func'
/usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>
Thanks for this great addition. Is it possible to have an option (config.debug via env variable) to enable the log messages in the script? At the moment, when HAProxy rejects a request due to an invalid issuer/audience etc., I cannot determine the root cause of the rejection; at least HAProxy does not provide enough info.
Thank you!
Hi there,
I wanted to install your package on my haproxy which is running on my pfsense, I was wondering if you have done so before and if you perhaps have some install instructions for me?
Hi there
I'd like to replace our basic auth with a Google-based OAuth. This looks like the way to go, but I'm a bit lost adapting the Auth0-based explanations to Google's auth stuff. So in case you tried it, mind sharing notes about it? That would also make fine documentation with some polish :)
Best regards,
Hello
I'm experiencing an issue after updating haproxy to the latest stable LTS version.
haproxy 2.6.2-16a3646, compiled with Lua support
[ALERT] (20995) : config : parsing [/etc/haproxy//00-global.cfg:10] : Lua runtime error: error loading module '_openssl.pkey' from file '/usr/local/lib/lua/5.3/_openssl.so':
/usr/local/lib/lua/5.3/_openssl.so: undefined symbol: lua_setuservalue
I've tried to reinstall haproxy-lua-oauth using luaossl:rel-20220711 with no luck.
Is there something I can do? This is the latest LTS branch of HAProxy, so I'd think haproxy-lua-oauth should work fine...