openidc / ngx_oauth2_module
OAuth 2.x Resource Server module for NGINX
License: GNU Affero General Public License v3.0
First, thanks for these modules. I have some Apache servers which have worked flawlessly for months.
I have to port some of my traffic to nginx on RHEL9, so I'm testing the ngx-oauth2 module.
My lab setup is just the translated Apache one:
location /protected {
    OAuth2TokenVerify $source_token metadata https://cognito-idp.eu-west-1.amazonaws.com/XXX/.well-known/openid-configuration verify.iat=skip;
    add_header X-USER $jwt_username;
    OAuth2Claim sub $jwt_sub;
    OAuth2Claim cognito:username $jwt_username;
    OAuth2Claim email $jwt_email;
    OAuth2Claim token_use $jwt_token_use;
    proxy_pass ...
}
The test with a token is fine:
curl "rhel9-ci:8080/protected/?$RANDOM" -H "Authorization: bearer $TOKEN" -iI
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 17 Jun 2024 21:48:00 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Mon, 17 Jun 2024 17:43:16 GMT
Connection: keep-alive
ETag: "667075b4-f"
X-USER: mycognito.myuser
Accept-Ranges: bytes
However, the env variables stay set on the next request, even without a token:
curl "rhel9-ci:8080/protected/?$RANDOM" -iI
HTTP/1.1 200 OK
...
X-USER: mycognito.myuser
In debug mode, I can see this when no token is provided:
[debug] 15738#15738: *73 # ngx_oauth2_handler: ngx_http_complex_value ngx_source_token.len=0
[debug] 15738#15738: *73 # ngx_oauth2_handler: leave: -5
...
[debug] 15738#15738: *73 ngx_oauth2_claim_variable: cognito:username=xxxx
[debug] 15738#15738: *73 http script var: "xxxx"
So I suspect that some context is not freed between requests, and variable values are kept from one run to another.
Does anyone have a hint?
My env:
Red Hat Enterprise Linux release 9.4 (Plow)
cjose-0.6.2.3-1.el9.x86_64
liboauth2-1.6.2-1.el9.x86_64
liboauth2-nginx-1.6.2-1.el9.x86_64
nginx-1.20.1-14.el9_2.1.x86_64
nginx-core-1.20.1-14.el9_2.1.x86_64
nginx-filesystem-1.20.1-14.el9_2.1.noarch
nginx-mod-oauth2-3.4.0-1.el9.x86_64
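The manual check from the report above, as an added example that is not part of the original issue or of the module's code: it compares the response to a request sent with a bearer token against one sent without, and reports whether a claim-derived header (X-USER in the posted config) survived. The function names and the sample response heads are constructed for illustration; `probe` assumes curl and a reachable lab URL.

```bash
#!/bin/sh
# Added example: regression check for claim values surviving into a request
# that carries no bearer token (the X-USER header in the report above).

# header_value NAME: print the value of header NAME from a raw response
# head on stdin (case-insensitive name match, CRLF tolerated).
header_value() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/\r$/, "") }
    NR > 1 {
      i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) == want) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      }
    }'
}

# classify AUTHED_HEAD ANON_HEAD HEADER_NAME
# ok         - header absent on the tokenless response (nginx omits an
#              add_header whose value is empty)
# leak-stale - tokenless response repeats the authenticated value
# leak-other - tokenless response carries some other non-empty value
classify() {
  _authed=$(printf '%s\n' "$1" | header_value "$3")
  _anon=$(printf '%s\n' "$2" | header_value "$3")
  if [ -z "$_anon" ]; then echo ok
  elif [ "$_anon" = "$_authed" ]; then echo leak-stale
  else echo leak-other
  fi
}

# probe URL TOKEN HEADER_NAME: live version of the two curl calls in the
# report (assumes curl and a reachable lab URL).
probe() {
  _a=$(curl -sI "$1" -H "Authorization: bearer $2")
  _b=$(curl -sI "$1")
  classify "$_a" "$_b" "$3"
}

# Constructed sample heads modelled on the report's output.
AUTHED=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\nX-USER: mycognito.myuser\r\n')
ANON_LEAK=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\nX-USER: mycognito.myuser\r\n')
ANON_CLEAN=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\n')

classify "$AUTHED" "$ANON_LEAK" X-USER    # prints leak-stale
classify "$AUTHED" "$ANON_CLEAN" X-USER   # prints ok
```

Running `probe` in a loop against every worker process is worthwhile, since a stale value may only show up when the tokenless request lands on a worker that previously served an authenticated one.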
Hi,
I am trying to enable OAuth2 for nginx proxy services. I have installed and configured nginx_oauth2_module using the instructions below. I have all the dependencies installed. After adding the OAuth2 configuration to nginx.conf, I am unable to restart the nginx service. I am getting the error below. Please help me troubleshoot the issue.
https://github.com/OpenIDC/ngx_oauth2_module
nginx.conf:
location /oauth2/pingfed/introspect {
    OAuth2TokenVerify $source_token introspect
        https://pingfed:9031/as/introspect.oauth2
        introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate;
    OAuth2Claim sub $pfc_introspect_sub;
    OAuth2Claim username $pfc_introspect_username;
    OAuth2Claim active $pfc_introspect_active;
    proxy_set_header OAUTH2_CLAIM_sub $pfc_introspect_sub;
    proxy_set_header OAUTH2_CLAIM_username $pfc_introspect_username;
    proxy_set_header OAUTH2_CLAIM_active $pfc_introspect_active;
    proxy_pass http://echo:8080/headers$is_args$args;
}
Error:
[emerg] 1960146#1960146: dlsym() "/etc/nginx/modules/liboauth2.so", "ngx_modules" failed (/etc/nginx/modules/liboauth2.so: undefined symbol: ngx_modules) in /etc/nginx/nginx.conf:13
When starting up nginx built with the ngx_oauth2_module on 64-bit SPARC (niagara4) on Solaris 10 with gcc 5.5.0, nginx dumps core with a SIGBUS error:
Program terminated with signal SIGBUS, Bus error.
#0 0x0000000100166f54 in ngx_openidc_set_claim (cf=0xffffffff7ffff480,
cmd=0x1002efe70 <ngx_openidc_commands+336>, conf=0x100370380)
at /home/webops/myghadm/src/ngx_openidc_module-master/src/ngx_openidc_module.c:144
144 claim->name = oauth2_strndup((const char *)value[1].data, value[1].len);
As SPARC is sensitive to alignment issues, I expect that this is a platform-specific issue.
My OpenIDC config (redacted, from the server location section of a very generic nginx.conf) is attached at OpenIDC-Config.txt.
The stack trace from the core file is attached as gdb_ngx_core.txt.
I'm happy to provide any additional information on this issue, and any further assistance to help resolve this.
Thanks for taking a look!
Is there a way to support an ID token here?
Hans,
I'm trying to compile this module from source, as the .deb packages are for a pretty old version of nginx (trying to install and use them on the default nginx docker container of bookworm gives an error regarding "version X instead of Y"). However, after fumbling about for days of trial and error, I just can't seem to get a .so file from following your workflow script in GitHub, or I get configure or make errors when trying to follow the official nginx documentation on compiling dynamic modules. Any help would be appreciated.