ngx_sts_module

A security token exchange module for the NGINX web server which allows for exchanging arbitrary security tokens by calling into a remote Security Token Service (STS). For an overview and rationale see the Apache version of this module at: https://github.com/OpenIDC/mod_sts/blob/master/README.md.

Quickstart

WS-Trust STS with HTTP Basic authentication and setting the target token in a cookie. In each Quickstart example $source_token holds the incoming token, populated as described under Source Token Retrieval below.

	location /sts/wstrust {
		STSExchange wstrust https://pingfed:9031/pf/sts.wst
			auth=basic&username=wstrust&password=2Federate&applies_to=urn:pingfed&value_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&token_type=urn:bogus:token&ssl_verify=false;

		STSVariables $source_token $wst_target_token;

		proxy_set_header Cookie STS_COOKIE=$wst_target_token;
		proxy_pass http://echo:8080$is_args$args;
	}

OAuth 2.0 Resource Owner Password Credentials based Token Exchange with client_secret_basic authentication.

	location /sts/ropc {
		STSExchange ropc https://pingfed:9031/as/token.oauth2
			auth=client_secret_basic&client_id=sts0&client_secret=2Federate&username=dummy&ssl_verify=false;

		STSVariables $source_token $ropc_target_token;

		proxy_set_header Cookie STS_COOKIE=$ropc_target_token;
		proxy_pass http://echo:8080$is_args$args;
	}

OAuth 2.0 Client Credentials based token retrieval with client_secret_basic authentication.

	location /sts/cc {
		STSExchange cc https://keycloak:8443/realms/master/protocol/openid-connect/token
			auth=client_secret_basic&client_id=cc_client&client_secret=mysecret&ssl_verify=false;

		set $dummy_variable "notempty";
		STSVariables $dummy_variable $cc_target_token;

		proxy_set_header Authorization "bearer $cc_target_token";
		proxy_pass http://echo:8080$is_args$args;
	}

OAuth 2.0 Token Exchange with client_secret_basic authentication.

	location /sts/otx {
		STSExchange otx https://keycloak:8443/auth/realms/master/protocol/openid-connect/token
			auth=client_secret_basic&client_id=otxclient&client_secret=2Federate&ssl_verify=false;

		STSVariables $source_token $otx_target_token;

		proxy_set_header Cookie STS_COOKIE=$otx_target_token;
		proxy_pass http://echo:8080$is_args$args;
	}

Configuration

Source Token Retrieval

Cookie:

	map $http_cookie $sts_source_token {
		default "";
		"~*MyCookieName=(?<token>[^;]+)" "$token";
	}

Header:

	map $http_authorization $sts_source_token {
		default "";
		"~*^Bearer\s+(?<token>[\S]+)$" $token;
	}

Query:

	# $arg_token is nginx's built-in variable for the "token" query parameter
	set $sts_source_token "";
	if ($arg_token != "") {
		set $sts_source_token $arg_token;
	}

Post:

	# use form-input-nginx-module
	set_form_input $sts_source_token access_token;

Source Token Removal

Remove the source token from the incoming request so it is not proxied to the backend.

Cookie:

	set $new_cookie $http_cookie;
	if ($http_cookie ~ "(.*)(?:^|;)\s*source_token=[^;]+(.*)") {
		set $new_cookie $1$2;
	}
	proxy_set_header Cookie $new_cookie;

Header:

	proxy_set_header Authorization "";

Query:

	if ($args ~ "(.*)source_token=[^&]*(.*)") {
		set $args $1$2;
	}
	# clean up any repeated & introduced by the removal
	if ($args ~ "(.*)&&+(.*)") {
		set $args $1&$2;
	}
	# clean up a leading &
	if ($args ~ "^&(.*)") {
		set $args $1;
	}
	# clean up a trailing &
	if ($args ~ "(.*)&$") {
		set $args $1;
	}

Target Token

Environment: set the target token as a CGI environment variable e.g. for PHP applications:

	fastcgi_param STS_TOKEN $sts_target_token;

Header: pass the target token in a header to the proxied backend:

	proxy_set_header Authorization "Bearer $sts_target_token";

Cookie: pass the target token to the backend with:

	proxy_set_header Cookie STS_COOKIE=$sts_target_token;

Query: pass the target token in a query parameter to the proxied backend:

	set $sep "";
	if ($is_args) {
		set $sep "&";
	}
	set $args $args${sep}token=$sts_target_token;

Post: pass the target token in a POST parameter to the proxied backend:

	proxy_set_body $request_body&token=$sts_target_token;
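The Quickstart and the Configuration sections above each show one piece of the flow; the following is an added example (not the project's own configuration) that assembles them into one complete nginx setup: bearer token retrieval from the Authorization header, the exchange at the STS, and forwarding of only the exchanged token to the backend. Hostnames, TLS paths, client credentials and the upstream name are placeholders.

```nginx
# Added example: one complete configuration assembled from the README fragments.
# Hostnames, certificate paths, credentials and the upstream are placeholders.
http {
    # Source Token Retrieval (Header variant): copy the bearer token from the
    # incoming Authorization header into $sts_source_token, empty if absent.
    map $http_authorization $sts_source_token {
        default "";
        "~*^Bearer\s+(?<token>[\S]+)$" $token;
    }

    server {
        listen 443 ssl;
        server_name gateway.example.com;                   # placeholder
        ssl_certificate     /etc/nginx/tls/gateway.crt;    # placeholder
        ssl_certificate_key /etc/nginx/tls/gateway.key;    # placeholder

        location /api/ {
            # Exchange the incoming token at the STS (OAuth 2.0 Token Exchange).
            # The ssl_verify=false parameter seen in the Quickstart is left out
            # here so the module is not told to skip TLS verification of the STS.
            STSExchange otx https://sts.example.com/token
                auth=client_secret_basic&client_id=otxclient&client_secret=PLACEHOLDER_SECRET;

            # First variable: the source token; second: where the exchanged token goes.
            STSVariables $sts_source_token $sts_target_token;

            # Source Token Removal and Target Token (Header variants) in one step:
            # proxy_set_header replaces the incoming Authorization header, so the
            # backend only ever sees the exchanged token, never the source token.
            proxy_set_header Authorization "Bearer $sts_target_token";
            proxy_pass http://backend:8080$is_args$args;   # placeholder upstream
        }
    }
}
```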

Support

Community Support

For generic questions, see the Wiki pages with Frequently Asked Questions at:
https://github.com/OpenIDC/ngx_sts_module/wiki
Any questions or issues should go to the issue tracker.

Commercial Services

For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
[email protected]

Disclaimer

This software is open-sourced by OpenIDC. For commercial support you can contact OpenIDC as described above in the Support section.

ngx_sts_module's People

Contributors

zandbelt

ngx_sts_module's Issues

source_token

Need more clarification on how to get $source_token. Is there a place where we can see the full nginx.conf?

fails to build with nginx >= 1.26.0

Seems like nginx has refactored some headers starting from v1.23.0 and now I'm seeing this on 1.26.0

> libtool: compile:  gcc -DPACKAGE_NAME=\"ngx_sts_module\" -DPACKAGE_TARNAME=\"ngx_sts_module\" -DPACKAGE_VERSION=\"3.4.0\" "-DPACKAGE_STRING=\"ngx_sts_module 3.4.0\"" -DPACKAGE_BUGREPORT=\"[email protected]\" -DPACKAGE_URL=\"\" -DHAVE_STDIO_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -DSTDC_HEADERS=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -I. -Wall -Werror -fPIC -pipe -O -Wall -Wextra -Wpointer-arith -Wno-unused-parameter -Wno-deprecated-declarations -Wno-unused-function -Wno-ignored-qualifiers -I/nix/store/0bp9inq3wd4car25n60idlfics6fajjv-openssl-3.0.13-dev/include -I/nix/store/cnazciv4gza3ylaaa2yqfz9nivnqhlh4-curl-8.7.1-dev/include -I/nix/store/prvzqxmpqs5b017xwz4wjrcb2hn1ivv4-jansson-2.14/include -I/nix/store/j3bfzghwwf11kzg6l5giaid93iqbi9by-cjose-0.6.2.2/include -I/nix/store/3l39yw0vcgvscl2fwgdm9qhyqwvpg20n-pcre2-10.43-dev/include -I/nix/store/6r91iqjdcp3vgsdg0q9xll461skqpcav-libmemcached-1.0.18/include -I/nix/store/6fgmrpvapqy8samvalgvpzbpfwvwan54-liboauth2/include -I/nix/store/0bp9inq3wd4car25n60idlfics6fajjv-openssl-3.0.13-dev/include -I/nix/store/cnazciv4gza3ylaaa2yqfz9nivnqhlh4-curl-8.7.1-dev/include -I/nix/store/prvzqxmpqs5b017xwz4wjrcb2hn1ivv4-jansson-2.14/include -I/nix/store/j3bfzghwwf11kzg6l5giaid93iqbi9by-cjose-0.6.2.2/include -I/nix/store/3l39yw0vcgvscl2fwgdm9qhyqwvpg20n-pcre2-10.43-dev/include -I/nix/store/6r91iqjdcp3vgsdg0q9xll461skqpcav-libmemcached-1.0.18/include -I/nix/store/6fgmrpvapqy8samvalgvpzbpfwvwan54-liboauth2/include -Inginx/src/core -Inginx/src/event -Inginx/src/event/modules -Inginx/src/os/unix -Inginx/objs -Inginx/src/http -Inginx/src/http/v2 -Inginx/src/http/modules -I/nix/store/n07zr76pkcqi7ycmc5yihdjf5qm7rda1-libxml2-2.12.6-dev/include/libxml2 -I./src/liboauth2-sts/include -g -O2 -c src/ngx_sts_module.c  -fPIC -DPIC -o src/.libs/ngx_sts_module_la-ngx_sts_module.o
> In file included from nginx/src/event/ngx_event.h:526,
>                  from nginx/src/http/ngx_http_upstream.h:14,
>                  from nginx/src/http/ngx_http.h:36,
>                  from src/ngx_sts_module.c:27:
> nginx/src/event/ngx_event_udp.h:46:27: error: field 'pkt6' has incomplete type
>    46 |     struct in6_pktinfo    pkt6;
>       |                           ^~~~
> make: *** [Makefile:608: src/ngx_sts_module_la-ngx_sts_module.lo] Error 1
