Comments (8)
Oh wow, that fixed it. Thanks so much. I needed the block you suggested in the location / block
location / {
    auth_request_set $auth_resp_jwt $upstream_http_x_lasso_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_lasso_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_lasso_failcount;
    auth_request_set $auth_resp_x_lasso_user $upstream_http_x_lasso_user;
    proxy_pass http://ds;
    proxy_set_header X-User $auth_resp_x_lasso_user;
    proxy_set_header X-test mytest;
}
from vouch-proxy.
I've run into similar issues and it appears to be related to the scope of the variables in the nginx location blocks.
Could you try copying
    auth_request_set $auth_resp_jwt $upstream_http_x_lasso_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_lasso_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_lasso_failcount;
    auth_request_set $auth_resp_x_lasso_user $upstream_http_x_lasso_user;
into the location / block just before the proxy_set_header directives?
from vouch-proxy.
Did you configure the generic OIDC provider in the Lasso config? Make sure the user info URL is set there: https://github.com/LassoProject/lasso/blob/master/config/config.yml_example#L80
Also make sure that this bit is set up as well: https://developer.okta.com/blog/2018/08/28/nginx-auth-request#bonus-who-logged-in
from vouch-proxy.
Thanks for getting back to me.
Here's how I have lasso configured:
oauth:
  # configure only one of the following
  # Generic OpenID Connect
  provider: oidc
  client_id: XXX
  client_secret: YYYY
  auth_url: https://1111.oktapreview.com/oauth2/default/v1/authorize
  token_url: https://1111.oktapreview.com/oauth2/default/v1/token
  user_info_url: https://1111.oktapreview.com/oauth2/default/v1/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://myhost:9090/auth
That all works: I can successfully authenticate. It's this part which seems to not have any effect:
auth_request_set $auth_user $upstream_http_x_lasso_user;
Here's my nginx config:
upstream ds {
    server 10.80.9.11:9999;
}
server {
    listen 9090 ssl;
    server_name myserver;
    ssl_certificate /data/keys/myserver.crt;
    ssl_certificate_key /data/keys/myserver.key;
    location / {
        proxy_set_header Host myserver;
        proxy_pass http://127.0.0.1:9091;
    }
}
server {
    listen 443 ssl;
    server_name myserver;
    ssl_certificate /data/keys/myserver.crt;
    ssl_certificate_key /data/keys/myserver.key;
    add_header Strict-Transport-Security max-age=2592000;
    # Any request to this server will first be sent to this URL
    auth_request /validate;
    location = /validate {
        # This address is where Lasso will be listening on
        proxy_pass https://myserver:9090;
        proxy_pass_request_body off; # no need to send the POST body
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # these return values are passed to the @error401 call
        auth_request_set $auth_resp_jwt $upstream_http_x_lasso_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_lasso_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_lasso_failcount;
        auth_request_set $auth_resp_x_lasso_user $upstream_http_x_lasso_user;
    }
    error_page 401 = @error401;
    # If the user is not logged in, redirect them to Lasso's login URL
    location @error401 {
        return 302 https://myserver:9090/login?url=https://$http_host$request_uri&lasso-failcount=$auth_resp_failcount&X-Lasso-Token=$auth_resp_jwt&error=$auth_resp_err;
    }
    location / {
        proxy_pass http://ds;
        proxy_set_header X-Lasso-User $auth_resp_x_lasso_user;
        proxy_set_header X-test mytest;
    }
}
My x-test header gets through fine. But I see no X-Lasso-User in the proxied server, hence my fear that $auth_resp_x_lasso_user isn't populated.
from vouch-proxy.
To verify that the X-Lasso-User header is being set, you can browse directly to https://myserver:9090/validate after having logged in once.
from vouch-proxy.
So glad that worked, feels like an nginx quirk that should be better documented. My suspicion is that any variables set in a block below / (such as /validate in this case) are not available to other locations that are above it. However, why it works for the @error401 case doesn't seem to be consistent with that notion. Perhaps there's a bug in the overall data structure that the location directives get interpreted into at runtime.
from vouch-proxy.
Out of interest: Are there other pieces of information (last name etc) that lasso surfaces back into nginx that we can pass on upstream in headers?
from vouch-proxy.
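As an added check (not code from this thread or from vouch-proxy), a small Python script that parses an nginx config and flags proxy_set_header lines using $auth_* variables in a location that has no auth_request_set for them, which is the layout that left X-Lasso-User empty above. The sample config is constructed in the shape of the thread's, and the check assumes auth_request_set is declared per location rather than inherited from the server block.

```python
import re

# Constructed sample in the shape of the thread's config: auth_request_set sits
# only in "location = /validate" while "location /" consumes the variable.
BROKEN_CONF = """server {
    auth_request /validate;
    location = /validate {
        auth_request_set $auth_resp_x_lasso_user $upstream_http_x_lasso_user;
    }
    location / {
        proxy_pass http://ds;
        proxy_set_header X-Lasso-User $auth_resp_x_lasso_user;
    }
}"""
# The fix from the thread: repeat auth_request_set inside "location /".
FIXED_CONF = BROKEN_CONF.replace(
    "proxy_pass http://ds;",
    "auth_request_set $auth_resp_x_lasso_user $upstream_http_x_lasso_user;\n"
    "        proxy_pass http://ds;")

def parse_blocks(text):
    """Return (header, [directives]) for each location block; a brace stack
    keeps nested blocks' directives separate from their parent's."""
    blocks, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append((line[:-1].strip(), []))
        elif line == "}":
            head, directives = stack.pop()
            if head.startswith("location"):
                blocks.append((head, directives))
        elif stack:
            stack[-1][1].append(line)
    return blocks

def find_unset_auth_vars(text):
    """Map each location to the $auth_* variables its proxy_set_header lines use
    without an auth_request_set there (server-level inheritance is not tracked)."""
    problems = {}
    for head, directives in parse_blocks(text):
        defined = {d.split()[1].rstrip(";") for d in directives
                   if d.startswith("auth_request_set")}
        used = {v for d in directives if d.startswith("proxy_set_header")
                for v in re.findall(r"\$auth_\w+", d)}
        missing = sorted(used - defined)
        if missing:
            problems[head] = missing
    return problems
```

Run it against a real nginx.conf by reading the file into a string and passing it to find_unset_auth_vars; an empty dict means every location that forwards an $auth_* header also declares it.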