{"id":15683428,"url":"https://github.com/sorah/nginx_omniauth_adapter","last_synced_at":"2025-10-07T07:46:17.266Z","repository":{"id":45383200,"uuid":"41696884","full_name":"sorah/nginx_omniauth_adapter","owner":"sorah","description":"Use omniauth for nginx auth_request","archived":false,"fork":false,"pushed_at":"2023-04-24T13:29:26.000Z","size":69,"stargazers_count":68,"open_issues_count":0,"forks_count":9,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-08-14T13:20:03.898Z","etag":null,"topics":["authentication","nginx","omniauth","rack","security"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sorah.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-08-31T19:46:04.000Z","updated_at":"2025-03-17T13:20:37.000Z","dependencies_parsed_at":"2024-11-15T03:30:35.723Z","dependency_job_id":"bd685e9b-252f-4b6a-82b9-b5ad29d27977","html_url":"https://github.com/sorah/nginx_omniauth_adapter","commit_stats":{"total_commits":58,"total_committers":4,"mean_commits":14.5,"dds":0.06896551724137934,"last_synced_commit":"40c77d16f4b774114b93fb37abc75ef7b093fece"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/sorah/nginx_omniauth_adapter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fnginx_omniauth_adapter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fnginx_omniauth_adapter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fnginx_omniauth_adapter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fnginx_omniauth_adapter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sorah","download_url":"https://codeload.github.com/sorah/nginx_omniauth_adapter/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sorah%2Fnginx_omniauth_adapter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278740816,"owners_count":26037480,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","nginx","omniauth","rack","security"],"created_at":"2024-10-03T17:05:17.592Z","updated_at":"2025-10-07T07:46:17.241Z","avatar_url":"https://github.com/sorah.png","language":"Ruby","readme":"# NginxOmniauthAdapter - Use omniauth for nginx `auth_request` \n\n[![ci](https://github.com/sorah/nginx_omniauth_adapter/actions/workflows/ci.yml/badge.svg)](https://github.com/sorah/nginx_omniauth_adapter/actions/workflows/ci.yml)\n\nUse [omniauth](https://github.com/intridea/omniauth) for your nginx's authentication via ngx_http_auth_request_module.\n\nNginxOmniauthAdapter provides small Rack app (built with Sinatra) for `auth_request`.\n\n## Prerequisite\n\n- nginx with ngx_http_auth_request_module\n\n## Quick example\n\n```\n$ bundle install\n\n$ cd example/\n$ foreman start\n```\n\nhttp://ngx-auth-test.lo.nkmiusercontent.com:18080/\n\n(make sure to have nginx on your PATH)\n\n## Usage\n\n### Steps\n\n1. Start adapter app with proper configuration\n2. enable `auth_request` and add some endpoints on nginx\n  - See `example/nginx-site.conf` for nginx configuration.\n\n### Running with Rubygems\n\n```ruby\n# Gemfile\ngem 'nginx_omniauth_adapter'\n```\n\nThen write `config.ru` then deploy it. (see ./config.ru for example)\n\n### Using docker\n\n- Prebuilt: https://quay.io/repository/sorah/nginx_omniauth_adapter\n  - Own your risk.\n  - They're built at circleci\n- Build manually: checkout this repo and run `docker build .`.\n  - Much safer.\n  - But if you can't trust upstream image `quay.io/sorah/rbenv:2.2`, write your own Dockerfile. This is just a simple Rack app.\n\n## Configuration\n\nenvironment variable is available only on included config.ru (or Docker image).\n\n- `:providers`: omniauth provider names.\n- `:provider_http_header` `$NGX_OMNIAUTH_PROVIDER_HTTP_HEADER` (string): Name of HTTP header to specify OmniAuth provider to be used (see below). Defaults to 'x-ngx-omniauth-provider`.\n- `:secret` `$NGX_OMNIAUTH_SESSION_SECRET`: Rack session secret. Should be set when not on dev mode\n- `:host` `$NGX_OMNIAUTH_HOST`: URL of adapter. This is used for redirection. Should include protocol (e.g. `http://example.com`.)\n  - If this is not specified, adapter will perform redirect using given `Host` header.\n- `:allowed_app_callback_url` `$NGX_OMNIAUTH_ALLOWED_APP_CALLBACK_URL` (regexp): If specified, URL only matches to this are allowed for app callback url.\n- `:allowed_back_to_url` `$NGX_OMNIAUTH_ALLOWED_BACK_TO_URL` (regexp): If specified, URL only matches to this are allowed for back_to url.\n- `:app_refresh_interval` `NGX_OMNIAUTH_APP_REFRESH_INTERVAL` (integer): Interval to require refresh session cookie on app domain (in second, default 1 day).\n- `:adapter_refresh_interval` `NGX_OMNIAUTH_ADAPTER_REFRESH_INTERVAL` (integer): Interval to require re-logging in on adapter domain (in second, default 3 days).\n\n### Working with multiple OmniAuth providers\n\nWhen multiple providers are passed to `:providers`, nginx_omniauth_adapter defaults to the first one in list.\nOther providers in list will only be activated for requests with `x-ngx-omniauth-provider` header (key is configurable via `:provider_http_header`).\n\n### Included config.ru (or Docker)\n\nYou can set configuration via environment variables.\n\nThe following variables are only available on included config.ru:\n\n- `$NGX_OMNIAUTH_SESSION_COOKIE_NAME`: session cookie name (default `ngx_omniauth`)\n- `$NGX_OMNIAUTH_SESSION_COOKIE_TIMEOUT`: session cookie expiry (default 3 days)\n- `$NGX_OMNIAUTH_DEV=1` or `$RACK_ENV=development`\n  - enable dev mode (omniauth developer provider)\n- github provider\n  - `$NGX_OMNIAUTH_GITHUB_KEY`, `$NGX_OMNIAUTH_GITHUB_SECRET`: application key + secret.\n  - `$NGX_OMNIAUTH_GITHUB_HOST`: (optional) Set if you'd like to use GitHub Enterprise instance (e.g. `https://YOUR-GITHUB-ENTERPRISE`)\n  - `$NGX_OMNIAUTH_GITHUB_TEAMS`: (optional) Restrict to specified teams (e.g. `awesomeorganization/owners`)\n- google_oauth2 provider\n  - `$NGX_OMNIAUTH_GOOGLE_KEY`, `$NGX_OMNIAUTH_GOOGLE_SECRET`: oauth2 key + secret.\n  - `$NGX_OMNIAUTH_GOOGLE_HD`: (optional) Restrict to specified hosted domain (Google Apps Domain).\n\n\n\n### Manually (Rack)\n\nIf you're going to write `config.ru` from scratch, make sure:\n\n- OmniAuth is included in middleware stack\n- Rack session is enabled in middleware stack\n\nThen run:\n\n``` ruby\nrun NginxOmniauthAdapter.app(\n  providers: %i(developer),\n  secret: secret_base64, # optional\n  # ... (set more configuration, see above variable list)\n)\n```\n\n## How it works\n\n![](http://img.sorah.jp/2015-10-08_22.55_2s4hy.png)\n\n1. _browser_ access to restricted area (where `auth_request` has enabled)\n2. _nginx_ sends subrequest to `/_auth/challenge`. It will be proxied to _adapter app_ (`GET /test`)\n3. _adapter app_ `/test` returns 401 when _request (browser)_ doesn't have valid cookie\n4. _nginx_ handles 401 with `error_page`, so do internal redirection (`/_auth/initiate`)\n5. _nginx_ handles `/_auth/initiate`. It will be proxied to _adapter app_ `GET /initiate`.\n  - Also _nginx_ passes some information for callback to _adapter app._\n  - `x-ngx-omniauth-initiate-back-to` URL to back after logged in\n  - `x-ngx-omniauth-initiate-callback` URL that proxies to _adapter app_ `/callback`. This must be same domain to _backend app_ for cookie.\n6. _adapter app_ `GET /initiate` redirects to `/auth/:provider`.\n7. _Browser_ do some authenticate in _adapter app_ with Omniauth.\n8. _adapter app's_ omniauth callback sets valid session, then redirects to `/_auth/callback`, where specified at `x-ngx-omniauth-initiate-callback`.\n  - _Adapter app_ gives GET parameter named `session` on redirect. It contains encrypted session.\n9. _nginx_ handles `/_auth/callback`. It will be proxied to _adapter app_ `/callback`.\n  - This decrypts given encrypted session string and set to cookie.\n  - Then redirect to `x-ngx-omniauth-initiate-back-to`.\n10. _browser_ backs to URL where attempted to access first, at step 1.\n11. _nginx_ sends auth subrequest to _backend app_ `/test`.\n12. _backend app_ `/test` returns 200, because request has valid session cookie.\n13. _nginx_ returns response as usual.\n\n## Development\n\nAfter checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.\n\nTo install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/sorah/nginx_omniauth_adapter.\n\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsorah%2Fnginx_omniauth_adapter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsorah%2Fnginx_omniauth_adapter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsorah%2Fnginx_omniauth_adapter/lists"}