https://github.com/OpenIDC/ngx_oauth2_module

OAuth 2.x Resource Server module for NGINX
https://github.com/OpenIDC/ngx_oauth2_module

c nginx nginx-module oauth oauth2 oauth2-resource-server

Last synced: 7 days ago
JSON representation

OAuth 2.x Resource Server module for NGINX

• Host: GitHub
• URL: https://github.com/OpenIDC/ngx_oauth2_module
• Owner: OpenIDC
• License: apache-2.0
• Created: 2019-03-22T11:03:00.000Z (almost 6 years ago)
• Default Branch: master
• Last Pushed: 2024-08-22T11:34:15.000Z (6 months ago)
• Last Synced: 2024-08-22T13:02:52.382Z (6 months ago)
• Topics: c, nginx, nginx-module, oauth, oauth2, oauth2-resource-server
• Language: M4
• Homepage:
• Size: 48.8 KB
• Stars: 15
• Watchers: 5
• Forks: 12
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Changelog: ChangeLog
  • License: LICENSE
  • Authors: AUTHORS

Awesome Lists containing this project

README

        
[![Build Status](https://github.com/OpenIDC/ngx_oauth2_module/actions/workflows/build.yml/badge.svg)](https://github.com/OpenIDC/ngx_oauth2_module/actions/workflows/build.yml)

# ngx_oauth2_module

A module for the NGINX web server that makes NGINX operate as an OAuth 2.0 Resource Server,

validating OAuth 2.0 bearer access tokens and setting headers/environment variables based

on the validation results.

## Configuration 

```

OAuth2TokenVerify [ introspect | jwk_uri | metadata | jwk | plain | base64 | base64url | hex | pem | pubkey | eckey_uri ]  

```

## Samples

```

    #

    # obtain the access token from the authorization header

    #

    map $http_authorization $source_token {

        default "";

        "~*^Bearer\s+(?[\S]+)$" $token;

    }

    map $pfc_introspect_sub $valid_sub {

        "joe"        1;

        "alice"     1;

        "bob"      1;

        "~admin_.+"      1;  #allow

        "~student_.+"    0;  # deny

        default    0; # default to deny

    }

    server {

        listen       7070;

        server_name  nginx;

        #

        # introspection with a sample "require sub=joe" authorization expression

        #

        location /oauth2/pingfed/introspect {

            OAuth2TokenVerify $source_token introspect 

                https://pingfed:9031/as/introspect.oauth2

                introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate;

            OAuth2Claim sub $pfc_introspect_sub;

            OAuth2Claim username $pfc_introspect_username;

            OAuth2Claim active $pfc_introspect_active;

        	OAuth2Require $valid_sub;            

            proxy_set_header OAUTH2_CLAIM_sub $pfc_introspect_sub;

            proxy_set_header OAUTH2_CLAIM_username $pfc_introspect_username;

            proxy_set_header OAUTH2_CLAIM_active $pfc_introspect_active;

            proxy_pass http://echo:8080/headers$is_args$args;

        }

        #

        # local validation from a  provided jwks_uri

        #

        

        location /oauth2/pingfed/jwks_uri {

            OAuth2TokenVerify $source_token jwks_uri

            	https://pingfed:9031/ext/one

            	jwks_uri.ssl_verify=false;

            OAuth2Claim sub $pfc_jwks_uri_sub;

            OAuth2Claim username $pfc_jwks_uri_username;

            OAuth2Claim active $pfc_jwks_uri_active;

            proxy_set_header OAUTH2_CLAIM_sub $pfc_jwks_uri_sub;

            proxy_set_header OAUTH2_CLAIM_username $pfc_jwks_uri_username;

            proxy_set_header OAUTH2_CLAIM_active $pfc_jwks_uri_active;

            proxy_pass http://echo:8080/headers$is_args$args;

        }

        #

        # local validation from a provided jwk

        #

        

        # when using RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens with liboauth2 >= 1.6.1

		ssl_verify_client optional_no_ca;

        location /oauth2/pingfed/jwk {

			OAuth2TokenVerify $source_token jwk 

				"{	\"kty\":\"RSA\",

					\"kid\":\"one\",

					\"use\":\"sig\",

					\"n\":\"12SBWV_4xU8sBEC2IXcakiDe3IrrUcnIHexfyHG11Kw-EsrZvOy6PrrcqfTr1GcecyWFzQvUr61DWESrZWq96vd08_iTIWIny8pU5dlCoC7FsHU_onUQI1m4gQ3jNr00KhH878vrBVdr_T-zuOYQQOBRMEyFG-I4nb91zO1n2gcpQHeabJw3JIC9g65FCpu8DSw8uXQ1hVfGUDZAK6iwncNZ1uqN4HhRGNevFXT7KVG0cNS8S3oF4AhHafFurheVxh714R2EseTVD_FfLn2QTlCss_73YIJjzn047yKmAx5a9zuun6FKiISnMupGnHShwVoaS695rDmFvj7mvDppMQ\",

					\"e\":\"AQAB\"

				}" type=mtls&mtls.policy=optional;

            OAuth2Claim sub $pfc_jwk_sub;

            OAuth2Claim username $pfc_jwk_username;

            OAuth2Claim active $pfc_jwk_active;

            proxy_set_header OAUTH2_CLAIM_sub $pfc_jwk_sub;

            proxy_set_header OAUTH2_CLAIM_username $pfc_jwk_username;

            proxy_set_header OAUTH2_CLAIM_active $pfc_jwk_active;

            proxy_pass http://echo:8080/headers$is_args$args;

        }

    }      

```

## Support

#### Community Support

For generic questions, see the Wiki pages with Frequently Asked Questions at:  

  [https://github.com/OpenIDC/ngx_oauth2_module/wiki](https://github.com/OpenIDC/ngx_oauth2_module/wiki)  

Any questions/issues should go to issues tracker.

#### Commercial Services

For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:  

  [[email protected]](mailto:[email protected])  

Disclaimer

----------

*This software is open sourced by OpenIDC. For commercial support

you can contact [OpenIDC](https://www.openidc.com) as described above in the [Support](#support) section.*