https://github.com/fabriziofiorucci/nginx-api-gw
An enhanced NGINX Plus-based API Gateway deployment with dynamic OIDC idP selection
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/fabriziofiorucci/nginx-api-gw
- Owner: fabriziofiorucci
- License: gpl-3.0
- Created: 2021-03-24T13:28:33.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-05-05T10:03:15.000Z (over 2 years ago)
- Last Synced: 2025-04-20T12:41:15.641Z (6 months ago)
- Topics: authn, authz, gateway-api, nginx, oidc, rest-api
- Language: Python
- Homepage:
- Size: 97.7 KB
- Stars: 6
- Watchers: 3
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# NGINX Plus API Gateway
## Description
This code is based on https://docs.nginx.com/nginx/deployment-guides/single-sign-on/
The original deployment guide selects the OIDC IdP by FQDN. This repository adds a number of changes and enhancements on top of it: dynamic selection among multiple IdPs by URI (map-based setup) or by FQDN + URI (keyval-based setup), authorization, and URI rewriting.
This supports deployments where all published REST APIs share a common FQDN (i.e. http(s)://api.ff.lan/) and must be dispatched on the first URI token, that is:
```
http://api.ff.lan/testapi-1/tasks -> this gets authenticated by IdP #1
http://api.ff.lan/testapi-2/tasks -> this gets authenticated by IdP #2
```
## Prerequisites
- a Kubernetes or OpenShift cluster
- a private registry to push the NGINX Plus image and the test API images to
- at least one OIDC IdP (e.g. Keycloak, Okta, MS ADFS)
- the NGINX Plus image must be built with support for JavaScript (nginx-plus-module-njs) and Lua (nginx-plus-module-lua)
## Building the NGINX Plus image
```
cd nginx-dockerfile
```
Copy your `nginx-repo.crt` and `nginx-repo.key` (the NGINX Plus repository certificate and key) to the local directory, then build and push the image:
```
docker build --no-cache -t YOUR_PRIVATE_REGISTRY/nginxplus-js-lua:TAG .
docker push YOUR_PRIVATE_REGISTRY/nginxplus-js-lua:TAG
```
## Current and upcoming features
- [X] per-URI OIDC IdP selection (endpoints, client ID, client secret, ...) based on NGINX `map` blocks
- [X] per-FQDN/URI OIDC IdP selection (endpoints, client ID, client secret, ...) based on NGINX `keyval_zone`
- [X] per-FQDN/URI, per-REST API function HTTP method filtering
- [X] per-FQDN/URI REST API function quota
- [X] URI rewriting support
## Deployment types
- [Based on NGINX maps](manifests-map)
- [Based on NGINX keyval zones and REST APIs](manifests-keyval)
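To make the map-based, per-URI IdP selection described above concrete, here is an added NGINX configuration fragment. It is an illustration written for this page, not code from the repository's `manifests-map` directory. It derives the API name from the first URI token, resolves it to one IdP's parameters, applies per-API HTTP method filtering, and strips the prefix before proxying (URI rewriting). The `$oidc_*` variable names and the `/_jwks_uri`, `@do_oidc_flow` and `$session_jwt` names follow the NGINX OpenID Connect reference implementation that the deployment guide builds on and are assumed to be included from it; the IdP URLs, client IDs, client secrets, certificate paths and upstream hostnames are placeholders.

```nginx
# Added example (not from the repository): per-URI OIDC IdP selection with
# NGINX "map" blocks for REST APIs that all share one FQDN (api.ff.lan).
# Assumes the reference implementation's openid_connect_configuration.conf
# (keyval zones such as $session_jwt, js_import) is loaded in the http
# context; these maps replace its $host-keyed ones.

# 1. Classify the request by its first URI token.
#    $uri is the normalised URI (percent-decoded, dot-segments resolved), so
#    "/testapi-1/../testapi-2/tasks" is classified as testapi-2, the same path
#    the backend will eventually see.
map $uri $api_name {
    ~^/(?<first>[^/]+)(/|$)   $first;
    default                   "";
}

# 2. Resolve the API name to IdP parameters. "default" is deliberately empty
#    so an unknown prefix fails closed instead of inheriting IdP #1.
map $api_name $oidc_authz_endpoint {
    testapi-1  https://idp1.example.com/realms/api1/protocol/openid-connect/auth;
    testapi-2  https://idp2.example.com/oauth2/v1/authorize;
    default    "";
}
map $api_name $oidc_token_endpoint {
    testapi-1  https://idp1.example.com/realms/api1/protocol/openid-connect/token;
    testapi-2  https://idp2.example.com/oauth2/v1/token;
    default    "";
}
map $api_name $oidc_jwt_keyfile {
    testapi-1  https://idp1.example.com/realms/api1/protocol/openid-connect/certs;
    testapi-2  https://idp2.example.com/oauth2/v1/keys;
    default    "";
}
map $api_name $oidc_client {
    testapi-1  api1-gateway;
    testapi-2  api2-gateway;
    default    "";
}
map $api_name $oidc_client_secret {
    # Placeholders: in a real manifest these come from a Kubernetes Secret,
    # not from a ConfigMap committed to git.
    testapi-1  "REPLACE_WITH_API1_CLIENT_SECRET";
    testapi-2  "REPLACE_WITH_API2_CLIENT_SECRET";
    default    "";
}

# 3. Per-API HTTP method allow-list (the authorization step). Anything not
#    listed is rejected with 405 below.
map "$api_name:$request_method" $method_allowed {
    "testapi-1:GET"   1;
    "testapi-1:POST"  1;
    "testapi-2:GET"   1;
    default           0;
}

# Upstream group names match the API names so proxy_pass can use $api_name.
upstream testapi-1 { server testapi-1.default.svc.cluster.local:8080; }
upstream testapi-2 { server testapi-2.default.svc.cluster.local:8080; }

server {
    listen 443 ssl;
    server_name api.ff.lan;
    ssl_certificate     /etc/ssl/api.ff.lan.crt;   # placeholder
    ssl_certificate_key /etc/ssl/api.ff.lan.key;   # placeholder

    # OIDC flow locations (@do_oidc_flow, /_codexch, /_jwks_uri, ...) from
    # the reference implementation, included as in the deployment guide.
    include conf.d/openid_connect.server_conf;

    location / {
        # Unknown prefix: every $oidc_* variable is empty, so refuse here
        # rather than start an OIDC flow against an empty endpoint.
        if ($api_name = "") { return 404; }
        if ($method_allowed = 0) { return 405; }

        # Validate the session's ID token against the selected IdP's JWKS;
        # a missing or invalid token starts the authorization-code flow.
        auth_jwt "" token=$session_jwt;
        auth_jwt_key_request /_jwks_uri;
        error_page 401 = @do_oidc_flow;

        # URI rewriting: strip the API prefix, so the backend receives
        # /tasks instead of /testapi-1/tasks.
        rewrite ^/[^/]+(/.*)$ $1 break;
        proxy_pass http://$api_name;
    }
}
```

Two things to check before using a fragment like this. First, the maps are evaluated per request, and the authorization-code callback to `/_codexch` carries no API prefix, so `$oidc_token_endpoint` would be empty during the token exchange; a working deployment must carry the chosen IdP through the flow (for example in the `state` value or a session keyval), which this fragment does not do. Second, `auth_jwt_key_request` fetches the JWKS of whichever IdP the current URI maps to, so a session established with IdP #1 is correctly rejected on `/testapi-2/...` and re-authenticated there rather than being accepted on the strength of IdP #1's signature.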