
OAuth2

Last modified by Jeff McDonald on 2021/11/26 15:25

Tips for enabling OAuth2

https://docs.github.com/en/developers/apps/authorizing-oauth-apps

https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/

https://github.com/nginxinc/NGINX-Demos/tree/master/oauth2-token-introspection-plus

Install NGINX Plus

https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-plus/

Load Modules

https://docs.nginx.com/nginx/admin-guide/dynamic-modules/nginscript/

# Installs the njs (nginScript) dynamic module package for NGINX Plus; the two load_module lines below assume it is present.
yum install nginx-plus-module-njs

Edit "nginx.conf":

# njs for the http context; required by the js_include / js_content directives used further down.
load_module modules/ngx_http_js_module.so;
# njs for the stream context; the configuration on this page is http-only, so this line can be
# omitted unless a stream {} block also uses njs.
load_module modules/ngx_stream_js_module.so;

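Install "oauth2.js" in the "conf.d" directory. Edit the 'nginx.conf' file (frontend.conf):

# The token introspection handler (introspectAccessToken) lives in conf.d/oauth2.js.
# Newer njs releases replace js_include with js_import; if your build rejects this
# directive, switch to js_import and reference the handler as <module>.introspectAccessToken.
js_include conf.d/oauth2.js;

# Extract the bearer token from the Authorization header. Any other scheme is passed
# through verbatim and is sent to the introspection endpoint as-is.
map $http_authorization $access_token {
    "~*^bearer (.*)$" $1;
    default           $http_authorization;
}

# timeout defines how long to cache an introspection result. A cached result stays
# valid for the whole timeout even if the token is revoked upstream, so keep it short.
keyval_zone zone=access_tokens:10m timeout=1m;
keyval $access_token $token_data zone=access_tokens;

server {
    listen 80;

    # OAuth 2.0 Token Introspection configuration
    resolver 8.8.8.8;                      # For DNS lookup of OAuth server (public resolver; prefer an internal one)
    subrequest_output_buffer_size 16k;     # To fit a complete response from OAuth server
    # Debug logging writes request headers, including the bearer token, to the error log.
    # Leave it disabled except while diagnosing introspection problems.
    #error_log /var/log/nginx/error.log debug;

    #set $access_token $http_apikey;       # Where to find the token. Remove when using Authorization header

    # NOTE(review): /login/oauth/authorize is GitHub's interactive authorization endpoint,
    # not an RFC 7662 token introspection endpoint; the form-encoded POST built below will
    # not receive the JSON that introspectAccessToken() expects. Point this at your
    # authorization server's introspection endpoint. (GitHub OAuth apps do have a token
    # check endpoint under the REST API, but its response shape differs from RFC 7662,
    # so oauth2.js would need adapting as well.)
    set $oauth_token_endpoint "https://github.com/login/oauth/authorize";
    set $oauth_token_hint "access_token";                 # E.g. access_token, refresh_token
    set $oauth_client_id "5e91413f756a120b475b";          # Will use HTTP Basic authentication unless empty
    # Never publish the real secret on this page or in version control; inject it from a
    # secret store at deploy time.
    set $oauth_client_secret "<CLIENT_SECRET_PLACEHOLDER>";  # If id is empty this will be used as a bearer token

    location / {
        auth_request /_oauth2_token_introspection;

        # Any member of the token introspection response is available as $sent_http_oauth_member
        #auth_request_set $username $sent_http_oauth_username;
        #proxy_set_header X-Username $username;

        proxy_pass http://my_backend;
    }

    location = /_oauth2_token_introspection {
        # This location implements an auth_request server that uses the JavaScript
        # module to perform the token introspection request.
        internal;
        js_content introspectAccessToken;
    }

    location = /_oauth2_send_introspection_request {
        # This location is called by introspectAccessToken(). We use the proxy_
        # directives to construct an OAuth 2.0 token introspection request, as per:
        # https://tools.ietf.org/html/rfc7662#section-2
        internal;
        gunzip on;                                        # Decompress if necessary
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_method POST;
        # Client credential for the introspection endpoint; presumably built by
        # introspectAccessToken() from $oauth_client_id / $oauth_client_secret.
        proxy_set_header Authorization $arg_authorization;
        proxy_set_body "token=$arg_token&token_hint=$oauth_token_hint";
        # proxy_ssl_verify defaults to off, so without these lines the introspection
        # request accepts whatever certificate the endpoint presents.
        proxy_ssl_verify on;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;
        proxy_pass $oauth_token_endpoint;
    }
}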