OAuth2
Tips for enabling OAuth2
https://docs.github.com/en/developers/apps/authorizing-oauth-apps
https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/
https://github.com/nginxinc/NGINX-Demos/tree/master/oauth2-token-introspection-plus
Install NGINX Plus
https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-plus/
Load Modules
yum install nginx-plus-module-njs
Edit "nginx.conf":
load_module modules/ngx_http_js_module.so; load_module modules/ngx_stream_js_module.so;
Install "oauth2.js" in "conf.d" directory.
Edit 'nginx.conf' file:
frontend.conf
js_include conf.d/oauth2.js;
map $http_authorization $access_token {
"~*^bearer (.*)$" $1;
default $http_authorization;
}
keyval_zone zone=access_tokens:10m timeout=1m; # timeout defines how long to cache
keyval $access_token $token_data zone=access_tokens;
server {
listen 80;
# OAuth 2.0 Token Introspection configuration
resolver 8.8.8.8; # For DNS lookup of OAuth server
subrequest_output_buffer_size 16k; # To fit a complete response from OAuth server
error_log /var/log/nginx/error.log debug; # Enable to see introspection details
#set $access_token $http_apikey; # Where to find the token. Remove when using Authorization header
set $oauth_token_endpoint "https://github.com/login/oauth/authorize";
set $oauth_token_hint "access_token"; # E.g. access_token, refresh_token
set $oauth_client_id "5e91413f756a120b475b"; # Will use HTTP Basic authentication unless empty
set $oauth_client_secret "eea2b1af2c4975f5cff79aa578b8bf0e16a70bcd"; # If id is empty this will be used as a bearer token
location / {
auth_request /_oauth2_token_introspection;
# Any member of the token introspection response is available as $sent_http_oauth_member
#auth_request_set $username $sent_http_oauth_username;
#proxy_set_header X-Username $username;
proxy_pass http://my_backend;
}
location = /_oauth2_token_introspection {
# This location implements an auth_request server that uses the JavaScript
# module to perform the token introspection request.
internal;
js_content introspectAccessToken;
}
location = /_oauth2_send_introspection_request {
# This location is called by introspectAccessToken(). We use the proxy_
# directives to construct an OAuth 2.0 token introspection request, as per:
# https://tools.ietf.org/html/rfc7662#section-2
internal;
gunzip on; # Decompress if necessary
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_method POST;
proxy_set_header Authorization $arg_authorization;
proxy_set_body "token=$arg_token&token_hint=$oauth_token_hint";
proxy_pass $oauth_token_endpoint;
}
}