Dear Friends,
Today I released my work of almost six months on SSO - Single Sign-On Module. This is a Lua-based module which works with nginx. I have used my own nginx build, but this should work with OpenResty without any issue.
I want to thank agentzh for the support he provided in resolving my queries, no matter how silly they were. Thanks agentzh.
The module uses the access_by_lua_file directive to do its magic. The access_by_lua_file is a Lua script which fires some internal requests to verify the cookie information stored in the database and then allows the request.
I have used drizzle and rds_json to do the query. I adopted a slightly different approach by making some internal endpoints which were a kind of database layer where I fire a query and get a response. I have used the simple string.find function to parse JSON. Though I was tempted to use a library, I wanted to make it in pure Lua. Finally, some intelligent use of brackets gave me a way to parse the JSON efficiently. In all cases I am aware what JSON I am going to get, so combining knowledge of regex and Lua I was able to parse the JSON without any libraries.
The module checks for the cookie on every request, and it also checks for apps which are authorised to a user. If no valid app is found it just dumps the user back at login.
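An added illustration of the access-phase flow described above (example code written for this post, not the author's module): an access_by_lua_file script that fires a subrequest to an internal drizzle/rds_json endpoint, parses the returned JSON rows with Lua patterns only, and sends the user back to login when the cookie or the app check fails. The cookie name sso, the internal location /_session and its column names user_id and app, the $app_name nginx variable and the /login URL are all assumptions.

```lua
-- Added example, not the announced module's code. Assumptions: the SSO
-- cookie is named "sso"; an internal location /_session runs a drizzle
-- query with "rds_json on;" and returns a JSON array of rows such as
-- [{"user_id":42,"app":"wiki"}] or [] when the cookie is unknown; the
-- current application is named in nginx with `set $app_name wiki;`.
-- The internal location must quote the cookie value before it reaches
-- SQL (for example with set_quote_sql_str from ngx_set_misc).

local cookie = ngx.var.cookie_sso
local login_url = "/login?next=" .. ngx.escape_uri(ngx.var.request_uri)

-- No cookie, or one with characters a session id never contains:
-- straight back to the login page.
if not cookie or not cookie:match("^[%w%-_]+$") then
    return ngx.redirect(login_url)
end

-- Subrequest to the database-layer endpoint (internal, never exposed).
local res = ngx.location.capture("/_session", { args = { sid = cookie } })
if res.status ~= ngx.HTTP_OK then
    ngx.log(ngx.ERR, "session lookup failed: ", res.status)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Parse the rds_json result without a JSON library: %b{} walks each
-- balanced {...} row object, then the fields are pulled out by pattern.
-- rds_json emits numeric columns unquoted and strings quoted, so the
-- user_id pattern tolerates both forms.
local user_id
local app_allowed = false
for row in res.body:gmatch("%b{}") do
    local uid = row:match('"user_id"%s*:%s*"?(%w+)"?')
    local app = row:match('"app"%s*:%s*"([^"]*)"')
    user_id = user_id or uid
    if app == ngx.var.app_name then
        app_allowed = true
    end
end

-- Unknown cookie, or a valid session with no grant for this app:
-- dump the user back at login, as the post describes.
if not user_id or not app_allowed then
    return ngx.redirect(login_url)
end

-- Hand the verified identity to the upstream application.
ngx.req.set_header("X-SSO-User", user_id)
```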
Using this module we are even able to protect the HTML website and other document pages in our intranet by adding this module on each endpoint.
We are currently working on and testing the integration of this module with PHP, using PHPSESSID as the cookie and using the session information from PHP and Lua together. The idea is to convert high-load endpoints into Lua and keep the ones with a lot of business logic in PHP. This gives us immense flexibility, as we can continue using the old PHP code and everything in PHP but convert the high-load endpoints in PHP. The only prerequisite in this case is to use database storage for session information, which we find in high-load cases does not matter much, especially if you deploy on a CDN.
The final phase which I have to start is using SAML for granting access. I would love to get some help on this. If we integrate SAML in this module then this will be on par with any commercial SSO solution.
Needless to say, this module can be easily customised to become a Web Application Firewall. You can define a list of banned hosts in the database and let the session endpoint check that as well. All you need to do is modify the query in MySQL and pass the real IP to the backend.
Do let me know your feedback, suggestions and improvements. If anyone needs help in installing and testing then let me know, I am around.
The whole code is available here
Thanks everyone and especially agentzh.