Custom auth

haizaar · 2018-07-19T20:17:21+00:00

It's a Consul config option, why would it be in the Openresty container?You need to configure it on your Consul agent.On Thursday, 19 July 2018 11:06:25...

Custom auth

haizaar

Good day guys,

I would like to implement custom auth proxy. I'm new to Lua and openresty but have some experience with nginx.

The auth flow I need to implement is as follows:

For each incoming request:

Fetch auth token from a cookie (not header)
Call our internal HTTP REST service (no auth) to convert token to user id, and then another call to fetch capabilities for the user (JSON response)
Lookup for a presence of a certain capability - if exists, forward request to upstream, otherwise - fancy 404 message

Additional requirements:

Cache token->capabilities to speedup processing of the next requests
Select upstream based on the value of Host header in the request

I've spent some time researching openresty, but I can't find some basic infrastructure/flow documentation that explains the basic principals. Is it missing or am I just using wrong keywords?

Libraries wise, I'm looking at lua-resty-mlcache and it looks like it's all I need auth-wise; and I can do capabilities fetching in it's "callback" layer. What do you think?

Any links / tips / suggestions are highly welcomed.

In return I promise to write a detailed tutorial and publish it back to the community :)

Thanks in advance,

Zaar

peter_booth

I’d recommend that you look at the open source aprereo CAS system which means get just meet me our needs output of the box.

Sent from my iPhone

On Jul 19, 2018, at 8:17 AM, Zaar Hai <hai...@gmail.com> wrote:

Good day guys,

I would like to implement custom auth proxy. I'm new to Lua and openresty but have some experience with nginx.

The auth flow I need to implement is as follows:
For each incoming request:
Fetch auth token from a cookie (not header)
Call our internal HTTP REST service (no auth) to convert token to user id, and then another call to fetch capabilities for the user (JSON response)
Lookup for a presence of a certain capability - if exists, forward request to upstream, otherwise - fancy 404 message
Additional requirements:
Cache token->capabilities to speedup processing of the next requests
Select upstream based on the value of Host header in the request
I've spent some time researching openresty, but I can't find some basic infrastructure/flow documentation that explains the basic principals. Is it missing or am I just using wrong keywords?

Libraries wise, I'm looking at lua-resty-mlcache and it looks like it's all I need auth-wise; and I can do capabilities fetching in it's "callback" layer. What do you think?

Any links / tips / suggestions are highly welcomed.

In return I promise to write a detailed tutorial and publish it back to the community :)

Thanks in advance,
Zaar

.

haizaar

Looks like aprereo CAS provides a great auth infrastructure if one wants to use existing protocols it provides.

I need something: a) custom, b) simple :)

Thanks for the hint though - I was not familiar with CAS.

On Friday, 20 July 2018 02:37:03 UTC+10, Peter Booth wrote:

I’d recommend that you look at the open source aprereo CAS system which means get just meet me our needs output of the box.

Sent from my iPhone

On Jul 19, 2018, at 8:17 AM, Zaar Hai <hai...@gmail.com> wrote:

Good day guys,

I would like to implement custom auth proxy. I'm new to Lua and openresty but have some experience with nginx.

The auth flow I need to implement is as follows:
For each incoming request:
Fetch auth token from a cookie (not header)
Call our internal HTTP REST service (no auth) to convert token to user id, and then another call to fetch capabilities for the user (JSON response)
Lookup for a presence of a certain capability - if exists, forward request to upstream, otherwise - fancy 404 message
Additional requirements:
Cache token->capabilities to speedup processing of the next requests
Select upstream based on the value of Host header in the request
I've spent some time researching openresty, but I can't find some basic infrastructure/flow documentation that explains the basic principals. Is it missing or am I just using wrong keywords?

Libraries wise, I'm looking at lua-resty-mlcache and it looks like it's all I need auth-wise; and I can do capabilities fetching in it's "callback" layer. What do you think?

Any links / tips / suggestions are highly welcomed.

In return I promise to write a detailed tutorial and publish it back to the community :)

Thanks in advance,
Zaar

.

piotrprz

Your auth flow can be realized within access_by_lua_block. You can read cookie from nginx variable and use lua-resty-http for contacting your REST service. lua-resty-mlcache is a good choice for easily cache'ing your token->capabilities map.

For selecting upstream - if it's something simple then you can just set it's address, or an upstream block name, in an nginx variable and use it in proxy_pass. Then nginx "map" directive or a short lua snippet should be enough. If it's something more advanced then balance_by_lua_block may be a better choice.

W dniu piątek, 20 lipca 2018 15:14:33 UTC+2 użytkownik Zaar Hai napisał:

Looks like aprereo CAS provides a great auth infrastructure if one wants to use existing protocols it provides.
I need something: a) custom, b) simple :)

Thanks for the hint though - I was not familiar with CAS.

On Friday, 20 July 2018 02:37:03 UTC+10, Peter Booth wrote:
I’d recommend that you look at the open source aprereo CAS system which means get just meet me our needs output of the box.

Sent from my iPhone

On Jul 19, 2018, at 8:17 AM, Zaar Hai <hai...@gmail.com> wrote:

Good day guys,

I would like to implement custom auth proxy. I'm new to Lua and openresty but have some experience with nginx.

The auth flow I need to implement is as follows:
For each incoming request:
Fetch auth token from a cookie (not header)
Call our internal HTTP REST service (no auth) to convert token to user id, and then another call to fetch capabilities for the user (JSON response)
Lookup for a presence of a certain capability - if exists, forward request to upstream, otherwise - fancy 404 message
Additional requirements:
Cache token->capabilities to speedup processing of the next requests
Select upstream based on the value of Host header in the request
I've spent some time researching openresty, but I can't find some basic infrastructure/flow documentation that explains the basic principals. Is it missing or am I just using wrong keywords?

Libraries wise, I'm looking at lua-resty-mlcache and it looks like it's all I need auth-wise; and I can do capabilities fetching in it's "callback" layer. What do you think?

Any links / tips / suggestions are highly welcomed.

In return I promise to write a detailed tutorial and publish it back to the community :)

Thanks in advance,
Zaar

.

haizaar

Great. Thanks for the help! I managed to code prototype in less than 100 lines of code (including caching).

The promised guide is on the way :)

On Saturday, 21 July 2018 08:31:10 UTC+10, Piotr Przybylski wrote:

Your auth flow can be realized within access_by_lua_block. You can read cookie from nginx variable and use lua-resty-http for contacting your REST service. lua-resty-mlcache is a good choice for easily cache'ing your token->capabilities map.

For selecting upstream - if it's something simple then you can just set it's address, or an upstream block name, in an nginx variable and use it in proxy_pass. Then nginx "map" directive or a short lua snippet should be enough. If it's something more advanced then balance_by_lua_block may be a better choice.

W dniu piątek, 20 lipca 2018 15:14:33 UTC+2 użytkownik Zaar Hai napisał:
Looks like aprereo CAS provides a great auth infrastructure if one wants to use existing protocols it provides.
I need something: a) custom, b) simple :)

Thanks for the hint though - I was not familiar with CAS.

On Friday, 20 July 2018 02:37:03 UTC+10, Peter Booth wrote:
I’d recommend that you look at the open source aprereo CAS system which means get just meet me our needs output of the box.

Sent from my iPhone

On Jul 19, 2018, at 8:17 AM, Zaar Hai <hai...@gmail.com> wrote:

Good day guys,

I would like to implement custom auth proxy. I'm new to Lua and openresty but have some experience with nginx.

The auth flow I need to implement is as follows:
For each incoming request:
Fetch auth token from a cookie (not header)
Call our internal HTTP REST service (no auth) to convert token to user id, and then another call to fetch capabilities for the user (JSON response)
Lookup for a presence of a certain capability - if exists, forward request to upstream, otherwise - fancy 404 message
Additional requirements:
Cache token->capabilities to speedup processing of the next requests
Select upstream based on the value of Host header in the request
I've spent some time researching openresty, but I can't find some basic infrastructure/flow documentation that explains the basic principals. Is it missing or am I just using wrong keywords?

Libraries wise, I'm looking at lua-resty-mlcache and it looks like it's all I need auth-wise; and I can do capabilities fetching in it's "callback" layer. What do you think?

Any links / tips / suggestions are highly welcomed.

In return I promise to write a detailed tutorial and publish it back to the community :)

Thanks in advance,
Zaar

.