How to post a subrequest with a json body to another server from NGINX http request object

Question

Interface with Auth0 requiring a post request with a json body to retrieve the token and set it in the Header Authorization Bearer. I have trouble to set the json body in the subrequest in the nginx js mdoule for the token. Please advice

```
function introspectAccessToken(r) {
    // Prepare Authorization header for the introspection request
    var jsbody = {"grant_type" : "authorization_code",
              "client_id" : r.variables.oauth_client_id,
              "client_secret" : r.variables.oauth_client_secret,
              "code" : r.args_code,
              "redirect_uri":"http://office.etag-hk.com/login"};
    var jsString = JSON.stringify(jsbody);
    r.RequestBuffer = jsString;
    // Make the OAuth 2.0 Token Introspection request
    r.error("OAuth jsbody: " + jsString);
    r.subrequest("/_oauth2_send_introspection_request",
        function(reply) {
           if (reply.status != 200) {
               r.error("OAuth unexpected response from authorization server (HTTP " + reply.status + 
            "). " + reply.body);
                r.return(401);
            }

Thanks

Answer 1

I am doing something very similar and just got it 'mostly' working the way I would like just yesterday.

Disclosure: I am a NUBE to NGINX. I am posting what I did hopefully to help you, and to get any feedback on how I can make improvements.

My Use Case: I have many clients requesting data from a backend server. I need to cache the responses to reduce load on the backend, as well as authenticate to the backend server for the client. The NGINX server will manage the ID/PWD and Token, the clients will just make requests. On the very first request, or when the token expires, NGINX needs to get a fresh token. The authentication is completed with a POST request, passing the ID and Password in a JSON body.

I would like the client never to see 401. I am using the NGINX JavaScript module as you are.

I turned off caching for now to make sure I have the authentication working.

Javascript:

function introspectAccessToken(r)
{
    r.log("introspectAccessToken - make a subrequest to _oauth2_send_request");

    // Request Internal location "SEND REQUEST"
    r.subrequest("/_oauth2_send_request",
    { method: 'POST',
      body: JSON.stringify({ userName: "SERVICEID", password: "correcthorsebatterystaple" })
    },
    function(reply)
    {
       …

My body is static and for the moment, I have the ID and password in clear text in the code which is not ideal. I like how you built your body up in a variable. I think you need to put the jsString in your subrequest call rather than setting r.RequestBuffer.

In my.Conf file:

location /_oauth2_send_request {
    internal;
    proxy_method      POST;
    proxy_set_header accept "application/json";
    proxy_set_header Content-Type "application/json";
    proxy_pass https://backend.company.com/login;
}

The token is returned in the body. I parse the body and get the token data. Initially I attempted to get the token with:

js_set    $token   myJavaScript.getToken;

in the config, but r.subrequest is an asynchronous call and that is not allowed in a variable handler.
So, I 'punted' and wrote the token data to a file. This may be a BIG ERROR on my part, but it helped me to getting it to work.

Here is more of my javascript:

function(reply)
{
    if (reply.status == 200)
    {
        r.log("introspectAccessToken: POST status:" + reply.status);
        var response = JSON.parse(reply.responseBody);
        var token = response["data"];
        // Write the Token to a file -- to be read later.
        writeToken(token);
        return(200);
    else
    {
        r.log("introspectAccessToken: failed POST status:" + reply.status);
        r.return(401);
    }
});

Now that the token is in a file, I can use the variable handler to read the file ( synchronously ) and return the token data. Conf file.

js_set $myToken myJavaScript.readToken;

Where I struggled for some time was getting the initial 401 authorized redirected back to NGINX and not to the client. The directive error_page 401, in many different formats, simply did not seem to work and I even read in blogs and posts that it wouldn't work, but in others examples claiming it did work. What I think was key was the line: proxy_intercept_errors on;

After adding that, the initial 401 unauthorized error was redirected: error_page 401 = @Unauthorized;

What I have now is as follows: 1: Client makes initial GET request to get some data. The readToken function returns an empty string because token file does not exist. The response from the backend is "401 Unauthorized". 2: The 401 is redirected, and the javascript makes a subrequest to the login with the ID/PWD. 3: The response is parsed and the token is written to the file. 4: ??? The client gets a 404 Not Found code. This is what I want to improve. I would like another attempt made to the backend with the new token. 5: Failing on the first attempt, the client performs a retry. Now with a saved token on the NGINX server, the request is successful.

My full conf file:

# Location of JavaScript code
js_import ./javascript/myJavaScript.js;

js_set $myToken myJavaScript.readToken;

server
{
    listen 80;

    access_log /var/log/nginx/access.log main1;

    # This is run for every request.
    location / {
        # Make an Internal Redirect if Not Authorized.
        proxy_intercept_errors on;
        error_page 401 = @Unauthorized;

        proxy_set_header accept "application/json";
        proxy_set_header Content-Type "application/json";
        proxy_set_header Authorization $myToken;
        proxy_pass https://backend.company.com;

    }

    location  @Unauthorized {
        internal;
        auth_request /_oauth2_token_introspection;
    }

    location = /_oauth2_token_introspection {
        internal;
        # Calls the javascript function
        js_content myJavaScript.introspectAccessToken;
    }

    # Location in javascript subrequest.
    location /_oauth2_send_request {
        internal;
        proxy_method      POST;
        proxy_set_header accept "application/json";
        proxy_set_header Content-Type "application/json";
        proxy_pass https://imos-plant-config-api-test.op-epg1mi.gm.com/tonic/login;
    }
}

My full javascript:

var fs = require('fs');
var MyTokeFile = "/etc/nginx/protectedFolder/mytoken.dat";

function writeToken(t)
{
    var file = fs.writeFileSync(MyTokeFile, t)
}

function readToken(r)
{
    try {
        fs.accessSync(MyTokeFile, fs.constants.R_OK);
        r.log('readToken: Has READ access : ' + MyTokeFile);
    } catch (e) {
        r.log('readToken: No READ access : ' + MyTokeFile);
        return ("");  // Return empty string if file cannot be read.
    }

    r.log("readToken:" + MyTokeFile )
    var file = fs.readFileSync(MyTokeFile);
    var token = file.toString();
    return (token);
}

function introspectAccessToken(r)
{
    r.log("introspectAccessToken - make a subrequest to _oauth2_send_request");
    // Request Internal location "SEND REQUEST"
    r.subrequest("/_oauth2_send_request",
    { method: 'POST',
      body: JSON.stringify({ userName: "SERVICEID", password: "correcthorsebatterystaple" })
    },
    function(reply)
    {
        if (reply.status == 200)
        {
            r.log("introspectAccessToken: POST status:" + reply.status);
            var response = JSON.parse(reply.responseBody);
            var token = response["data"];
            // Write the Token to a file -- to be read later.
            writeToken(token);
            r.return(200);
        }
        else
        {
            r.log("introspectAccessToken: failed POST status:" + reply.status);
            r.return(401);     // Unexpected response, return 'auth required'
        }
    });
}