
Auth Proxy for all ingress requests

We would like to provide a multi-tenant application that identifies the tenant based on a subdomain. As authentication server we use Keycloak, in which each tenant has its own realm.

Now we want to authenticate all requests to our application using an auth proxy. If the request is already authenticated (it has a cookie), the request should be forwarded to the backends. If the request is not yet authenticated (it does not have a cookie), the request should be forwarded to Keycloak and to the correct realm based on the subdomain, and an OAuth flow should be initiated. After successful login, a cookie should be set so that all subsequent requests are authenticated. This is exactly the functionality offered by oauth2-proxy. However, we have the further requirement that we have different realms that map the individual tenants. This is not possible with oauth2-proxy at the moment.

Is there another solution besides oauth2-proxy that offers this functionality (possibly Nginx or a plugin for it)?

Thanks

OIDC PLUGIN

You could use lua-resty-openidc with any Lua based Nginx system, eg Kong or OpenResty. This is an established plugin that does the same job as oauth2-proxy. You can have multiple instances of it configured, for different paths, representing different tenants:

location /tenant1/ {
    rewrite_by_lua_block {
        -- per-tenant settings for this realm (discovery URL, client id/secret, redirect URI)
        local opts = ...
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            -- authenticate() only returns an error when the login or session handling failed
            ngx.status = 500
            ngx.say(err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
    }
}
location /tenant2/ {
    rewrite_by_lua_block {
        -- same as above, with the settings for the second realm
        local opts = ...
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            ngx.status = 500
            ngx.say(err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
    }
}

There are also various ways to look at input criteria, such as an origin header and re-route accordingly, which can be useful sometimes, though there is a learning curve.

DESIGN

I would question your design a little though. Multiple realms effectively means your apps need to deal with multiple authorization servers, which is a complex setup. E.g. APIs need to validate multiple types of access token.

If possible, prefer a solution where you use a single authorization server and simply add a tenant ID claim to access tokens, then ensure that APIs deny access to tenant 2 data for users from tenant 1.

This related answer on multiple realms for a single application also discusses some trade-offs around how data can be accessed.
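The subdomain-based variant of the answer's approach, written out as an added example: this is not the answerer's code and not part of lua-resty-openidc's own documentation. It assumes OpenResty with lua-resty-openidc and lua-resty-session installed, a wildcard host `*.example.com`, a Keycloak at `keycloak.example.com` with realms named after the tenants (`tenant1`, `tenant2`), a confidential client `frontend` in each realm, and placeholder backends on localhost; all of those names and secrets are assumptions. A named capture in `server_name` turns the subdomain into `$tenant`, which selects the realm for the login flow. The `/api/` location addresses the DESIGN point about APIs having to validate tokens from several realms: it verifies bearer tokens against the realm that belongs to the requested subdomain, so a token issued to a tenant1 user is rejected on tenant2's host.

```nginx
# OpenResty configuration (added example). One server block serves every tenant
# subdomain; the named capture in server_name makes the tenant available as $tenant.
http {
    # lua-resty-openidc fetches each realm's discovery document and JWKS over HTTPS,
    # so Nginx needs a resolver and a CA bundle. Addresses and paths are placeholders.
    resolver 127.0.0.53 ipv6=off;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 3;

    upstream backend     { server 127.0.0.1:8080; }   # placeholder web backend
    upstream api_backend { server 127.0.0.1:8081; }   # placeholder API backend

    # Subdomain -> realm table, built once at startup. Realm names, hostnames,
    # client ids and secrets are assumed values for this example.
    init_by_lua_block {
        local kc = "https://keycloak.example.com/realms/"
        TENANTS = {
            tenant1 = { issuer = kc .. "tenant1", client_id = "frontend", client_secret = "CHANGE-ME-1" },
            tenant2 = { issuer = kc .. "tenant2", client_id = "frontend", client_secret = "CHANGE-ME-2" },
        }
        for _, t in pairs(TENANTS) do
            t.discovery = t.issuer .. "/.well-known/openid-configuration"
        end
    }

    server {
        listen 443 ssl;
        server_name ~^(?<tenant>[a-z0-9-]+)\.example\.com$;
        ssl_certificate     /etc/nginx/tls/wildcard.example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;   # placeholder
        # The session cookie is managed by lua-resty-session; configure its secret
        # as that library's documentation describes for the version you deploy.

        # Browser traffic: an unauthenticated request is redirected to this tenant's
        # realm, the code exchange happens on /redirect_uri, and a session cookie is set.
        location / {
            access_by_lua_block {
                local openidc = require("resty.openidc")
                local tenant  = ngx.var.tenant
                local cfg     = TENANTS[tenant]
                if not cfg then
                    return ngx.exit(ngx.HTTP_NOT_FOUND)   -- unknown subdomain
                end

                local opts = {
                    discovery        = cfg.discovery,
                    client_id        = cfg.client_id,
                    client_secret    = cfg.client_secret,
                    redirect_uri     = "https://" .. ngx.var.host .. "/redirect_uri",
                    scope            = "openid email profile",
                    logout_path      = "/logout",
                    redirect_after_logout_uri    = "/",
                    renew_access_token_on_expiry = true,
                    session_contents = { id_token = true, access_token = true },
                }

                local res, err = openidc.authenticate(opts)
                if err then
                    ngx.log(ngx.ERR, "OIDC login failed for tenant ", tenant, ": ", err)
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end

                -- Overwrite, never merge: the client must not be able to supply these headers.
                ngx.req.set_header("X-Tenant", tenant)
                ngx.req.set_header("X-User",   res.id_token.sub)
                ngx.req.set_header("X-Email",  res.id_token.email or "")
            }
            proxy_pass http://backend;
        }

        # API traffic: the bearer token is verified against the realm of this subdomain.
        # A token signed by tenant1's realm fails signature verification against
        # tenant2's JWKS; the issuer comparison is defence in depth on top of that.
        location /api/ {
            access_by_lua_block {
                local openidc = require("resty.openidc")
                local cfg = TENANTS[ngx.var.tenant]
                if not cfg then
                    return ngx.exit(ngx.HTTP_NOT_FOUND)
                end

                local claims, err = openidc.bearer_jwt_verify({ discovery = cfg.discovery })
                if err then
                    ngx.log(ngx.WARN, "rejected bearer token for ", ngx.var.tenant, ": ", err)
                    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
                end
                if claims.iss ~= cfg.issuer then
                    return ngx.exit(ngx.HTTP_FORBIDDEN)   -- token from another tenant's realm
                end

                ngx.req.set_header("X-Tenant", ngx.var.tenant)
                ngx.req.set_header("X-User",   claims.sub)
            }
            proxy_pass http://api_backend;
        }
    }
}
```

Browsing to `https://tenant1.example.com/` without a session cookie sends the user to the tenant1 realm's login page and back to `/redirect_uri`, after which requests carry the cookie and are proxied with `X-Tenant`/`X-User` set by the proxy rather than the client. Each realm's client must list `https://<tenant>.example.com/redirect_uri` as a valid redirect URI. Note the per-realm discovery and JWKS lookups in `/api/`: this is the extra validation work the DESIGN section refers to, which a single realm with a tenant-id claim would replace by one issuer check plus a claim comparison.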
