Writing a new auth module - request for comments
senko.rasic at gmail.com
Thu Jun 18 07:42:07 UTC 2015
Thanks for your reply, Valentin. I have checked the auth_request module; in fact,
the module I'm writing started as modifications to the auth_request module.
To clarify, I'm not trying to do a one-off setup for my server using the
Stormpath API. The idea is to provide a module so any Stormpath user can
easily integrate the two.
Specifically, the reasons why auth_request wasn't enough:
* It requires another location on the local server to be provided (that
location can be proxied using http_proxy_module, but still has to be
added) to which it'll make the requests. I wanted to avoid forcing the
users to need to add another location block and proxy_pass directives to
the external API (felt like a hack).
* It requires specific semantics regarding the response (200, 401, 403
are interpreted as usual, everything else is server error). Stormpath's
API has different semantics so it wouldn't work anyways.
* You can't do more than one auth request per client request. In some
cases, I need two - first to authenticate the client, then to check if
the user is in a specific group (and to be able to do this, I need to
parse the response body).
So it looks like auth_request module would be ideal if the users provide
a small authorization web service that does whichever auth logic is needed,
and then responds according to auth_request semantics. If I just wanted to
implement the integration for my (one) specific use-case, I'd likely do that.
But the motivation for the module is to avoid forcing users to do these
one-off auth services, and instead just compile in and use a module that
On Wed, Jun 17, 2015 at 5:29 PM, Valentin V. Bartenev <vbart at nginx.com> wrote:
> On Wednesday 17 June 2015 11:25:33 Senko Rasic wrote:
>> I'm writing a new module (out-of-tree) for supporting authentication
>> using Stormpath's user management API (https://stormpath.com/).
>> Basically, the module makes one or more HTTP requests to the
>> Stormpath API to determine if the client request should be authorized
>> to access a location or not.
> Have you checked the auth_request module?
> See: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
> wbr, Valentin V. Bartenev
Senko Rasic <senko at senko dot net>
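
The "small authorization web service" alternative mentioned in the message, sketched as an added example (not code from the message or from the module under discussion): two backend lookups, authentication and then group membership, are collapsed into the 200/401/403 statuses auth_request understands, with any backend failure mapped to 500 so it can never turn into an allow. The backend callables and sample accounts are constructed stand-ins and do not represent Stormpath's API.

```python
import base64
import hmac

# Constructed sample accounts standing in for the external user-management API.
SAMPLE_USERS = {
    "alice": {"password": "s3cret", "groups": {"admins", "staff"}},
    "bob": {"password": "hunter2", "groups": {"staff"}},
}

def sample_authenticate(user, password):
    """Hypothetical first backend call: return an account dict or None."""
    rec = SAMPLE_USERS.get(user)
    if rec and hmac.compare_digest(rec["password"].encode(), password.encode()):
        return {"user": user}
    return None

def sample_groups_of(account):
    """Hypothetical second backend call: return the account's group names."""
    return SAMPLE_USERS[account["user"]]["groups"]

def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic' value, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 credentials
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def decide(auth_header, authenticate, groups_of, required_group=None):
    """Map both lookups onto the statuses auth_request accepts."""
    creds = parse_basic(auth_header)
    if creds is None:
        return 401  # missing or unparseable credentials
    try:
        account = authenticate(*creds)
        if account is None:
            return 401  # bad username or password
        if required_group is not None and required_group not in groups_of(account):
            return 403  # authenticated, but not in the required group
    except Exception:
        return 500  # fail closed: a backend error is never treated as success
    return 200
```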