Writing a new auth module - request for comments

Senko Rasic senko.rasic at gmail.com
Thu Jun 18 07:42:07 UTC 2015


Hi,

thanks for your reply Valentin. I have checked auth_request module, in fact
the module I'm writing started as modifications to auth_request module.

To clarify, I'm not trying to do one-off setup for my server using the
Stormpath API. The idea is to provide a module so any Stormpath's user can
easily integrate the two.

Specifically, the reasons why auth_request wasn't enough:

* It requires another location on the local server to be provided (that
  location can be proxied using http_proxy_module, but still has to be
  added) to which it'll make the requests. I wanted to avoid forcing the
  users to need to add another location block and proxy_pass directives to
  the external API (felt like a hack).

* It requires specific semantics regarding the response (200, 401, 403
  are interpreted as usual, everything else is server error). Stormpath's
  API has different semantics so it wouldn't work anyways.

* You can't do more than one auth request per client request. In some
  cases, I need two - first to authenticate the client, then to check if
  the user is in a specific group (and to be able to do this, I need to
  parse the response body).

So it looks like auth_request module would be ideal if the users provide
a small authorization web service that does whichever auth logic is needed,
and then responds according to auth_request semantics. If I just wanted to
implement the integration for my (one) specific use-case, I'd likely do that.

But the motivation for the module is to avoid forcing users to do these
one-off auth services, and instead just compile in and use a module that
provides this.

Best,
Senko

On Wed, Jun 17, 2015 at 5:29 PM, Valentin V. Bartenev <vbart at nginx.com> wrote:
> On Wednesday 17 June 2015 11:25:33 Senko Rasic wrote:
>> Hi,
>>
>> I'm writing a new module (out-of-tree) for supporting authentication
>> using Stormpath's user management API (https://stormpath.com/).
>>
>> Basically, the module makes one or more HTTP requests to the
>> Stormpath API to determine if the client request should be authorized
>> to access a location or not.
>>
> [..]
>
> Have you checked the auth_request module?
>
> See: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
>
>   wbr, Valentin V. Bartenev
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx



-- 
Senko Rasic <senko at senko dot net>



More information about the nginx mailing list