Auth_request and multiple cookies from the authentication server

Hannu Shemeikka hannu.shemeikka at kyynel.net
Thu Sep 24 06:01:38 UTC 2020


Hi,

I'm using auth_request to authenticate requests to my locations. I
have a working configuration but I noticed that the client is not
receiving all cookies set by the authentication server.

I'm using the following syntax for setting the cookie:
auth_request_set $auth_cookie $upstream_http_set_cookie;

It seems that the variable $upstream_http_set_cookie only contains the
first cookie and not all cookies set by the upstream server.

Is this variable's behavior a feature or is it a bug? Is there a
workaround for this?

I have tried using different solutions like using the variable
$upstream_cookie_<name> for setting each cookie but this variable seems
to contain only the raw cookie value and doesn't include the flags, e.g.
expires, httponly. I thought about using lua but I'm thinking of giving
up with the lua route since it seems it would not be a good solution all
things considered.


Relevant part of the nginx configuration:

##################

location / {
    auth_request      /auth;
    auth_request_set  $auth_cookie $upstream_http_set_cookie;
    add_header        Set-Cookie $auth_cookie;
    try_files         $uri @frontend;
}

location /auth {
    internal;
    proxy_set_header  X-Original-Method $request_method;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Original-URI $request_uri;
    proxy_set_header  Host $host;
    proxy_pass        http://$server/api/authz;
}

##################


- Hannu
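
An added example, not part of the original post: a small Python audit that compares the Set-Cookie lines the authentication server sends with the lines the client ends up receiving, and reports cookies that were dropped or that lost attributes such as HttpOnly and Secure. The two via_* functions only model the behaviour reported in the post (they are not nginx code), all function names are hypothetical, and the cookie values are constructed.

```python
from http.cookies import SimpleCookie

# Attributes whose loss matters to the client (expiry, scope, script/transport protection).
ATTRS = ("expires", "path", "httponly", "secure")

# Constructed sample: two Set-Cookie lines from a hypothetical auth server.
AUTH_RESPONSE = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "csrf=xyz789; Path=/; Expires=Fri, 24 Sep 2021 06:00:00 GMT",
]

def parse_set_cookie(lines):
    """Map cookie name -> (value, {attribute: value}) over Set-Cookie lines."""
    parsed = {}
    for line in lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            attrs = {k: morsel[k] for k in ATTRS if morsel[k]}
            parsed[name] = (morsel.value, attrs)
    return parsed

def audit(upstream_lines, client_lines):
    """List (cookie, problem) pairs for cookies dropped or stripped on the way."""
    sent = parse_set_cookie(upstream_lines)
    got = parse_set_cookie(client_lines)
    findings = []
    for name, (_, attrs) in sent.items():
        if name not in got:
            findings.append((name, "dropped"))
            continue
        lost = sorted(set(attrs) - set(got[name][1]))
        if lost:
            findings.append((name, "lost attributes: " + ", ".join(lost)))
    return findings

def via_upstream_http_set_cookie(upstream_lines):
    # Assumption from the post: the variable carries only the first header line.
    return upstream_lines[:1]

def via_upstream_cookie_name(upstream_lines):
    # Assumption from the post: $upstream_cookie_<name> carries the raw value only.
    return [f"{n}={v}" for n, (v, _) in parse_set_cookie(upstream_lines).items()]

if __name__ == "__main__":
    for model in (via_upstream_http_set_cookie, via_upstream_cookie_name):
        print(model.__name__, audit(AUTH_RESPONSE, model(AUTH_RESPONSE)))
```

In practice the two inputs to audit() would be the Set-Cookie lines captured directly from the authentication endpoint and those captured from the proxied response.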


