Allow /validate authorization per host based on claims in jwt #98
Comments
|
Could this functionality be handled inside of the nginx config instead of being put in Vouch Proxy? If the correct header were returned could it be interpreted by nginx? How would the end user be informed that they are Unauthorized for a particular domain? What should happen then? |
|
I actually tried for several days to find a good way to handle this inside NGINX before I went back to adding this to vouch. The answer is, without recompiling nginx with some special plugins, or using OpenResty nginx (which I wasn't so hot on adding that requirement), nginx cannot handle this. I can authorize on the keycloak server for instance, but that is only per client. If I were to do that, I would either need to do 1 vouch per app, or modify vouch to handle a different oidc config per app I'm proxying. is authorization on the oidc side based on some other factor available for other providers outside of adfs/keycloak? I'm not sure... /Validate currently returns the error for failed auth anyways to the user, so I handled returning the error the same way. |
|
Based on IRC conversation, we will try to offload this function. |
|
I'm closing this. I have documented a way to offload the authorization function and keep vouch purely IdP. |
|
@artagel where did that get documented? |
|
@davidgibbons it's in #107 pending merge |
With #95 implemented, we can allow users to be authenticated based on each post being proxied. This would add a significant capability to vouch to allow per-application authorization, which is especially important when the proxies applications don't have the ability to do this on their own. Additionally, this is in line with the beyondcorp model.
The text was updated successfully, but these errors were encountered: