Nginx as oauth client

I would like to protect a website by adding OAuth user authentication with NC as the provider, using nginx and the auth_request_module. I guess unauthorized clients should be redirected to NC for entering user name and password, and then redirected to the original site. How would I go about this? I experimented with several settings found online for other OAuth providers, but I don’t seem to be able to figure it out.

Usually you need an endpoint that will serve this authentication; not sure how auth_request_module works… Anyway, you can check this doc on how to configure the NC part for it:
https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html

https://nginx.org/en/docs/http/ngx_http_auth_request_module.html

It expects a 2xx response for authorized, and 401 or 403 for unauthorized. Every other status code is considered an error, and is thrown away with a 500 status to the client.

I experimented further, I think I now know how it should be working. The issue is that NC returns a 303 with the location of the login page for the configured client when the request is not authorized, which makes sense, but this nginx module considers this an error. Of course, NC’s OAuth2 client settings page gives zero flexibility with those status codes, and the docs mention nothing either. On the nginx side, it doesn’t seem to be possible to override the 303 status code by configuration; it’s apparently ignored. So, I’m stuck at this.

No one ever tried to make this work?

A POST request with a 303 is standard behavior here to redirect the user to the callback URL.

Usually this should not be the same endpoint as the login page, but the callback URL that will serve this answer.

It seems this module is not really doing what you expect; it is simple answer detection, but you need to implement OAuth 2.0 (e.g. here as an explanation) with token validation and refresh. Looks like it should be done with the ngx_http_auth_jwt_module, but not sure here…

UPDATE: There is a cool blog post about this issue:

Thanks, I haven’t stumbled across this specific post yet, seems quite comprehensive.

FWIW though, if I understand correctly, the core functionality of all the JS magic happening there boils down to reducing the token introspection response to a 204, 401 or 403 response code. Which, for my purposes, would work just as well if the endpoint itself differentiated the separate cases by status codes (which it does, just using 303 when unauthorized), and I could convert those to the above. All the rest, like redirecting to a login page and such, are just nice-to-have additions.

And if error_page would actually catch a 303 response, I would be ready to go. But apparently, for some reason, it doesn’t - despite the documentation saying nothing about those being special in this respect. I did even dig into the nginx source code a bit, but couldn’t find where they are handled differently from a 4xx or 5xx status.

So, ultimately, sure I could use JS in nginx, but I’m hoping for some simpler solution to a relatively simple issue.

Not to mention that apparently, the nginx JS module is not available on the ARM architecture my box runs on…
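Putting the thread together: the reply above recommends "an endpoint that will serve this authentication", and the nginx docs quoted above say auth_request only understands 2xx, 401 and 403. The following is an added example (not from the thread, and not Nextcloud's or nginx's own code) of such an endpoint in Python: it keeps the Nextcloud authorization-code dance on its own paths and hands auth_request a plain 204 or 401, so Nextcloud's 303 is never in the subrequest path at all. The host names, client credentials, cookie names, port and the nginx wiring shown in the docstring are assumptions; the authorize and token endpoint paths are the ones in the Nextcloud admin docs linked above, and the user_id field in the token reply is an assumption to check against your NC version.

```python
"""Added example: auth_request backend with Nextcloud as OAuth2 provider.

Assumed nginx wiring (hypothetical, not from the thread):

    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:8081/auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
    location /         { auth_request /_auth; error_page 401 = @login; ... }
    location @login    { return 302 /_oauth/login?next=$request_uri; }
    location /_oauth/  { proxy_pass http://127.0.0.1:8081; }

/auth answers only 204 or 401; the browser-facing redirects live on /_oauth/.
"""
import base64, hashlib, hmac, json, secrets, time
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): your NC URL and the client registered under
# Settings > Security > OAuth 2.0 clients. Endpoint paths follow the NC docs.
NC_BASE = "https://cloud.example.com"
AUTHORIZE_URL = NC_BASE + "/index.php/apps/oauth2/authorize"
TOKEN_URL = NC_BASE + "/index.php/apps/oauth2/api/v1/token"
CLIENT_ID, CLIENT_SECRET = "client-id", "client-secret"
REDIRECT_URI = "https://app.example.com/_oauth/callback"
SESSION_KEY = secrets.token_bytes(32)   # fresh per start: a restart logs everyone out
SESSION_TTL = 3600                       # seconds a login stays valid

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _now(now):
    return int(time.time() if now is None else now)

def make_session(user: str, now=None, key=SESSION_KEY) -> str:
    """Signed, expiring cookie value: b64(payload).b64(hmac-sha256)."""
    payload = json.dumps({"sub": user, "exp": _now(now) + SESSION_TTL}).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())

def verify_session(value: str, now=None, key=SESSION_KEY):
    """Return the user name if signature and expiry check out, else None."""
    try:
        p, m = value.split(".")
        payload, mac = _unb64(p), _unb64(m)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), mac):
        return None                      # tampered, or signed with another key
    data = json.loads(payload)
    return data["sub"] if data["exp"] > _now(now) else None

def auth_status(cookie_header, now=None) -> int:
    """The auth_request contract: 204 = let it through, 401 = send to login."""
    jar = SimpleCookie(cookie_header or "")
    ok = "nc_session" in jar and verify_session(jar["nc_session"].value, now)
    return 204 if ok else 401

def safe_next(url) -> str:
    """Only ever send the browser back to a local path (no open redirect)."""
    return url if url and url.startswith("/") and not url.startswith("//") else "/"

def authorize_redirect(state: str) -> str:
    q = {"response_type": "code", "client_id": CLIENT_ID,
         "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(q)

def exchange_code(code: str, post=None) -> dict:
    """Authorization-code grant at the token endpoint. `post` is injectable so
    the exchange can be exercised offline; the reply's user_id is an assumption."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                      "redirect_uri": REDIRECT_URI}).encode()
    if post is None:
        from urllib.request import Request, urlopen
        def post(url, data):
            hdr = {"Content-Type": "application/x-www-form-urlencoded"}
            return urlopen(Request(url, data=data, headers=hdr)).read()
    return json.loads(post(TOKEN_URL, body))

class Handler(BaseHTTPRequestHandler):
    def _reply(self, status, **headers):
        self.send_response(status)
        for k, v in headers.items():
            self.send_header(k.replace("_", "-"), v)
        self.end_headers()

    def do_GET(self):
        url = urlparse(self.path)
        q, jar = parse_qs(url.query), SimpleCookie(self.headers.get("Cookie", ""))
        if url.path == "/auth":                       # what nginx's subrequest hits
            self._reply(auth_status(self.headers.get("Cookie")))
        elif url.path == "/_oauth/login":              # state = nonce + where to return
            state = secrets.token_urlsafe(16) + "." + _b64(safe_next(q.get("next", [""])[0]).encode())
            self._reply(302, Location=authorize_redirect(state),
                        Set_Cookie=f"oauth_state={state}; Path=/_oauth; HttpOnly; Secure; SameSite=Lax")
        elif url.path == "/_oauth/callback":
            state = q.get("state", [""])[0]
            if "oauth_state" not in jar or not hmac.compare_digest(
                    state.encode(), jar["oauth_state"].value.encode()):
                self._reply(403)                       # CSRF or mixed-up flow
                return
            user = exchange_code(q.get("code", [""])[0]).get("user_id")
            if not user:
                self._reply(401)
                return
            nxt = _unb64(state.split(".", 1)[1]).decode()
            self._reply(302, Location=safe_next(nxt),
                        Set_Cookie=f"nc_session={make_session(user)}; Path=/; HttpOnly; Secure; SameSite=Lax")
        else:
            self._reply(404)
    do_HEAD = do_POST = do_GET

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), Handler).serve_forever()
```

The design point is that the subrequest target never talks to Nextcloud: it only checks a cookie this service signed itself, so the status it returns is entirely under your control and no 303 has to be rewritten. Token refresh is left out; with the session TTL above the user is simply sent through the authorize step again when the cookie expires.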