Caching Token from auth_request

I want to cache the token from my request header field Authorization.

Authorization: Bearer abcdefghijklmnopqrstuvwxyz

My goal is that I don't have to validate every request on the validation server. If the Authorization token is cached (and valid), then the request should call the API without validation.

location /main {
    auth_request /auth;
    proxy_ignore_headers Cache-Control;
    proxy_pass http://API;
    proxy_http_version 1.1;
}

location /auth {
    internal;
    proxy_cache my_cache;
    proxy_ignore_headers Cache-Control;
    proxy_cache_key "$http_authorization";
    proxy_pass https://validationserver;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

This is my setup, but this does not work.

I hope you can help me.

Greetings!

Max L asked Oct 18 '22 14:10


1 Answer

What sort of authentication are you trying to accomplish? Is it a site-wide authentication mechanism, where every authenticated user has the same permissions to the content? Or is it more subtle, where a given user may or may not have access to certain resources?

Because if it is the latter, then you're effectively opening up your application to a security vulnerability — any authenticated user would be able to use their authentication token to perform actions they may or may not be entitled to, as, presumably, any username or IDs passed as parameters in the query would be fully trusted provided that the Token was first cached when the proper username/ID were presented in the original authorisation request that was validated and cached.


Alternatively, note that caching was not supported prior to nginx 1.7.3, as per http://nginx.org/r/auth_request.


Also, note that, by default, presence of cookies in the request or response would, likewise, preclude the content from being cached with http://nginx.org/r/proxy_cache. As per http://serverfault.com/questions/462799/leverage-proxy-caching-with-nginx-by-removing-set-cookie-header/467774#467774, the following may thus be required to get the caching to work:

    proxy_hide_header       Set-Cookie;
    proxy_ignore_headers    Set-Cookie;
    # important! Remember the special inheritance rules for proxy_set_header:
    # http://nginx.org/ru/docs/http/ngx_http_proxy_module.html#proxy_set_header
    proxy_set_header        Cookie "";
cnst answered Oct 21 '22 04:10
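The configuration below is an added example, not the asker's setup and not part of the answer above; it pulls the answer's points together into one complete `auth_request` setup with a short-lived decision cache. The cache path, the `api` upstream, the validation server hostname and the `X-Auth-User` / `X-Original-*` header names are placeholders I chose, not values from the page.

```nginx
# Added example (not from the original question or answer): auth_request with a
# short-lived cache of validation decisions. Hostnames, paths and the X-* header
# names are placeholders; the validation server is assumed to answer 200 when the
# bearer token may perform the given method on the given URI.

http {
    # Small on-disk cache reserved for auth decisions. The cache key (which
    # contains the raw bearer token) is written into every cache file, so only
    # the nginx worker user may read this directory.
    proxy_cache_path /var/cache/nginx/auth levels=1:2 keys_zone=auth_cache:1m
                     max_size=10m inactive=5m use_temp_path=off;

    # Requests with no token are never stored in or served from the cache;
    # otherwise every token-less request would collapse onto one empty key.
    map $http_authorization $auth_no_cache {
        default 0;
        ""      1;
    }

    upstream api {                       # placeholder backend
        server 127.0.0.1:8080;
    }

    server {
        listen 80;

        location /main {
            auth_request /auth;
            # Carry the identity the validation server returned (assumed
            # header X-Auth-User) to the API instead of trusting IDs supplied
            # by the client; it is populated from cached responses as well.
            auth_request_set $auth_user $upstream_http_x_auth_user;
            proxy_set_header X-Auth-User $auth_user;
            proxy_http_version 1.1;
            proxy_pass http://api;
        }

        location = /auth {
            internal;
            proxy_pass https://validationserver.example/validate;   # placeholder
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            # Tell the validation server what is actually being authorised.
            # $request_uri and $request_method refer to the main request here.
            proxy_set_header X-Original-URI    $request_uri;
            proxy_set_header X-Original-Method $request_method;

            proxy_cache auth_cache;
            # Site-wide auth (every valid token has identical rights): the token
            # alone is a safe key. Per-resource auth: method and URI must be part
            # of the key, or one cached 200 would unlock every resource.
            proxy_cache_key "$http_authorization|$request_method|$request_uri";
            # Only successful decisions are cached, and only briefly: a revoked
            # token keeps working for at most this long. 401/403 are not cached.
            proxy_cache_valid 200 1m;
            # Ignore upstream caching headers and strip cookies, which would
            # otherwise prevent the response from being cached at all.
            proxy_ignore_headers Cache-Control Expires Set-Cookie;
            proxy_hide_header    Set-Cookie;
            proxy_set_header     Cookie "";
            proxy_no_cache       $auth_no_cache;
            proxy_cache_bypass   $auth_no_cache;
            # Collapse concurrent validations of the same key into one call.
            proxy_cache_lock on;
        }
    }
}
```

Two consequences of this design are worth keeping in mind: the cache TTL is also the maximum delay before a revoked token stops working, so keep `proxy_cache_valid` short, and the cache directory holds bearer tokens in the stored keys, so its permissions matter as much as those of any other credential store.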