OAuth token validation from HAProxy or Apache mod_proxy

I have a microservice deployed on 3 nodes sitting behind an HAProxy load balancer, all inside an internal network. The services are protected using an OAuth2 APIS authorization server. Now I want to move the HAProxy to the DMZ, and I want to reject requests that do not have an auth token in the header and also validate the auth token by calling the OAuth REST API.

In HAProxy I couldn't find a way to do this. There is an option, httpchk, which can be used for health checks. I'm looking for a similar feature that can be used to validate each incoming request.

Can anyone please suggest how to implement this using HAProxy or Apache mod_proxy?

Ambal asked Oct 27 '15 18:10

2 Answers

There's the Apache module mod_auth_openidc that would allow you to validate OAuth 2.0 tokens against an Authorization Server, see: https://github.com/zmartzone/mod_auth_openidc. That module can be combined with mod_proxy to achieve what you are looking for.

Hans Z. answered Oct 03 '22 07:10

In HAProxy I couldn't find a way to do this.

For the record, as of 2021 you can. Here's an official HAProxy blog post about using OAuth: https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/.

TL;DR: install this haproxy-lua-oauth script, then you can come up with a conf like this snippet:

frontend api_gateway
   # Always use HTTPS to protect the secrecy of the token
   bind :443 ssl crt /usr/local/etc/haproxy/pem/test.com.pem

   # Accept GET requests and skip further checks
   http-request allow if { method GET }
   
   # Deny the request if it's missing an Authorization header
   http-request deny unless { req.hdr(authorization) -m found }
   
   # Verify the token by invoking the jwtverify Lua script 
   http-request lua.jwtverify
   
   # Deny the request unless 'authorized' is true
   http-request deny unless { var(txn.authorized) -m bool }
   
   # (Optional) Deny the request if it's a POST/DELETE to a 
   # path beginning with /api/hamsters, but the token doesn't 
   # include the "write:hamsters" scope
   http-request deny if { path_beg /api/hamsters } { method POST DELETE } ! { var(txn.oauth_scopes) -m sub write:hamsters }
   
   # If no problems, send to the apiservers backend
   default_backend apiservers
Rémy answered Oct 03 '22 07:10
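The frontend above delegates the real work to the Lua script: it sets txn.authorized and txn.oauth_scopes, and the http-request rules only consume those variables. The following stand-alone Python example is added here to show, offline, what that decision chain has to do end to end (missing header, bearer scheme, signature, issuer, audience, expiry, then the per-route scope rule). It is not the haproxy-lua-oauth script and not code from the HAProxy blog. It assumes HS256 with a shared secret so it runs on the standard library alone; the issuer, audience, secret and sample tokens are constructed for the example. With a real authorization server you would verify the signature against the server's published key instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HS256 secret plus the issuer and
# audience the gateway expects. Not the values of any real deployment.
SECRET = b"example-gateway-secret-not-for-production"
EXPECTED_ISS = "https://auth.example.test/"
EXPECTED_AUD = "api://hamsters"


def _b64url_decode(s):
    """base64url without padding, as used in JWTs; re-pad before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, secret=SECRET, alg="HS256"):
    """Build a JWT for the demo only. The alg in the header is written as
    given so the verifier's algorithm pinning can be exercised; the
    signature is always HS256 over header.payload."""
    header = {"alg": alg, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = h + "." + p
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token, now=None, secret=SECRET):
    """Return (authorized, scopes, reason): the equivalent of what the Lua
    script exports as txn.authorized and txn.oauth_scopes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, [], "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, [], "undecodable token"
    # Pin the algorithm: never let the token's own header choose it
    # (this is what blocks the classic alg=none trick).
    if header.get("alg") != "HS256":
        return False, [], "unexpected alg"
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, [], "bad signature"
    if claims.get("iss") != EXPECTED_ISS:
        return False, [], "wrong issuer"
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        return False, [], "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, [], "expired"
    if "nbf" in claims and claims["nbf"] > now:
        return False, [], "not yet valid"
    scopes = str(claims.get("scope", "")).split()
    return True, scopes, "ok"


def gateway_decision(method, path, headers, now=None):
    """Apply the rules in the same order as the HAProxy frontend above.
    headers is a dict with lower-case names, as HAProxy matches them."""
    if method == "GET":
        return "allow", "GET skips token checks"
    auth = headers.get("authorization")
    if auth is None:
        return "deny", "missing Authorization header"
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return "deny", "not a bearer token"
    ok, scopes, reason = verify_jwt(token, now=now)
    if not ok:
        return "deny", reason
    # Per-route scope rule: writes under /api/hamsters need write:hamsters.
    if (path.startswith("/api/hamsters") and method in ("POST", "DELETE")
            and "write:hamsters" not in scopes):
        return "deny", "missing write:hamsters scope"
    return "allow", "token valid"
```

Two points differ deliberately from the HAProxy snippet. The scope check here splits the scope claim on whitespace and requires an exact entry, whereas `-m sub write:hamsters` is a substring match that would also accept a token carrying, say, `write:hamsters-archive`; if you keep the substring form, make sure no such overlapping scope names exist in your authorization server. And the GET bypass is copied from the snippet for parity: it means the token rules never run for reads, so only keep it if every GET on the backend is genuinely public.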