An authentication server using Auth0 as a backend.
The server takes the scopes from the JSON Web Token (JWT) and compares them against a configuration. If one or more scopes are found that match the configuration, the request succeeds (status 200) and the scopes and id are reported back in custom headers. Otherwise, the request fails (status 403).
The authentication server is meant to be used for authentication sub-queries (e.g. from nginx).
It expects a configuration file as follows:
{
"audience": "<string>",
"issuer": "<string>",
"headerNames": {
"method": "<string> || 'x-original-method'",
"uri": "<string> || 'x-original-uri'",
"groups": "<string> || 'x-groups'",
"id": "<string> || 'x-id'"
},
"auth": {
"<path1>": {
"<verb1 e.g. GET>": ["role/scope 1", "role/scope 2"],
"<verb2 e.g. POST>": ["role/scope 3"]
}
}
}The "issuer" string should end with a slash ("/"). Before requesting the JWKS, the string ".well-known/jwks.json" will be appended to the "issuer" string.
The program expects two environment variables:
| Environment variable | Description | Default value |
|---|---|---|
| AUTH0_CONFIG | Path of the configuration file | config.json |
| AUTH0_BIND_ADDRESS | IP address and port for the server | 127.0.0.1:8888 |
| RUST_LOG | Log level 'debug' |
In development, server can be started using the following command:
cargo runIn production, the server can be run by executing the program (optionally the environment variables can be set to change the default values).
All configured paths are compared with the starting portion of the requested path. The longest matching path is selected and the roles associated with the requested verb are used to compare against the scopes from the token.
Configuration:
{
"audience": "https://my.audience.com",
"issuer": "https://my.issuer.com/",
"headerNames": {
"method": "x-original-method",
"uri": "x-original-uri",
"groups": "x-groups",
"id": "x-id"
},
"auth": {
"/": {
"GET": ["read:user"],
},
"/api/": {
"GET": ["read:admin"],
"POST": ["write:admin"]
}
}
}Request 1
- Request: GET /image/xyz (is matched to "/")
- Response: 200 (if token contains "read:user"), 403 (otherwise)
Request 2
- Request: POST /api/objects (is matched to "/api")
- Response: 200 (if token contains "write:admin"), 403 (otherwise)
Example nginx configuration:
server {
...
location /auth {
internal;
proxy_pass http://server_auth:8888;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-METHOD $request_method;
}
location /api {
auth_request /auth;
auth_request_set $auth_user $upstream_http_x_id;
auth_request_set $auth_groups $upstream_http_x_groups;
proxy_set_header X-Auth-UserName $auth_user;
proxy_set_header X-Auth-Roles $auth_groups;
...
}
}