nginxinc/nginx-openid-connect

Return 401 instead of redirecting to authorize endpoint

wongkeewee opened this issue · 2 comments

Hi Team,

We have a web application protected behind the NGINX OpenID Connect RP. Part of the web application is a URI consisting of APIs; for example, one of the APIs is /webapp/api/search.

Is it possible to configure NGINX such that, if the session is not authenticated or if the session has timed out, this particular URI /webapp/api/ returns an HTTP 401 instead of redirecting to the IdP's authorize endpoint?

In Apache mod_auth_openidc module, it is possible to achieve this using the OIDCUnAuthAction parameter
https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L853

Is there a setting or Parameter in Nginx that can achieve this?

Hi @wongkeewee, the redirect happens because the configuration catches every 401 HTTP status code and kicks off the OIDC flow.

If we are talking about a special location that should be handled differently, you can override the error_page handler for that specific location.

    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        # A 401 from auth_jwt starts the OIDC login flow (redirect to the IdP)
        error_page 401 = @do_oidc_flow;

        location /webapp/api/ {
            # The nested location inherits auth_jwt from the parent, but its own
            # error_page replaces the inherited handler, so no redirect happens here
            error_page 401 = @noOIDC401;
        }
    }

As the location is nested, it will still be protected by the auth_jwt directive, but the error handling will be different in this case.
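The following is an added example that expands the snippet above into a complete server block; it is not configuration from the thread or from the nginx-openid-connect repository. The `include conf.d/openid_connect.server_conf;` line mirrors the repository's frontend.conf and is what defines `$session_jwt`, `/_jwks_uri` and the `@do_oidc_flow` named location; the upstream name, listen port, header values, JSON body and the `@noOIDC401` location body are assumptions made for illustration. Two details worth checking in your own setup: `proxy_pass` is not inherited into a nested location and must be repeated there, and `error_page` directives are inherited only when the current level defines none, so the nested `error_page 401` replaces the whole inherited set rather than adding to it.

```nginx
# Added example, not from the thread or the repository. Values marked
# "assumed" are placeholders chosen for illustration.
upstream my_backend {
    server 127.0.0.1:8080;   # assumed backend address
}

server {
    # Provides $session_jwt, the keyval zones, /_jwks_uri and @do_oidc_flow
    # (this include is how the repository's frontend.conf wires the RP in)
    include conf.d/openid_connect.server_conf;

    listen 8010;             # assumed; use TLS in production

    location / {
        # Browser-facing pages: a missing or expired session is sent to the IdP
        auth_jwt "" token=$session_jwt;
        auth_jwt_key_request /_jwks_uri;
        error_page 401 = @do_oidc_flow;

        proxy_set_header username $jwt_claim_sub;
        proxy_pass http://my_backend;

        location /webapp/api/ {
            # auth_jwt is inherited from the parent, so the token is still
            # validated. error_page is NOT merged with the parent's set:
            # defining any error_page here replaces everything inherited,
            # so list every status code this location must handle specially.
            error_page 401 = @noOIDC401;

            # proxy_pass is not inherited into a nested location
            proxy_set_header username $jwt_claim_sub;
            proxy_pass http://my_backend;
        }
    }

    # API callers get a machine-readable 401 and no redirect. The
    # WWW-Authenticate header follows RFC 6750 so clients know to obtain
    # a new session; header and body values are assumed.
    location @noOIDC401 {
        default_type application/json;
        add_header WWW-Authenticate 'Bearer realm="webapp"' always;
        return 401 '{"error":"unauthorized","message":"session missing or expired"}';
    }
}
```

With this in place, `curl -i http://localhost:8010/webapp/api/search` without a session cookie should answer `401` with the JSON body, while `curl -i http://localhost:8010/` should answer `302` to the IdP's authorize endpoint; test both after `nginx -t` reports the configuration as valid.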

Hi @tippexs,

Thanks for the info!

We managed to configure the /api URI to return 401 instead of the OIDC redirect using the nested location.