Hello,
Nginx has an "auth_request"[1] module, which allows offloading
authentication to an HTTP backend.
This is used e.g. with oauth2-proxy[2] to provide OAuth2/OpenID Connect
authentication to (reverse proxied) applications which do not implement
authentication by themselves. See configuration examples with Keycloak[3]
or authentik[4].
I believe Naviserver would benefit from a compliant implementation of
this "authentication protocol" (and I would put it immediately into
operation).
How difficult would it be to implement this? Would this go into the
nsperm module or rather be implemented as a separate module?
- - -
Of course, replacing oauth2-proxy directly in Naviserver would be even
more efficient. E.g. Apache has its own mod_auth_openidc for this. But I
guess that's much harder to implement, and auth_request could also be used
with other creatively invented backends.
Best Regards,
Georg
[1] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
[2] https://github.com/oauth2-proxy/oauth2-proxy
[3] https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc
[4] https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
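
The auth_request decision logic asked about above, as an added example that is not part of the original message and is neither nginx nor NaviServer code: per the nginx module documentation [1], a 2xx subrequest response allows the request, 401 or 403 denies it with that code (401 also passes on WWW-Authenticate), and any other code is an error. The backend class, paths, credential and function names are constructed for illustration, and answering 500 when the backend is unreachable is this sketch's own fail-closed choice.

```python
import http.client
import http.server
import threading

class DemoAuthBackend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an auth backend (the role oauth2-proxy plays)."""

    def do_GET(self):
        cred = self.headers.get("Authorization", "")
        if self.path == "/broken":
            self.send_response(302)            # neither 2xx nor 401/403
            self.send_header("Location", "/login")
        elif cred == "Bearer demo-valid":      # constructed credential
            self.send_response(202)
        elif cred:
            self.send_response(403)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="demo"')
        self.end_headers()

    def log_message(self, *args):              # keep the demo quiet
        pass

def start_backend():
    """Start the constructed backend on a free local port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoAuthBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def auth_request(host, port, path, client_headers):
    """Return (allowed, status_for_client, headers_for_client)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        # The subrequest carries the client's headers but no request body.
        conn.request("GET", path, headers=client_headers)
        resp = conn.getresponse()
        resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return (False, 500, {})                # backend unreachable: fail closed
    if 200 <= resp.status < 300:
        return (True, None, {})                # continue with the original request
    if resp.status == 401:                     # pass the challenge on to the client
        challenge = resp.getheader("WWW-Authenticate")
        return (False, 401, {"WWW-Authenticate": challenge} if challenge else {})
    if resp.status == 403:
        return (False, 403, {})
    return (False, 500, {})                    # any other code is an error
```

A server-side implementation would call the equivalent of `auth_request` before dispatching each protected request and only serve the content when the first element is true.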