Hello!
We have interfaces for Facebook (OAuth2), Apple, Microsoft and Google
(OpenID). The OpenID interfaces are quite similar, as they are all based
on JWTs.
The only thing we could not do directly in naviserver was the
verification of the signature with PEM and JWK. We are using a python
script for this (which of course is not optimal). Here is the script for
JWK:
#!/usr/bin/python2
'''
jwt signature verification.
'''
import sys
import jwt
import json

def verify_jwt_signature(token, jwk, expected_audience=None):
    # Load the public key from the JWK (passed as a JSON string)
    public_key = jwt.algorithms.RSAAlgorithm.from_jwk(jwk)
    # Pin the algorithm to RS256 and check the audience; jwt.decode raises
    # on an invalid signature and rejects expired tokens
    decoded_payload = jwt.decode(token, public_key,
                                 algorithms=['RS256'], audience=expected_audience)
    print(decoded_payload)
    return 1

if __name__ == "__main__":
    if len(sys.argv) < 3 or len(sys.argv) > 4:
        print("Usage: python verify_jwt_script.py <public_key.jwk> <jwt_token> "
              "[expected_audience]")
        sys.exit(1)
    jwk = sys.argv[1]
    jwt_token = sys.argv[2]
    expected_audience = sys.argv[3] if len(sys.argv) == 4 else None
    verify_jwt_signature(jwt_token, jwk, expected_audience)
HMAC signatures work fine in naviserver with ns_hmac.
Once you have JWT handling in place, OpenID should be no problem. For
JSON processing we use rl_json and for everything else naviserver
internals, e.g. ns_base64urlencode and ns_base64urldecode and ns_crypto
for signing a request with PEM (which now also works without the PEM
temp file):
ns_crypto::md string -encoding base64url -digest SHA256 -sign $pem_file $txt
Regards,
Wolfgang
On 05.05.25 at 19:12, Georg Lehner wrote:
Hello,
Nginx has an "auth_request"[1] module, which allows offloading
authentication to an HTTP backend.
This is used e.g. with oauth2-proxy[2] to provide OAuth2/OpenID
Connect authentication to (reverse proxied) applications which do not
implement authentication themselves. See the configuration examples with
Keycloak[3] or authentik[4].
I believe Naviserver would benefit from a compliant implementation of
this "authentication protocol" (and I would put it immediately into
operation).
How difficult would it be to implement this? Would this go into the
nsperm module or rather be implemented as a separate module?
- - -
Of course, replacing oauth2-proxy directly in Naviserver would be even
more efficient. E.g. Apache has its own mod_auth_openidc for this. But
I guess that's much harder to implement, and auth_request could also be
used with other creatively invented backends.
Best Regards,
Georg
[1] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
[2] https://github.com/oauth2-proxy/oauth2-proxy
[3] https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc
[4] https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
--
*Wolfgang Winkler*
Management
wolfgang.wink...@digital-concepts.com
mobile +43.699.19971172
dc: *office*
digital concepts Novak Winkler OG
Software & Design
Landstraße 68, 5th floor, 4020 Linz
www.digital-concepts.com
tel +43.732.997117.72
tel +43.699.1997117.2
Commercial register number: 192003h
Commercial register court: Landesgericht Linz
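An added worked example (not from Wolfgang's mail, nor NaviServer's or PyJWT's own code) of what the `jwt.decode(token, public_key, algorithms=['RS256'], audience=...)` call in the script above does internally, written against the Python standard library only so that every step is visible: parsing the header, pinning the algorithm before trusting anything else in it, selecting the key from a JWK set by `kid`, the RSASSA-PKCS1-v1_5 check against the JWK's `n` and `e`, and only then the `iss`, `aud` and `exp` claim checks (the script in the mail passes no issuer to `jwt.decode`, so that check is added here). The issuer `https://idp.example`, audience `my-client`, key id `test-key-1` and the seeded 1024-bit key pair are constructed for the demo; the signer and key generator exist only so the example runs offline and are not meant for real keys.

```python
# Added example: stdlib-only RS256 JWT verification against a JWK set. Issuer, audience,
# kid and the key pair below are constructed for the demo (not from the mail or NaviServer).
import base64, hashlib, hmac, json, random, time

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message, em_len):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("RSA modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk, signing_input, signature):
    """RSASSA-PKCS1-v1_5 verify using the JWK's public modulus n and exponent e."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))

class JWTError(Exception): pass

def verify_jwt(token, jwks, expected_audience, expected_issuer, now=None):
    """Return the claims of a valid token, or raise JWTError with the rejection reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the header must not choose it ("none", or HS256 with the public key
    # as HMAC secret). Only after that is the key selected from the JWK set by kid.
    if header.get("alg") != "RS256":
        raise JWTError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise JWTError("unknown kid")
    if not rs256_verify(key, f"{h_b64}.{p_b64}".encode("ascii"), b64url_decode(s_b64)):
        raise JWTError("bad signature")
    claims = json.loads(b64url_decode(p_b64))  # trusted only after the signature check
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise JWTError("wrong issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise JWTError("token expired")
    return claims

def make_test_keypair(bits=1024, seed=1, kid="test-key-1"):
    """Constructed, seeded demo RSA key pair (public JWK, (n, d)). Demo only, never for real keys."""
    rng, e = random.Random(seed), 65537
    def prime():  # Fermat test with fixed bases; adequate for a seeded demo key
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19)):
                return c
    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            break
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    jwk = {"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig", "n": enc(n), "e": enc(e)}
    return jwk, (n, pow(e, -1, phi))

def sign_rs256(claims, kid, priv):
    """Test-only signer so the demo can produce tokens offline."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    h = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    m = int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode("ascii"), k), "big")
    return f"{h}.{p}.{b64url_encode(pow(m, d, n).to_bytes(k, 'big'))}"

def demo(now=1_700_000_000):
    """Verify one good token and four bad variants; returns the outcome of each."""
    jwk, priv = make_test_keypair()
    jwks, iss, aud = {"keys": [jwk]}, "https://idp.example", "my-client"  # constructed values
    token = sign_rs256({"iss": iss, "aud": aud, "sub": "alice", "exp": now + 300}, jwk["kid"], priv)
    h, p, s = token.split(".")
    forged = ".".join([h, b64url_encode(json.dumps({"iss": iss, "aud": aud, "sub": "mallory", "exp": now + 300}).encode()), s])
    alg_none = ".".join([b64url_encode(b'{"alg":"none","kid":"test-key-1"}'), p, ""])
    def outcome(t, a=aud, clock=now):
        try:
            return "accepted:" + verify_jwt(t, jwks, a, iss, now=clock)["sub"]
        except JWTError as ex:
            return "rejected:" + str(ex)
    return {"valid": outcome(token), "forged_payload": outcome(forged), "alg_none": outcome(alg_none),
            "wrong_audience": outcome(token, a="other-client"), "expired": outcome(token, clock=now + 600)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`verify_jwt` either returns the claims or raises `JWTError` with the reason, which is the split a caller such as a naviserver request filter needs; `demo()` exercises a valid token alongside a forged payload with the original signature, an `alg: none` header, a wrong audience and an expired token. The same rules (algorithm pinned by the verifier, key chosen by `kid`, claims read only after the signature passes) apply whether the public key arrives as a JWK or as a PEM file.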