Authenticating Nginx to Services via the M


Imagine we are setting up a series of microservices on Cloud Run where the endpoint is an nginx, and we do not want the rest of the services to be public.

Google has a how-to on service-to-service authentication. Fine, but how do we do that in Nginx? By using the ngx_http_auth_request_module module and the njs scripting language.
The nginx configuration:
js_include conf.d/auth.js;

server {
    listen 80 default_server;
    server_name _;

    location / {
        auth_request /_oauth2;
        auth_request_set $authorization $sent_http_authorization;
        proxy_set_header Authorization $authorization;
        proxy_pass https://patinando-int-api-tfezajqgva-ew.a.run.app;
    }


    location = /_oauth2 {
        internal;
        js_content introspectAccessToken;
    }

    location = /_oauth2_send_request {
        internal;
        proxy_set_header  Metadata-Flavor Google;
        proxy_pass http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://patinando-int-api-tfezajqgva-ew.a.run.app;
    }
}

The njs script in conf.d/auth.js:
function introspectAccessToken(r) {

    r.subrequest("/_oauth2_send_request",
                 function(reply) {
                     if (reply.status == 200) {
                         r.headersOut['AUTHORIZATION'] = 'Bearer ' + reply.responseBody
                         r.status = 204;
                         r.sendHeader();
                         r.finish();
                     } else {
                         r.return(401);
                     }
                 }
                );
}
In our case the internal service is https://patinando-int-api-tfezajqgva-ew.a.run.app, and if we run a wget against it directly we get a nice 403:
HTTP request sent, awaiting response… 
 HTTP/1.1 403 Forbidden
 Date: Sun, 03 May 2020 11:36:33 GMT
 Content-Type: text/html; charset=UTF-8
 Server: Google Frontend
 Content-Length: 295
2020-05-03 11:36:33 ERROR 403: Forbidden
What this configuration says is that every request has to be authorized through /_oauth2, which is an internal location whose content is the JavaScript function.
The JavaScript code in turn calls /_oauth2_send_request to obtain the token
and puts it in the response header:
r.headersOut['AUTHORIZATION'] = 'Bearer ' + reply.responseBody
We need that header in the main location:
auth_request_set $authorization $sent_http_authorization;
proxy_set_header Authorization $authorization;
If we now make requests to Nginx, the API returns a 200:
HTTP/1.1 200 OK
 Server: nginx/1.17.10
 Date: Sun, 03 May 2020 11:44:56 GMT
 Content-Type: application/json
 Content-Length: 5436
 Connection: keep-alive
 vary: Authorization
 x-powered-by: PHP/7.4.5
 cache-control: no-cache, private
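
To confirm that the token returned by /_oauth2_send_request carries the audience requested in the configuration and has not expired, its claims can be decoded and checked. This is an added example, not code from the original post: inspectIdentityToken and makeSampleToken are hypothetical names, the sample token is constructed and unsigned, and the script is written for Node.js.

```javascript
// Added example (runs under Node.js). Decodes claims only; it does NOT verify
// the signature, which the receiving Cloud Run service checks.

function decodeSegment(seg) {
    // JWT segments are base64url without padding.
    var b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical helper: body is what /_oauth2_send_request returned.
function inspectIdentityToken(body, expectedAudience, nowSeconds) {
    var token = String(body).trim(); // tolerate stray whitespace around the token
    var parts = token.split('.');
    if (parts.length !== 3) {
        return { ok: false, reason: 'not a three-part JWT' };
    }
    var claims;
    try {
        claims = decodeSegment(parts[1]);
    } catch (e) {
        return { ok: false, reason: 'payload is not base64url JSON' };
    }
    if (!claims || claims.aud !== expectedAudience) {
        return { ok: false, reason: 'audience mismatch' };
    }
    var ttl = claims.exp - nowSeconds;
    if (!(ttl > 0)) {
        return { ok: false, reason: 'token expired or missing exp' };
    }
    return { ok: true, ttl: ttl, token: token };
}

// Builds a constructed, unsigned sample token for the demo below.
function makeSampleToken(claims) {
    var enc = function (o) {
        return Buffer.from(JSON.stringify(o)).toString('base64')
            .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
    };
    return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims) + '.c2lnbmF0dXJl';
}

var AUDIENCE = 'https://patinando-int-api-tfezajqgva-ew.a.run.app';
var sample = makeSampleToken({ aud: AUDIENCE, exp: 1588509393 });
console.log(inspectIdentityToken(sample + '\n', AUDIENCE, 1588505793));
// ttl is the number of seconds the token could be reused before refetching
```

The configuration above asks the metadata server for a token on every request; the ttl value shows how long a fetched token would remain usable if it were cached instead.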