Nginx auth_request oauth sso backend


This is a backend server for OAuth authentication with the Nginx auth_request module.


TODO: List the C libraries that need to be installed

git clone
shards build


Before starting, edit config.yml as needed.

First, run this server however you like. For example, with a systemd unit like:

[Unit]
Description=Nginx OAuth SSO Auth Backend

[Service]
WorkingDirectory=<path to cloned location>
ExecStart=<path to cloned location>/bin/server


Then configure nginx to use it. (The auth_request module for Nginx must be installed first; follow your distribution's instructions.)

upstream oauth_sso_auth {
    server <bind address from config.yml>; # the same as bind in config
    keepalive 8; # adjust this as required, or remove to disable keepalive for backend connections.
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # must be the same as prefix in config, or you may need more configuration.
    location /oauth_sso_auth/ {
        proxy_pass http://oauth_sso_auth;
        proxy_set_header Host $host; # required, or redirect won't work correctly.

        # make this endpoint only accessible to nginx internally, maybe not required?
        location /oauth_sso_auth/check {
            internal;
            proxy_pass http://oauth_sso_auth;
            proxy_set_header Host $host;
            # this sets the auth rule
            # in the format "<OAuth Attribute>|<Operator>|<Required Value>" (don't put any whitespace in it.)
            # <OAuth Attribute>: attribute that you want to check
            # <Operator>: "=" or "~"
            #   "=" => equals, for String/Number
            #   "~" => includes, for Array; can match multiple values, separate values with ","
            # the following checks whether "roles" includes "admin"
            proxy_set_header X-AuthRule "roles|~|admin";
        }
    }

    # 401 page, redirect to the sso login page
    # the query string $request_uri brings the user back to the page they were on before login
    location @oauth_sso_auth_401 {
        return 302 /oauth_sso_auth/login?$request_uri;
    }

    location / {
        error_page 401 = @oauth_sso_auth_401;
        auth_request /oauth_sso_auth/check;
        # this is for cookie refresh
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header set-cookie $auth_cookie;

        # <normal nginx config here>
    }

    location /god_only/ {
        error_page 401 = @oauth_sso_auth_401;
        # you can also define the auth rule here, put the rule after check as a subpath
        auth_request /oauth_sso_auth/check/username|=|god;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header set-cookie $auth_cookie;

        # <normal nginx config here>
    }
}
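
The auth rule format from the config comments above, worked through in Python as an added example (not the backend's own code). The function names, the sample attributes, the any-of reading of "~" with several values, and denying on a malformed rule are assumptions.

```python
# Added illustration of the "<attribute>|<operator>|<value>" rule format.
# Not the backend's code; names and marked semantics are assumptions.

SAMPLE_ATTRIBUTES = {  # constructed sample of OAuth user attributes
    "username": "alice",
    "uid": 1000,
    "roles": ["user", "admin"],
}


def parse_rule(rule):
    """Split a rule into (attribute, operator, value); ValueError if malformed."""
    if any(ch.isspace() for ch in rule):
        raise ValueError("auth rule must not contain whitespace")
    parts = rule.split("|")
    if len(parts) != 3 or not parts[0] or not parts[2]:
        raise ValueError("expected <attribute>|<operator>|<value>")
    if parts[1] not in ("=", "~"):
        raise ValueError("operator must be '=' or '~'")
    return tuple(parts)


def check_rule(rule, attributes):
    """Return True only when the attributes satisfy the rule; deny otherwise."""
    try:
        attribute, operator, required = parse_rule(rule)
    except ValueError:
        return False  # ASSUMPTION: a malformed rule denies access (fail closed)
    if attribute not in attributes:
        return False
    actual = attributes[attribute]
    if operator == "=":
        # "=" is for String/Number; ASSUMPTION: compared by string form.
        if isinstance(actual, bool) or not isinstance(actual, (str, int, float)):
            return False
        return str(actual) == required
    # "~" is for Array; a plain string must not fall back to substring matching.
    if not isinstance(actual, (list, tuple, set)):
        return False
    wanted = set(required.split(","))
    # ASSUMPTION: with several comma-separated values, any one match is enough.
    return any(str(item) in wanted for item in actual)


if __name__ == "__main__":
    for rule in ("roles|~|admin", "username|=|god", "roles | ~ | admin"):
        print(rule, "->", check_rule(rule, SAMPLE_ATTRIBUTES))
```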


TODO: Write development instructions here


  1. Fork it ( )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request


MIT License