TeskaLabs / seacat-auth

SeaCat Auth provides authentication, authorization, identity management, session management and other access control features.
GNU General Public License v3.0

Authorization for websocket requests #300

Status: Closed (byewokko closed 10 months ago)

byewokko commented 10 months ago

See http://gitlab.teskalabs.int/ateska/webui-microfrontends-poc/-/merge_requests/85

Changes

Auth request caching

Nginx proxy_cache_key should concatenate the Authorization and Sec-WebSocket-Protocol headers:

proxy_cache_key       "$http_authorization $http_sec_websocket_protocol";

Full introspection location example:

location = /_oauth_introspect {
    internal;
    proxy_method          POST;
    proxy_set_body        "$http_authorization";
    proxy_set_header      X-Request-Uri "$scheme://$host$request_uri";
    proxy_pass            http://seacat_private_api/nginx/openidconnect/introspect?client_id=some-client;
    proxy_ignore_headers  Cache-Control Expires Set-Cookie;

    # Cache successful introspection responses
    proxy_cache           oauth_responses;
    proxy_cache_key       "$http_authorization $http_sec_websocket_protocol";
    proxy_cache_lock      on;
    proxy_cache_valid     200 30s;
}
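
Why both headers belong in the cache key, as an added example that is not part of the pull request or of SeaCat Auth's code: it models the nginx cache as a dict keyed by the rendered `proxy_cache_key` and replays two websocket handshakes through it. Assumptions: the websocket client sends its token in `Sec-WebSocket-Protocol` with no `Authorization` header, the token values are constructed, and all function names are hypothetical.

```python
# Added example: the nginx proxy cache modelled as a dict keyed by the rendered
# proxy_cache_key string. Tokens and header values are constructed samples.

VALID_TOKENS = {"tok-alice"}  # constructed: tokens the introspection upstream accepts


def introspect(headers):
    """Stand-in for the introspection upstream: 200 if either header carries a valid token."""
    bearer = headers.get("Authorization", "").split(" ")[-1]
    subprotocol = headers.get("Sec-WebSocket-Protocol", "")
    return 200 if {bearer, subprotocol} & VALID_TOKENS else 401


def render_key(template, headers):
    """Expand the two nginx variables; an absent request header renders as an empty string."""
    return (template
            .replace("$http_authorization", headers.get("Authorization", ""))
            .replace("$http_sec_websocket_protocol", headers.get("Sec-WebSocket-Protocol", "")))


def auth_request(cache, template, headers):
    """Return the status nginx would act on, caching only 200s (proxy_cache_valid 200 30s)."""
    key = render_key(template, headers)
    if key in cache:
        return cache[key]
    status = introspect(headers)
    if status == 200:
        cache[key] = status
    return status


def replay(template):
    """Send a valid websocket handshake, then an invalid one, through a single cache."""
    cache = {}
    handshakes = [
        {"Sec-WebSocket-Protocol": "tok-alice"},    # valid token, no Authorization header
        {"Sec-WebSocket-Protocol": "tok-unknown"},  # token the upstream would reject
    ]
    return [auth_request(cache, template, h) for h in handshakes]


if __name__ == "__main__":
    # Key built from Authorization only: both handshakes render the same empty key.
    print(replay("$http_authorization"))                               # [200, 200]
    # Key from the pull request: each token gets its own cache entry.
    print(replay("$http_authorization $http_sec_websocket_protocol"))  # [200, 401]
```

With the key limited to `$http_authorization`, the rejected token is answered from the entry cached for the valid handshake until the 30 s validity expires; the concatenated key sends it to introspection.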

ateska commented 10 months ago

Aligned at https://github.com/TeskaLabs/asab-maestro-library/blob/3d6f283d0f1df25df9b3a9bbad5b6d5f8f5da7cf/Site/ASAB%20Maestro/Descriptors/seacat-auth.yaml#L81

@eliska-n