[Feature request] Support NGINX's `auth_request` directly in Unit

[lolgab]

Can Unit support something like NGINX's auth_request without the need of running Unit behind a NGINX reverse proxy? Thank you!

[tippexs]

Hi @lolgab. At the moment, there is no nativ implementation of auth_request but I a little python helper app would do the trick. Is that an option? If so we could use this thread to discuss the options you have.

[lolgab]

@tippexs Yes, that may also work. I will try this route and let's see how it goes :)

[lolgab]

I don't know if this is doable or even meaningful, but a mechanism to delegate the handling to a different application ( listening in a different port ) could make it faster to implement such use case. In the specific case of auth_request you get a request then you call the endpoint that contains the auth_request validation and then, if the validation endpoint returned a 200, you redirect the request to another application running on another port. This means that the request is sent via HTTP, serialized, and then sent to Unit itself which parses it again, and sends it to the target application. You could avoid one serialization and one deserialization if Unit could "redirect" the request directly to another application. This idea, while would allow a nice optimization, would also increase the API surface for Unit which might be not so desirable. An auth_request implementation in NGINX Unit itself could make sense in the future.

[tippexs]

Thanks for sharing your idea. The most simple idea would be a implemenation with Cookies and the use of our routing matches. Another - more powerful - implemenation could be made by the use of njs. We have a beta version available using NJS on Unit. We could try to make it work with njs on unit. Whats the best use case? APIs or a real website in which we can add cookies for example?

[lolgab]

Sorry, I forgot to mention my specific use case! I want to delegate authentication to vouch-proxy, a microservice that handles authentication using the NGINX auth_request protocol. It is nice since you can centralize the authentication to multiple applications running in the same Unit. I haven't tried yet, but since it is written in Go, it might run in Unit as well.

[BradleyKirton]

Hi @tippexs, could you provide an example of what the unit configuration file would look like for your suggestion of using a python application for authentication?