Auth with Nginx and Keycloak - Do I need OAuth2 Proxy?


You need oauth2-proxy if the app does not already support OAuth/OIDC. You can use a native library with bespoke code to enable OAuth, in which case you won't need a proxy.


You don't strictly need it. You can use whatever library for your framework and jump through the auth flow. Or handle it yourself server side and hand a session off to the user.

You'll also have trouble with it if you plan on supporting multiple tenants via realms because the issuer will differ between them.


When authenticating, there needs to be something on the server (backend) which authenticates and authorizes the request for the given route. You said you are using NGINX, but didn't explain what else (if anything) is part of your backend tech stack.

If you are solely using NGINX in your tech stack and have no custom code, then using OAuth2 Proxy or a similar project is your ONLY option. Make sure you put this in front of NGINX.

If you are using NGINX to forward some requests which are unauthenticated and some which are authenticated, and ALL authenticated requests go to a backend server where you wrote the code, then you could use a native library for OAuth2 for your code. For example, if your code is in C# then google "C# OAuth2 server library" and you'll find several options.

If you want every route to be authenticated, and some requests go to static files and others to another place, then you need OAuth2 Proxy because if you authenticate in server code then you'll not have authentication for those static files.

When authenticating, there needs to be something on the server (backend) which authenticates and authorizes the request for the given route

Thanks for your reply. Regarding the above sentence, why does there always need to be a backend server? I think this is not always the case, for example, with native mobile (Android, iOS) apps, there is no server, but one can still authenticate. Am I correct?


Make sure you put this in front of NGINX.

Again, this is wrong. You can perfectly still have nginx as the public-facing gateway and use its auth_request directive to forward authentication to oauth2-proxy from within. And this is by far the most popular setup on kubernetes installations, basically the standard.
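The auth_request layout described above, written out as an added example (not a configuration from this thread or from the oauth2-proxy project). It assumes oauth2-proxy listens on 127.0.0.1:4180 and runs with --set-xauthrequest, and that the application is on 127.0.0.1:8080; the hostname is a placeholder.

```nginx
# Added example: nginx stays the public gateway and delegates authentication
# to oauth2-proxy through a subrequest. Assumed addresses, see lead-in.
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder hostname

    # oauth2-proxy's own endpoints (sign-in page, OIDC callback, sign-out).
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target: oauth2-proxy answers 202 (valid session) or 401.
    # "internal" keeps clients from calling it directly.
    location = /oauth2/auth {
        internal;
        proxy_pass              http://127.0.0.1:4180;
        proxy_set_header        Host           $host;
        proxy_set_header        X-Real-IP      $remote_addr;
        proxy_set_header        Content-Length "";
        proxy_pass_request_body off;
    }

    # Every other route, static files included, is gated by the subrequest,
    # so nothing is served unauthenticated without any application code.
    location / {
        auth_request /oauth2/auth;

        # 401 from the subrequest: start the OIDC flow and come back to the
        # originally requested URL afterwards.
        error_page 401 = /oauth2/start?rd=$scheme://$host$request_uri;

        # Forward the identity oauth2-proxy established. proxy_set_header
        # overwrites any X-User/X-Email a client tried to send itself.
        auth_request_set $user  $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        proxy_pass http://127.0.0.1:8080;
    }
}
```

The backend should trust X-User and X-Email only because this nginx is the sole path to it; if the application port is reachable from elsewhere, those headers can be forged.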


Yep - that's perfectly possible, you don't need oauth2 proxy at all. You have two options:

1) Nginx+LuaJIT+lua-resty-oidc and keycloak.

This means a little coding in lua, but not a big deal.

2) Paid Nginx+ has a native auth_jwt module. It's fast and, with other nginx+ features like integrated keyval, is the ultimate combo for designing an OIDC RP proxy, for example. On the other hand, the nginx plus subscription is expensive.

If you need more information just ask me or pm

Is there a solution for using Apache instead of Nginx+LuaJIT+lua-resty-oidc?



Using Keycloak with Nginx for role-based access? Wondering if OAuth2 proxy is necessary or if Keycloak alone can handle it. Ideally, looking to avoid extra complexity.