
I'm using a very lazy hack for authenticating web services by letting Apache check the OpenID auth state in the browser and redirecting to Keycloak's login page if the session expired.

It's like HTTP Basic Auth but with extra steps. It's basically these rules:

    # mod_auth_openidc: passphrase for the server-side session/cache encryption
    OIDCCryptoPassphrase secretsecretsecret
    # Keycloak realm discovery document (endpoints, signing keys)
    OIDCProviderMetadataURL https://keycloak.example.com/auth/realms/realmnamehere/.well-known/openid-configuration
    # client registered in the realm for this web server
    OIDCClientID my-web-server
    OIDCClientSecret secretsecretsecret
    # callback URL; must be under a Location protected by AuthType openid-connect
    OIDCRedirectURI https://example.com/authenticated/
    # claim that becomes REMOTE_USER for the proxied app
    OIDCRemoteUserClaim preferred_username

    <Location /authenticated/>
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /sonarr/>
        AuthType openid-connect
        Require valid-user
    </Location>

    # Sonarr
    ProxyPass /sonarr http://localhost:8989/sonarr
    ProxyPassReverse /sonarr http://localhost:8989/sonarr

This basically ensures that if you try to visit https://example.com/sonarr you'll get redirected to Keycloak and asked to log in. It's the main reason I'm still running Apache instead of nginx because I haven't figured out an easy way to do this with nginx. I think you can do it with some custom Lua and an extension?


Looks like a Plus Feature, or indeed much config: https://developers.redhat.com/blog/2018/10/08/configuring-ng...


Yes, I believe the way to do it with the free version is to use this: https://github.com/zmartzone/lua-resty-openidc

You'd have to be careful with custom code like this, though, because it's very easy to try to get the server to send a redirect but end up sending actual content that just has its HTTP status code changed to 301. The example seems to fail with 500 instead of redirecting, that's one way to do it.
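As an added example (not posted in this thread and not taken from the lua-resty-openidc project's own documentation), this is the nginx/OpenResty counterpart of the Apache rules in the first comment, built around lua-resty-openidc's `authenticate()` call. The hostnames, realm, client credentials and the Sonarr backend address are placeholders carried over from that comment; the `X-Remote-User` header name is an assumption standing in for what `OIDCRemoteUserClaim` does in Apache. The `err` branch shows the point raised above: the handler must stop the request with `ngx.exit`, otherwise the access phase falls through and the proxied content is served with nothing but a changed status code.

```nginx
# Added example, not from the thread or the lua-resty-openidc project.
# Placeholders: example.com, keycloak.example.com, realmnamehere, my-web-server,
# secretsecretsecret, localhost:8989 (all carried over from the Apache config above).

http {
    # The Lua code fetches the discovery document and JWKS from Keycloak over TLS,
    # so nginx needs a resolver and a trust store for that outbound connection.
    resolver 127.0.0.53;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    # Shared caches for the provider metadata and its signing keys.
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

    server {
        listen 443 ssl;
        server_name example.com;
        # ssl_certificate / ssl_certificate_key omitted for brevity

        # Protect /sonarr/ the same way the Apache <Location /sonarr/> block does.
        location /sonarr/ {
            access_by_lua_block {
                local opts = {
                    -- The callback path lives inside this protected location so the
                    -- same access handler sees the provider's response (the nginx
                    -- equivalent of OIDCRedirectURI sitting under a protected Location).
                    redirect_uri  = "https://example.com/sonarr/redirect_uri",
                    discovery     = "https://keycloak.example.com/auth/realms/realmnamehere/.well-known/openid-configuration",
                    client_id     = "my-web-server",
                    client_secret = "secretsecretsecret",
                    scope         = "openid",
                }

                -- authenticate() either finds a valid session and returns it, handles
                -- the callback at redirect_uri, or sends the browser to Keycloak's
                -- login page with a 302 and ends the request itself.
                local res, err = require("resty.openidc").authenticate(opts)

                if err then
                    -- Fail closed. Setting ngx.status alone is not enough: without
                    -- ngx.exit the request continues into proxy_pass and the backend's
                    -- content goes out with a 500 (or 301) status stuck on it.
                    ngx.status = ngx.HTTP_INTERNAL_SERVER_ERROR
                    ngx.say("OpenID Connect authentication failed")
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end

                -- Counterpart of OIDCRemoteUserClaim preferred_username: hand the
                -- verified identity to the backend, overwriting any value the client sent.
                ngx.req.set_header("X-Remote-User", res.id_token.preferred_username)
            }

            proxy_pass http://localhost:8989/sonarr/;
        }
    }
}
```

The backend should only trust `X-Remote-User` because nginx is the sole path to it (as with Apache's `REMOTE_USER`, the value is overwritten on every proxied request, but a backend reachable directly on port 8989 would accept a forged one). Session cookie attributes such as Secure and HttpOnly are governed by lua-resty-session, which lua-resty-openidc uses underneath, and are configured separately from the options shown here.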



