Comments (21)
@willejs I have something in mind =)
from oauth2_proxy.
@willejs It's a little rough around the edges, but does jehiah/private_s3_httpd work for you?
from oauth2_proxy.
or go oauth_proxy -> nginx -> s3 (as an nginx upstream)
from oauth2_proxy.
Plain nginx upstream won't work for a private s3 bucket, which is the request here. I did think that for a second, but realized that there's not much cause to use oauth2_proxy (just) for a public s3 bucket.
from oauth2_proxy.
well let's just have a code review reunion in here...
paging @jlintz @jphines @mccutchen @dlotterman
from oauth2_proxy.
@ploxiln yes it would, you can use an s3 auth token to request the file from the upstream and then serve it via nginx
from oauth2_proxy.
@sricola oh? point me to some docs for that as that would sort of obsolete the code I just wrote =)
from oauth2_proxy.
did someone call a top 2% python coder?
steps in
Yea @sricola is correct, you can actually proxy to s3 and set your tokens in the headers, here's a good example: https://coderwall.com/p/rlguog/nginx-as-proxy-for-amazon-s3-public-private-files (assuming I understood things correctly)
from oauth2_proxy.
nice, that's good to know.
from oauth2_proxy.
It looks like every access to S3 still requires a signature. That blog post suggests including the signature (and expires timestamp) as a parameter in all the public URLs (and then adding other needed headers/parameters in nginx).
from oauth2_proxy.
You can modify the request before passing it through the upstream within Nginx - thereby adding the signature et al without having the original request need it.
On Tuesday, July 7, 2015, Pierce Lopez wrote:
> It looks like every access to S3 still requires a signature. That blog post suggests including the signature (and expires timestamp) as a parameter in all the public URLs (and then adding other needed headers/parameters in nginx).
srivatsa
from oauth2_proxy.
... but then nginx needs to know or calculate the signature needed for each file (it'll be different). So you'd need a location clause for each file, or an nginx plugin which can do that...
from oauth2_proxy.
😂
from oauth2_proxy.
Well. The signature is actually pretty trivial if you have the access key/secret. Or you can use IAM roles and fetch credentials in realtime from the instance metadata.
On Tuesday, July 7, 2015, Matt Reiferson wrote:
> 😂
srivatsa
from oauth2_proxy.
http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
On Tuesday, July 7, 2015, Srivatsa Ray wrote:
> Well. The signature is actually pretty trivial if you have the access key/secret. Or you can use IAM roles and fetch credentials in realtime from the instance metadata.
> On Tuesday, July 7, 2015, Matt Reiferson wrote:
> > 😂
srivatsa
from oauth2_proxy.
ok yes it's not particularly hard, if you've installed the out-of-tree ngx_set_misc module to get set_hmac_sha1 and set_encode_base64, and composed the string to sign correctly.
jlintz' "good example" link does not do these things. So I guess my point is that it's probably an equivalent amount of effort and config/deploy management to use something like private_s3_httpd
from oauth2_proxy.
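The per-object signing discussed in the comments above, as an added example (not code from any participant, oauth2_proxy or private_s3_httpd): it composes the string to sign from the linked RESTAuthentication document (AWS Signature Version 2; newer S3 regions expect Signature Version 4, which signs per request in the same way with a different string) and applies HMAC-SHA1 then base64, the two steps set_hmac_sha1 and set_encode_base64 perform. Credentials, bucket, object keys and all function names are constructed or hypothetical.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

# Constructed placeholder credentials (not real keys). With an IAM role, the
# access key, secret and token would come from the instance metadata instead.
STATIC_CREDS = {"access_key": "EXAMPLEACCESSKEYID00", "secret_key": "example-secret"}
ROLE_CREDS = dict(STATIC_CREDS, token="example-session-token")


def string_to_sign(method, bucket, key, date, amz_headers=None):
    """Signature Version 2 string to sign for a path-style object request."""
    # x-amz-* headers are lower-cased, sorted and emitted as "name:value\n".
    amz = sorted((n.lower(), v.strip()) for n, v in (amz_headers or {}).items())
    canon_amz = "".join(f"{n}:{v}\n" for n, v in amz)
    # Content-MD5 and Content-Type are empty for a plain GET. The key must be
    # spelled exactly as it appears in the request URI (already URL-encoded).
    return f"{method}\n\n\n{date}\n{canon_amz}/{bucket}/{key}"


def sign(secret_key, to_sign):
    """base64(HMAC-SHA1(secret, string)): set_hmac_sha1 then set_encode_base64."""
    mac = hmac.new(secret_key.encode(), to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def upstream_headers(creds, bucket, key, date=None):
    """Headers a proxy adds before passing a GET upstream to S3."""
    date = date or formatdate(usegmt=True)  # e.g. "Tue, 07 Jul 2015 12:00:00 GMT"
    amz = {}
    if creds.get("token"):  # temporary credentials: the token is signed too
        amz["x-amz-security-token"] = creds["token"]
    sig = sign(creds["secret_key"], string_to_sign("GET", bucket, key, date, amz))
    return {"Date": date, "Authorization": f"AWS {creds['access_key']}:{sig}", **amz}


if __name__ == "__main__":
    fixed = "Tue, 07 Jul 2015 12:00:00 GMT"  # constructed sample date
    for obj in ("docs/a.html", "docs/b.html"):  # constructed object keys
        hdrs = upstream_headers(STATIC_CREDS, "example-bucket", obj, date=fixed)
        print(obj, hdrs["Authorization"])
```

Because the object path and the date are both inside the signed string, the Authorization value has to be computed per request rather than fixed once in the proxy configuration.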
LOL. I'd rather recompile a widely used open source package - with some extra options than write custom code to re-invent the wheel. That's just me, and you don't have to agree with that viewpoint.
from oauth2_proxy.
It's ok @sricola private_s3_httpd now counts as a widely used open source package, so you can use that. No extra options or recompile needed. 😉
from oauth2_proxy.
I want to frame this thread and hang it on my wall.
💯 💯 💯
from oauth2_proxy.
@jehiah That code looks like it would work, for me, but...
It would be nicer if oauth2_proxy would support it as a backend too? Is it out of scope for the project?
from oauth2_proxy.
@willejs Yeah, I've been pondering that. I think I'm landing on the side of "out of scope" in preference of keeping this focused on authentication not file serving.
from oauth2_proxy.