Thank you for your docker image. I'm a complete novice to OAuth, but with your image I was able to successfully deploy a secured landing page and reverse proxy two web apps (that are in turn now also secured with Google OAuth).

I'm experiencing an odd problem and have no idea how to troubleshoot it. The signout URI works successfully in three different browsers (Firefox & Safari on macOS and Safari on iOS) but effectively does nothing in Chrome (macOS).

When following the /_signout URL in Chrome, the login token remains current and / simply reloads, still logged in.

It's hard to imagine that Chrome itself is the problem as the transaction is straightforward and should trigger the appropriate actions in the Docker image. And, yet, it's the only browser in which this does not work.

Any ideas?

Tried putting resolver 8.8.8.8 in nginx conf (not sure why ipv6=off is not working)

2016/12/08 15:41:44 [error] 4802#0: *344 [lua] access.lua:202: authorize(): got error during access token request: accounts.google.com could not be resolved (110: Operation timed out)

Please help.

I'm trying to have more than one email in the whitelist, but I don't now how to format the list. Try comas & whitespace but no luck.

I did look at the source, but I don't really speak Lua, so it was unclear if there was a solution for this.

I had been running without NGO_WHITELIST set, so while it required a user to login through google, there was no limiting who could log in. Today, I set NGO_WHITELIST to include a particular email account, and I was able to continue viewing contents. As a test, I signedout (_signout). Afterwards 403 errors, and there is no way to sign back in , so long as I have NGO_WHITELIST set. I have to stop my container, restart it without NGO_WHITELIST, (get credentials again), then restop the container and then restart it again with the NGO_WHITELIST value set.

Unfortunately this means the current behavior makes it impossible for me (or any other user) to make use of our websites, as its not possible to 'log in' unless you're already logged in.

I've installed the loa module on my raspberry pi 1 which i'm using as a reverse proxy.

I've tried to protect one of my locations via the oauth2 module:

  location ~ ^/(ifttt|_oauth) {
      set $ngo_client_id         "123demo.apps.googleusercontent.com";
      set $ngo_client_secret     "secret";
      set $ngo_token_secret      "mysecret";
      set $ngo_secure_cookies    "true";
      set $ngo_http_only_cookies "true";
      access_by_lua_file "/etc/nginx/lua/access.lua";
  }

And added the resolver and ssl config for lua.

After getting the request in /_oauth i get a returncode 500 and this error in the errorlog:

error] 4207#4207: *4 lua entry thread aborted: runtime error: /etc/nginx/lua/access.lua:64: attempt to index upvalue 'domain' (a nil value)
stack traceback:
coroutine 0:
        /etc/nginx/lua/access.lua: in function 'check_domain'
        /etc/nginx/lua/access.lua:92: in function 'on_auth'
        /etc/nginx/lua/access.lua:234: in function 'authorize'

I've also tried to specify a domain, but same result.
set $ngo_domainn "gmail.com";

Is this a config problem or a bug?

Hello,

I would like to provide custom location directives such as below but I do not understand how to provide them within the environment variable LOCATIONS. Would you have a small example?

location / {
  proxy_pass http://node:3000/;
}

Thanks!

Hi,

I'm currently playing with whitelist/blacklist functionality.

I want to whitelist some emails, and deny all the rest, how I do this ?

[email protected]
NGO_BLACKLIST=*

is i.e. not working

With

[email protected]

I can still access with [email protected]

With

[email protected]

I can no longer access with [email protected]

Can we have multiple domains (say, space separated) in $ngo_domain ?

Hi, thanks for this piece of work. It seems to be exactly waht I'm looking for.
Unfortunately I cannot get it to work.
I get the redirect to accounts.google.com but on the way back it seems to crash (sorry for not being more precise...)

I get an 403 and this in the logs

ccess.lua:202: authorize(): got error during access token request: no resolver defined to resolve "accounts.google.com", ...

I've got no idea what that means.

I configured a nginx reverse proxy and everything worked ok when I tested in a standard web page but when i try to make it work to an openstack dashboard, afer logon I'm getting a 401 Authorization Required

error.log file

2018/07/27 09:25:55 [error] 1311#0: *1 [lua] access.lua:103: received temporary failure in name resolution from https://accounts.google.com/o/oauth2/token, client: 10.10.1.10, server: openstack.domain.com, request: "GET /_oauth?state=https%3A%2F%2Fopenstack.domain.com%2F&code=4%2FAADynPaXKhvDJ_4bfB88kiO-OC_G0DWtjXjG1i-XY7sKou-5KF6i26Q39Su1CHHU_y-R1ls0qYqylFKbUwqTmfw HTTP/1.1", host: "openstack.domain.com", referrer: "https://accounts.google.es/"

oauth.conf file

some parts are oculted to security

worker_processes  1;

events {
    worker_connections  1024;
}

 http {
    server {
      server_name openstack.domain.com;
      listen 443;

      ssl on;
      ssl_certificate XXXXXX;
      ssl_certificate_key XXXXX;

      set $ngo_client_id "ID";
      set $ngo_client_secret "secret";
      set $ngo_secure_cookies "true";
      set $ngo_token_secret "secret";
      set $callback_host "openstack.domain.com";
      set $ngo_whitelist "whitelisted users";

      lua_code_cache off;
      access_by_lua_file "../access.lua";

#     header_filter_by_lua "ngx.header.content_length = nil";
#      body_filter_by_lua_file "../body_filter.lua";

  location / {
    header_filter_by_lua "ngx.header.content_length = nil";
    body_filter_by_lua_file "/etc/nginx/nginx-google-oauth/body_filter.lua";

    proxy_set_header Accept-Encoding "";
    proxy_pass https://openstack.domain.com/;

    }
}
}

There is something i missed?

Hello,

When I use the Docker image for nginx-google-oauth, everything works fine when I do not use SSL. However, when I use SSL, I see the error:

2017/08/12 02:12:41 [error] 8#0: *1 lua ssl certificate verify error: (20: unable to get local issuer certificate), client: IP_HERE, server: , request: "GET /_oauth?state=httpsURL_HERE&code=THE_CODE HTTP/1.1", host: "MY_HOST", referrer: "https://accounts.google.com/CheckCookie"

I have set the PORT environment variable to 443 ssl, as just 443 does not enable SSL. I am also using a custom version of /etc/nginx/sites-available/default, which is below:

lua_package_path '/etc/nginx/lua/?.lua;';

server {
    listen %port%;

    resolver 8.8.8.8 ipv6=off;

    lua_ssl_trusted_certificate /etc/nginx/certs/SOMETHING.ca.crt;
    lua_ssl_verify_depth        5;
    # TODO: add ssl_certificate and ssl_certificate_key here

    ssl_certificate     /etc/nginx/certs/SOMETHING.pem;
    ssl_certificate_key /etc/nginx/certs/SOMETHING.key;


    error_log /dev/stderr notice;
    access_log /dev/stdout;

    set_by_lua $ngo_callback_host '
      if os.getenv("NGO_CALLBACK_HOST") then
        return os.getenv("NGO_CALLBACK_HOST")
      else
        return ngx.var.host
      end
    ';

    set_by_lua $ngo_callback_scheme    'return os.getenv("NGO_CALLBACK_SCHEME")';
    set_by_lua $ngo_callback_uri       'return os.getenv("NGO_CALLBACK_URI")';
    set_by_lua $ngo_signout_uri        'return os.getenv("NGO_SIGNOUT_URI")';
    set_by_lua $ngo_client_id          'return os.getenv("NGO_CLIENT_ID")';
    set_by_lua $ngo_client_secret      'return os.getenv("NGO_CLIENT_SECRET")';
    set_by_lua $ngo_token_secret       'return os.getenv("NGO_TOKEN_SECRET")';
    set_by_lua $ngo_secure_cookies     'return os.getenv("NGO_SECURE_COOKIES")';
    set_by_lua $ngo_http_only_cookies  'return os.getenv("NGO_HTTP_ONLY_COOKIES")';
    set_by_lua $ngo_extra_validity     'return os.getenv("NGO_EXTRA_VALIDITY")';
    set_by_lua $ngo_domain             'return os.getenv("NGO_DOMAIN")';
    set_by_lua $ngo_whitelist          'return os.getenv("NGO_WHITELIST")';
    set_by_lua $ngo_blacklist          'return os.getenv("NGO_BLACKLIST")';
    set_by_lua $ngo_user               'return os.getenv("NGO_USER")';
    set_by_lua $ngo_email_as_user      'return os.getenv("NGO_EMAIL_AS_USER")';

    access_by_lua_file "/etc/nginx/lua/nginx-google-oauth/access.lua";

    expires 0;

    add_header Google-User $ngo_user;

    include /etc/nginx/snippets/demo-locations.conf;
}

I merely changed it to include the ssl_certificate and ssl_certificate_key statements. My Dockerfile adds SOMETHING.ca.crt, SOMETHING.pem, and SOMETHING.key to the /etc/nginx/certs/ directory. Please let me know if you see any issues, or if I need to do anything else. I have also tried not including the ssl_certificate or the ssl_certificate_key statements, but this did not work either.

Hello,

I followed all steps in order to make it to work and everything was just fine.

After I added the configuration text to my default.conf file I'm getting the following error when I visit the page in my browser.

error.log

017/04/10 15:36:12 [error] 26805#0: *1 lua entry thread aborted: runtime error: /usr/local/openresty/nginx/conf/access.lua:18: attempt to concatenate local 'cb_server_name' (a nil value)
stack traceback:
coroutine 0:
	/usr/local/openresty/nginx/conf/access.lua: in function </usr/local/openresty/nginx/conf/access.lua:1>, client: 190.215.222.225, server: _, request: "GET / HTTP/1.1", host: "34.207.73.69"

Here's the whole configuration file:

server {
    # Listen on port 80.
    listen 80 default_server;
    listen [::]:80 default_server;

    # The document root.
    root /usr/local/openresty/nginx/html/default;

    # Add index.php if you are using PHP.
    index index.html index.htm;

    # The server name, which isn't relevant in this case, because we only have one.
    server_name _;

    ### CUSTOM: Nginx Google Auth
    set $ngo_client_id      "-removed-";
    set $ngo_client_secret  "-removed-";
    set $ngo_token_secret   “-removed-”;
    set $ngo_secure_cookies "true";

    access_by_lua_file "/usr/local/openresty/nginx/conf/access.lua";
    ### CUSTOM: Nginx Google Auth

    # When we try to access this site...
    location / {
        # ... first attempt to serve request as file, then as a directory,
        # then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
   
   # Reverse proxy for Jenkins URI.
    location /jenkins {
        proxy_pass  http://172.31.39.122:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

I would appreciate any help, thanks.

after a successful google login I am redirected back to my app where the page throws a 403 error

Behavior is similar to #31 but I have this problem on both Chrome and Firefox and I've turned on dev tools to disable caching and no change.

When I first go to the nginx website using this module, it asks me to login via google but once I do that, I stay logged on forever (days). This is true on Chrome and Firefox. I haven't set the $ngo_extra_validity so I don't know why my cookie hasn't expired. I then added a href link to _signout and when I click that, I get a 302 for that _signout , then a 302 to / then a 302 to accounts.google.com and then a 302 back to my domain with _oauth?state=blah and finally a 200 to my root page. But no logout.

I'm not using the docker image, but installed this directly on my Raspberry Pi.

Thanks,

It is throwing an error while connecting to accounts.google.com

lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/resty/http.lua:136: attempt to call method 'sslhandshake' (a nil value)
stack traceback:
coroutine 0:
/usr/local/share/lua/5.1/resty/http.lua:136: in function 'ssl_handshake'
/usr/local/share/lua/5.1/resty/http.lua:789: in function 'request_uri'
/etc/nginx/auth/access.lua:105: in function 'request_access_token'
/etc/nginx/auth/access.lua:203: in function 'authorize'

[Since I don't know the upstreaming status of this repo against Agora Games's one, just copying to give visibility to agoragames/nginx-google-oauth#14]

G Suite has a Groups feature: https://support.google.com/a/answer/33329
Instead of white/blacklist or domain, membership of a G Suite Group would provide a more streamlined, granular and easy management of allowed users.
Also as done on bitly's oauth_proxy2

I'm trying to configure the nginx with a custom port.
For example:
https://server.com:8443/

But the callback, is always set to https://server.com/_oauth, instead of https://server.com:8443/_oauth.

I was able to do this by adding ngo_callback_host to server.com:8443, but with this I cannot use the localhost approach (using ngo.lol).

Our organization has its own Google domain for emails and the authentication works just fine for everyone with such an email address ([email protected]). However, we have a few external partners (freelancers etc.) with gmail.com email addresses ([email protected]) which we would also like to authenticate using Google OAuth.

We would like to keep using $ngo_domain such that all our employees (present and future) will be automatically authenticated, in combination with $ngo_whitelist for those few special users who have gmail.com addresses but not within our domain, like this:

set $ngo_domain "example.com";
set $ngo_whitelist "[email protected] [email protected]";

However, it seems that this is by design currently not possible since $ngo_domain is not respected if either $ngo_whitelist or $ngo_blacklist are set.

Hello,

According to http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html, there is a vulnerability with Nginx 1.6.2 that you use. Can you please upgrade the Nginx binary you're installing to version 1.13.3, which fixes this problem?

On V1.1.1, running into exception unknown directive "lua_package_path" in /etc/nginx/nginx.conf when creating nginx pod.
Specifying the absolute file path to lua in http block in nginx.conf works fine in V1.1 but not V1.1.1

http {
    lua_package_path "/etc/nginx/lua/?.lua;;";

Has there been any changes to loading the nginx-lua package?

Unless you know Lua, using this project is more difficult to use than it should be.

It needs to be mentioned in the documentation that some of the variables, such as $ngo_domain, are non-optional and need to be set, at least to the empty string otherwise you get a traceback where lua complains about calling len() on a nil value.

More subtle is how to deal with lua ssl certificate verify error: (20: unable to get local issuer certificate), which is caused by use of resty.http and thus you need to provide:

lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

The implementation uses the the redirect_url as state param. The returned state is never checked anyway. state should be a random nonce to prevent CSRF attacks.

Hi

We need to whitelist some internal IPs ... how to achieve this?
i'm trying this, but does not seem to work:

allow 192.168.1.1/32;
satisfy all;

If there is no support for this, how about adding $ngo_whitelist_ip and $ngo_blacklist_ip , that will bypass oauth and always return 403 respectively

Hi!

I'd like to access the same app protected by google-oauth through nginx-google-oauth through the CLI/programatically.

I'm wondering if I could use a Google Service Account (2-legged oauth) to access the protected app?

I've searched around in the documentation (https://developers.google.com/identity/protocols/OAuth2ServiceAccount) and from what I understood, it's only meant to access Google APIs.

Thanks!