Authentication proxy for all incoming requests
We would like to provide a multi tenant application that identifies the tenant based on a subdomain. As authentication server we use Keycloak, in which each tenant has its own realm.
Now we want to authenticate all requests to our application using a auth proxy. If the request is already authenticated (it has a cookie), the request should be forwarded to the backends. If the request is not yet authenticated (it does not have a cookie), the request should be forwarded to Keycloak and to the correct realm based on the subdomain and an oAuth flow should be initiated. After successful login, a cookie should be set so that all subsequent requests are authenticated. This is exactly the functionality offered by oauth2-proxy. However, we have the further requirement that we have different realms that map the individual tenants. This is not possible with oauth2-proxy at the moment.
Is there another solution besides oauth2-proxy that offers this functionality (possibly Nginx or a plugin for it)?
Thanks
Comments (1)
OIDC PLUGIN
You could use lua-resty-openidc with any Lua-based Nginx system, e.g. Kong or OpenResty. This is an established plugin that does the same job as oauth2-proxy. You can have multiple instances of it configured, for different paths, representing different tenants:
There are also various ways to look at input criteria, such as an origin header, and re-route accordingly, which can be useful sometimes, though there is a learning curve.
DESIGN
I would question your design a little though. Multiple realms effectively means your apps need to deal with multiple authorization servers, which is a complex setup. E.g. APIs need to validate multiple types of access token.
If possible, prefer a solution where you use a single authorization server and simply add a tenant ID claim to access tokens, then ensure that APIs deny access to tenant 2 data for users from tenant 1.
This related answer on multiple realms for a single application (https://stackoverflow.com/questions/68909371/how-to-to-authenticate-users-from-different-realms-against-a-single-application) also discusses some trade offs around how data can be accessed.
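As an added example (not part of the answer above and not lua-resty-openidc's own documentation), an OpenResty configuration that picks the Keycloak realm from the request subdomain and runs lua-resty-openidc with a per-tenant configuration; the hostnames keycloak.example.com and example.com, the tenant table, client IDs, secrets and the session secret are placeholders.

```nginx
# OpenResty + lua-resty-openidc: one Keycloak realm per tenant subdomain (example).
resolver 8.8.8.8;                 # needed to fetch the realm's discovery document
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
server {
  listen 443 ssl;                 # ssl_certificate / ssl_certificate_key omitted
  server_name ~^(?<tenant>[a-z0-9-]+)\.example\.com$;
  set $session_secret "CHANGE_ME_random_32_bytes";   # placeholder, read by lua-resty-session
  location / {
    access_by_lua_block {
      -- Allowlist of tenants: only these subdomains map to a realm, so a
      -- crafted Host header cannot select an arbitrary realm or client.
      local tenants = {
        acme   = { realm = "acme",   client_id = "portal", client_secret = "SECRET_A" },
        globex = { realm = "globex", client_id = "portal", client_secret = "SECRET_B" },
      }
      local t = tenants[ngx.var.tenant]
      if not t then
        ngx.log(ngx.WARN, "unknown tenant subdomain: ", ngx.var.host)
        return ngx.exit(ngx.HTTP_NOT_FOUND)
      end
      local opts = {
        -- Keycloak 17+ path; older releases prefix it with /auth
        discovery = "https://keycloak.example.com/realms/" .. t.realm
                    .. "/.well-known/openid-configuration",
        client_id = t.client_id,
        client_secret = t.client_secret,
        -- Callback on the tenant's own host so the session cookie stays host-scoped.
        redirect_uri = "https://" .. ngx.var.host .. "/redirect_uri",
        scope = "openid email",
        ssl_verify = "yes",
      }
      -- No valid session cookie: redirect the browser into this realm's OAuth flow.
      -- Valid cookie: returns the ID token claims for the request.
      local res, err = require("resty.openidc").authenticate(opts)
      if err then
        ngx.log(ngx.ERR, "openidc: ", err)
        return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
      end
      -- Never trust identity headers sent by the client; set them only here.
      ngx.req.clear_header("X-Tenant")
      ngx.req.clear_header("X-User")
      ngx.req.set_header("X-Tenant", t.realm)
      ngx.req.set_header("X-User", res.id_token.sub)
    }
    proxy_pass http://backend;
  }
}
```

The backend should still check that the X-Tenant value matches the data it is about to return, which is the tenant-isolation point the DESIGN section raises.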