\n
![](\"https:\/\/jirak.net\/wp\/wp-content\/uploads\/2016\/09\/jwt-openid-connect-sso-flow.png\")
<\/p>\nAuthenticating Users to Existing Applications with OpenID\u00a0Connect and NGINX\u00a0Plus
\n<\/p>\n
OAuth 2.0 has done much to transform the flexibility and user experience of authenticating to websites and applications. But despite the name, the OAuth 2.0 specification<\/a> says very little about verifying end‑user identity and nothing about single sign‑on (SSO). That\u2019s where OpenID Connect<\/a> comes in – it is essentially the missing piece that carries identity information in OAuth 2.0 access tokens.<\/p>\n OpenID Connect identity tokens comply with the JSON Web Token (JWT) specification<\/a>. JWT (pronounced \u201cjot\u201d) tokens are compact, easy to pass around, and provide a common core schema for describing identity information. The great thing about JWTs is that they can be applied to almost any identity use case, from authenticating API clients to providing SSO for enterprise applications. In fact, many organizations that use Google Apps can utilize Google as the identity provider to provide SSO to their enterprise applications<\/a>. That said, the use of OpenID Connect and JWTs does not prevent them being used to authenticate to, or provide SSO for, existing web applications.<\/p>\n NGINX Plus R10 and later includes native JWT support, enabling NGINX Plus to validate tokens and decorate upstream requests with the identity of the authenticated user in a way that the application can easily consume. In this blog post we demonstrate how to use the native JWT support in NGINX Plus to enable SSO for existing applications without any changes required to the applications themselves. We’re using Google as the identity provider and a simple website to represent the application. The end‑to‑end flow looks like this:<\/p>\n Our example has two components: the NGINX Plus configuration and the HTML login page.<\/p>\n The NGINX Plus configuration for validating JWTs is very simple.<\/p>\n location \/private\/ { <\/code><\/p>\n The The <\/code><\/p>\n To keep this example simple and straightforward, we aren’t building an entire application. Instead we’re using the following basic HTML to create a login page. The HTML file is called \/var\/www\/public_html\/index.html<\/strong> (this matches the <\/code><\/p>\n We’ve highlighted two key dependencies in the With these pieces in place we now have a public homepage with Google\u2019s login mechanism and a private area protected by NGINX Plus. Note that we didn\u2019t create any content for our private area so a For details about advanced JWT functionality, see Authenticating API Clients with JWT and NGINX Plus<\/a>. It explains how to proxy authenticated requests with user identity information obtained from the JWT, log JWT claims, and support multiple identity providers.<\/p>\n To explore the native JWT support in NGINX Plus R10 and later for yourself, start your free 30‑day trial<\/a><\/span> today or contact us<\/a> for a live demo.<\/p>\n Access the Google Developer’s Console at https:\/\/console.developers.google.com\/start<\/a>.<\/p>\n The page that opens depends on your history with Google APIs. You might have to create an account, accept terms of use, and perform other steps not shown in these instructions. <\/p>\n Ultimately you need to access the Google APIs dashboard<\/a>. The following screenshot shows the upper left corner of the dashboard. Click the word to the right of the Google APIs<\/strong> logo (if you have previously created a project, its name might appear instead of the word Project<\/strong>). Select Create project<\/strong>.<\/p>\n Create a new project. Here our new project is called NGINX OpenID<\/strong>. After you click the Create<\/strong> button, it can take several seconds before a notification appears indicating your project has been created.<\/p>\n Enable the Google+ API for your project. It provides OAuth 2.0 authentication and identity services.<\/p>\n (If the API Manager dashboard doesn’t already appear in the main part of the window, click Dashboard<\/strong> in the navigation area on the left of the screen.)<\/p>\n The first step in enabling the Google+ API is to click the ENABLE API<\/strong> button.<\/p>\n Click Google+ API<\/strong> (in the Social APIs<\/strong> section).<\/p>\n Click the ENABLE<\/strong> button.<\/p>\n To create credentials for your project, click Credentials<\/strong> in the navigation area on the left of the screen, then click the Create Credentials<\/strong> button.<\/p>\n Select OAuth client ID<\/strong> on the drop‑down menu.<\/p>\n Select the Web application<\/strong> radio button. In the Authorized JavaScript origins<\/strong> field, specify the URL for the host where NGINX Plus is installed and the port number you specified as the parameter to the Click the Create<\/strong> button (you might need to click it more than once to make the creation process start).<\/p>\n The OAuth client<\/strong> window pops up to report your client ID and client secret. Copy the client ID to the On main Credentials<\/strong> screen, click OAuth consent screen<\/strong>. Provide your email address and a product name (all other fields are optional).<\/p>\n To explore the native JWT support in NGINX Plus R10 and later for yourself, start your free 30‑day trial<\/a><\/span> today or contact us<\/a> for a live demo.<\/p>\n The post Authenticating Users to Existing Applications with OpenID Connect and NGINX Plus<\/a> appeared first on NGINX<\/a>.<\/p>\n Source: Authenticating Users to Existing Applications with OpenID\u00a0Connect and NGINX\u00a0Plus<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Authenticating Users to Existing Applications with OpenID\u00a0Connect and NGINX\u00a0Plus Using JWT support to provide SSO for existing applications OAuth 2.0 has done much to transform the flexibility and user experience of authenticating to websites and applications. But despite the name, the OAuth 2.0 specification says very little about verifying end‑user identity and nothing about single sign‑on (SSO). That\u2019s where OpenID Connect comes in – it is essentially the missing piece that carries identity information in OAuth 2.0 access tokens. OpenID Connect identity tokens comply with the JSON Web Token (JWT) specification. JWT (pronounced \u201cjot\u201d) tokens are compact, easy to pass around, and provide a common core schema for describing identity information. The great thing about JWTs is that they can be applied to almost any identity use case, from authenticating API clients to providing SSO for enterprise applications. In fact, many organizations that use Google Apps can [ more… ]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":10136,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[169],"tags":[652],"class_list":["post-10135","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-nginx"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/10135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/comments?post=10135"}],"version-history":[{"count":1,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/10135\/revisions"}],"predecessor-version":[{"id":10137,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/10135\/revisions\/10137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/media\/10136"}],"wp:attachment":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/media?parent=10135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/categories?post=10135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/tags?post=10135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Diagram](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/jwt-openid-connect-sso-flow.png\")
Enabling OpenID Connect for Your Web Application<\/h2>\n
NGINX Plus Configuration<\/h3>\n
server {
\n listen 80;
\n root \/var\/www\/public_html;<\/p>\n
\n auth_jwt \"Google account\" token=$cookie_auth_token;
\n auth_jwt_key_file \/etc\/nginx\/google_certs.jwk;
\n }
\n}<\/pre>\nlocation<\/code> block specifies that any requests to URLs beginning with \/private\/<\/strong> must be authenticated. The auth_jwt<\/code><\/a> directive defines the authentication realm that will be returned (along with a 401<\/code>) if authentication is unsuccessful, and where in the request NGINX Plus can find the JWT. In this case it expects to find the token in a cookie named auth_token<\/strong>. By default, NGINX Plus expects clients to present the JWT as a Bearer Token<\/em><\/a>, using the Authorization<\/code> header as is common with AJAX applications and API clients<\/a>, but it can also obtain the JWT from other HTTP headers, query string arguments, or a cookie as in this example.<\/p>\nauth_jwt_key_file<\/code><\/a> directive tells NGINX how to validate the signature element of the JWT. Signature validation ensures that the JWT was issued by Google and has not been modified since. Google publishes its public keys<\/a> and refreshes them regularly. To maintain an up‑to‑date set of keys, use cron(8)<\/code> to fetch them hourly, as in this sample crontab<\/code> entry.<\/p>\n0 * * * * wget https:\/\/www.googleapis.com\/oauth2\/v3\/certs -O \/etc\/nginx\/google_certs.jwk<\/pre>\nHTML-Based Login Page<\/h3>\n
root<\/code> path we defined in the NGINX Plus configuration).<\/p>\n<html>
\n<head>
\n <meta http-equiv=\"cache-control\" content=\"no-cache\" \/>
\n <meta http-equiv=\"expires\" content=\"0\" \/>
\n <title>NGINX OpenID Connect demo<\/title>
\n <script src=\"https:\/\/apis.google.com\/js\/platform.js\" async defer><\/script>
\n <meta name=\"google-signin-scope\" content=\"profile email\">
\n <meta name=\"google-signin-client_id\"
\n content=\"client-ID<\/em>.apps.googleusercontent.com<\/strong><\/span>\">
\n <script src=\"https\/\/tools.ietf.org\/js.cookie.js\"><\/script><\/strong><\/span>
\n<\/head>
\n<body>
\n <h2>NGINX OpenID Connect demo<\/h2>
\n <hr\/>
\n <h3>Login with a Google account then visit the <a href=\"\/private\/\">private area<\/a>.<\/h3>
\n <table><tr><td>
\n <div class=\"g-signin2\" data-onsuccess=\"onSignIn\" data-theme=\"dark\"><\/div><\/td>
\n <script>
\n function onSignIn(googleUser) {
\n var profile = googleUser.getBasicProfile();
\n Cookies.set('auth_token', googleUser.getAuthResponse().id_token);
\n document.getElementById('google_signout').innerHTML = '<a href=\"#\" onclick=\"signOut();\"><img src=\"' + profile.getImageUrl() + '\" width=32 height=32>Sign out<\/a>';
\n };
\n function signOut() {
\n var auth2 = gapi.auth2.getAuthInstance();
\n auth2.signOut().then(function () {
\n Cookies.remove('auth_token');
\n document.getElementById('google_signout').innerHTML = '';
\n });
\n }
\n <\/script>
\n <td><div id=\"google_signout\"><\/div><\/td>
\n <\/tr><\/table>
\n <hr\/>
\n<\/body>
\n<\/html><\/pre>\n<head><\/code> block. <\/p>\n\n
<meta name=\"google‑signin‑client_id\"><\/code> tag – We are using Google\u2019s OAuth 2.0 JavaScript API<\/a> to perform the OAuth 2.0 end‑user consent and authentication process. This is what gives us the login button and can detect whether we are logged in or not. In order for our website to be authenticated by Google, we need to create an OAuth 2.0 client ID and provide that as the content<\/code> attribute to this tag, replacing the client-ID<\/code><\/em><\/strong> placeholder. For instructions on creating a new OAuth 2.0 client ID, see the Appendix<\/a> at the bottom of this article.<\/li>\n<script src=\"https\/\/tools.ietf.org\/js.cookie.js\"><\/code> tag – We need a cookie parser that can extract the identity token from the OAuth 2.0 access token and create a cookie to be sent to the website. The line Cookies.set<\/code> accomplishes this, using the JavaScript Cookie<\/a> library, which is included with the this tag.<\/li>\n<\/ul>\n404<\/code> error is to be expected when we try to access it.<\/p>\nFurther Reading<\/h2>\n
\nAppendix – Creating a Google OAuth 2.0 Client ID<\/h2>\n
\n
![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-create-project.png\")
\n<\/li>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-new-project.png\")
\n<\/li>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-enable-api.png\")
\n<\/li>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-select-api.png\")
\n<\/li>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-google-api-enable.png\")
\n<\/li>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-create-credentials.png\")
\n<\/li>\nlisten<\/code> directive in Enabling OpenID Connect for Your Web Application<\/a> (for example, mydomain.example.com:80<\/strong>). This example uses localhost but your entry needs to be the hostname and port of the actual NGINX Plus instance.<\/p>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-create.png\")
\n<\/li>\ncontent<\/code> attribute of the <meta name=\"google-signin-client_id\"><\/code> tag in your app (replacing the highlighted client-ID<\/code><\/em><\/strong> placeholder shown above). You do not need the client secret.<\/p>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-secret.png\")
\n<\/li>\n![\"When](\"https:\/\/assets.wp.nginx.com\/wp-content\/uploads\/2016\/09\/google-oauth2.0-client-id-consent-screen.png\")
\n<\/li>\n<\/ol>\n