15

I'm trying to figure out if it is possible to forward a query-parameter from the original URL to the auth_request handler/service?

Users should be able to add the API-token as a query-parameter like this: https://example.com/api/user?token=237263864823674238476

And not via header or cookie. Can I access the token parameter somehow in the auth-service? Or write the token query-parameter in a custom header with NGINX?
Tried this so far:

location = /api/user {
  auth_request /auth;
  proxy_set_header X-auth-token-from-query $arg_token;

  proxy_pass http://<url>;
}

/auth endpoint doesn't get the X-auth-token-from-query header but after returning a 200 the upstream-proxy does get the header.

Improve this question

3 Answers 3

Reset to default
21

You'll very likely want to pass the url (the uri) to the auth-request endpoint as well. You can do this in one go:

location = /api/auth {
  proxy_set_header X-Original-URI $request_uri;
  proxy_set_header X-Original-METHOD $request_method;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";

  proxy_pass http://<url>;
}

Bonus: I also passed the method! :tada:

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

13

The following worked for me

        location = /auth {
          internal;
          set $query '';
          if ($request_uri ~* "[^\?]+\?(.*)$") {
              set $query $1;
          }
          proxy_pass                http://myauthpoint?$query;
          proxy_pass_request_body   off;
          proxy_set_header          Content-Length "";
        }
Improve this answer

2 Comments

This one is best, since the query params are nicely passed. I had to make a small edit so that the full original path is passed... : myauthpoint$uri?$query;
Yessir, I was thinking on it since last few hours, even dynamic headers was not setted.... your solution made a job done. Thank you!
0

My use case:

  • I serve a reverse proxied API on /api/
  • I have some other resource on /protected I want to secure using a check on /api/auth-check which requires passing a token query parameter

Inspired by the answer of user1955986 I parse $request_uri, but in stead of directly proxying it somewhere else I use it to set the $args parameter that gets passed on to the API endpoint:

location ^~ /api/ {
    ... your API config ...
}

location ^~ /protected/ {
    auth_request /auth-request;
    ... your protected resource config ...
}

location = /auth-request {
    internal;
    if ($request_uri ~* "[^\?]+\?(.*)$") {
        set $args $1;
    }
    rewrite ^.* /api/auth-check last;
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.