Rewriting Authorization header, fixing typo before JWT validation in Nginx Plus


I have an app-facing Nginx Plus (R22) gateway, which validates the JWT token in the Authorization header. Lately I found that one of our legacy mobile apps has a bug in which the Authorization header has a typo: it is missing the space between the bearer keyword and the token (example: bearereyJ...).

I used a simple map to make sure I add a space, and set the result in the $authorization variable, which works fine:

map "$http_authorization" $authorization {
    # anything starting with "bearer" (any case) is re-emitted as
    # "bearer " followed by whatever came after the keyword
    ~*^bearer(?<token>(.*))$ "bearer $token";
    default $http_authorization;
}

I also set the Authorization header in my location, but my request is still rejected and I keep getting 401, even though, on review, the token is valid.

location ~ ...{
 # rewritten header sent to the upstream
 proxy_set_header Authorization $authorization;

 proxy_pass ...;
}

How can I make sure I rewrite the header before the JWT validation happens?

Having asked that, my current workaround would be to set up two locations: one that rewrites the header and does not validate the token, then proxies to another location that checks the modified header and proxies to its destination. Is it a good approach?

Thanks in advance!



Here's the workaround I had to do in order to make this work:

  1. Set up the header rewrite inside the http block, to make sure there's exactly one space between the bearer word and the token:
map "$http_authorization" $authorization {
    # swallow any existing whitespace after "bearer" so that both
    # "bearereyJ..." and "bearer eyJ..." become "bearer eyJ..."
    ~*^bearer(\s*)(?<token>(.*))$ "bearer $token";
    default $http_authorization;
}
  2. Proxy from one location to another: an unauthenticated location that rewrites the header, then a second location that actually authenticates:
location ~ ... { 
 # no JWT check here; only normalize the header and hand off
 auth_jwt off;
 proxy_set_header Authorization $authorization;
 proxy_pass http://$upstream/reauthenticate/$request_uri;
}

location ~ /reauthenticate/(?<original_uri>(.*)){
  # JWT validation (inherited auth_jwt) runs here against the rewritten header
  proxy_pass http://$upstream/$original_uri;
}

While we did not end up using this solution, I do think it's better to have it here in case someone is looking for it in the future. This is the better solution I was looking for, and it would avoid the 499 status code:

    map $http_authorization $token {
        # case-insensitive scheme and any amount of whitespace, so the
        # broken "bearereyJ..." header matches as well as "Bearer eyJ...";
        # no default, so $token is empty (and rejected) for anything else
        "~*^Bearer\s*(.+)$" $1;
    }
    ...
    auth_jwt "test" token=$token;
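A complete configuration built around the token= form above, as an added example rather than the poster's own config. The reason the proxy_set_header approach in the question cannot work is that auth_jwt runs in nginx's access phase against the incoming request, while proxy_set_header only rewrites the header sent to the upstream, so the module keeps seeing the original broken value; pointing auth_jwt at the normalized variable sidesteps that. The upstream name, listen port, certificate paths, key file path and location prefix below are assumptions for the example.

```nginx
# Added example (not the original poster's configuration).
# Assumed names: api_backend upstream, /api/ prefix, certificate and
# JWK set paths under /etc/nginx/.
http {
    # Normalize the Authorization header into a bare token:
    #  - scheme matched case-insensitively (the broken client sends "bearer")
    #  - zero or more whitespace characters after the scheme
    #  - the rest must look like a JWT compact serialization: three
    #    base64url segments separated by dots, signature required
    # Anything else maps to "", which auth_jwt rejects with 401.
    map $http_authorization $jwt_token {
        default "";
        "~*^bearer\s*(?<jwt>[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$" $jwt;
    }

    upstream api_backend {
        server 10.0.0.10:8080;   # assumed backend address
    }

    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/gateway.crt;   # assumed path
        ssl_certificate_key /etc/nginx/gateway.key;   # assumed path

        location /api/ {
            # Validate the normalized variable, not the raw header.
            auth_jwt "api" token=$jwt_token;
            auth_jwt_key_file /etc/nginx/jwt_keys.json;   # JWK set, assumed path

            # The backend always receives a well-formed header, whatever
            # the client sent.
            proxy_set_header Authorization "Bearer $jwt_token";
            proxy_pass http://api_backend;
        }
    }
}
```

Check it with `nginx -t`, then send the same JWT once as `Authorization: Bearer <jwt>` and once as `Authorization: bearer<jwt>`: both should reach the backend, while a request with no header, a non-bearer scheme or a malformed token gets 401 before any proxying happens. Keeping the match strict (only three base64url segments) also means the map never forwards arbitrary header content to the upstream.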