
Howto integrate Vouch Proxy into a server side application for User Identification, Authentication and Authorization #421

Closed
mamcx opened this issue Sep 9, 2021 · 8 comments

Comments

@mamcx

mamcx commented Sep 9, 2021

I'm looking for a way to secure my tenants' APIs/Web Stores and want something that allows me to use my own tables/business logic but offload security elsewhere. An obvious choice is to use Auth0/Keycloak or something similar, but that provides challenging integration issues with my customers/apps (I'm in the enterprise sector).

Is this project something I can put in front of my apps/sites that gives good security for them? Do I need to complement this with something else?

P.S.: I'm aware I will need to code things like #359; this is what actually attracts me to the idea of using this...

@mamcx mamcx changed the title Is this a replacement for auth0, keycloack? Is this a alternative for auth0, keycloack? Sep 9, 2021
@bnfinet
Member

bnfinet commented Sep 10, 2021

@mamcx VP does not replace Auth0 or Keycloak, it piggybacks on Authentication/login at those IdPs to provide Authorization / gatekeeper services. Does that make sense?

In addition some of the information provided by the IdP (Auth0, Keycloak, Google, ...) can be handed to an underlying web application as HTTP headers.

If there were any improvement to the README which would help to clarify that could you please suggest such.

@mamcx
Author

mamcx commented Sep 10, 2021

So, if I wanna get close to them, what exactly do I need to provide? For the link I put above, I need to validate the login myself and provide routes/UI, but I don't know if that is enough or if some more steps exist.

So it would be nice to have a tutorial that implements a solution end-to-end.

@bnfinet
Member

bnfinet commented Sep 10, 2021

@mamcx for posterity could you outline what you're trying to do in a bit clearer terms? I'm a little unclear on your architecture.

When you say

something that allow me to use my own tables/bussines logic but offload security elsewhere

it makes me think that you'd be fine with just doing as the README outlines and put your app behind Nginx with auth_request and VP. Your app could consume the X-Vouch-User HTTP header or any other claim as the README outlines.

So, if I wanna get close to them,

Could you please clarify what you're wanting here

@bnfinet
Member

bnfinet commented Sep 14, 2021

@mamcx if you're no longer working this issue could you please close it

@mamcx
Author

mamcx commented Sep 14, 2021

So, if I wanna get close to them,

I mean, how and if this software is close to having Auth0 and how to make it so. I think what is not clear is the high-level example like "add auth to your API/blog/whatever" and seeing what extra steps I need to complete to connect to my backend/tables.

For example:

https://auth0.com/blog/build-an-api-in-rust-with-jwt-authentication-using-actix-web/

@bnfinet
Member

bnfinet commented Sep 14, 2021

@mamcx unfortunately that isn't documented but it's pretty simple...

The /validate endpoint includes these headers by default with a successful response.

HTTP/2 200 OK
server: nginx/1.21.0
date: Tue, 14 Sep 2021 21:07:27 GMT
content-type: text/plain; charset=utf-8
content-length: 7
x-vouch-success: true
x-vouch-user: user@yourdomain.com

And these headers for 401 Unauthorized

HTTP/2 401 Unauthorized
server: nginx/1.21.0
date: Tue, 14 Sep 2021 20:59:55 GMT
content-type: text/plain; charset=utf-8
content-length: 24
x-vouch-error: no jwt found in request

Those headers would need to be passed to your app in an Nginx location block.

location / {
      proxy_pass http://127.0.0.1:8080;
      proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
      proxy_set_header X-Vouch-Success $auth_resp_x_vouch_success;
      proxy_set_header X-Vouch-Error $auth_resp_x_vouch_error;
      # see README for other claims or tokens you would care to pass
}

And then you would build logic into your app to key off the user, or forward back to /login, if those headers are present or not.

However, to be clear, VP does not provide its own store of user information. You would need to use an IdP such as Auth0 for the actual authentication. In its primary use case VP uses authentication from an IdP to authorize access.
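An added example of the "build logic into your app to key off the user, or forward back to /login" step described in the comment above. This is not code from the Vouch Proxy project; it is a small Go middleware that reads the X-Vouch-Success, X-Vouch-User and X-Vouch-Error headers that the Nginx location block forwards, serves the request only when the success flag and a user are both present, and otherwise redirects to /login. The hostname vouch.yourdomain.com and the `url` query parameter on /login are assumptions taken from typical Vouch Proxy setups; check them against your own configuration. The app may trust these headers only because `proxy_set_header` overwrites anything the client sent, so the backend must be reachable solely through that Nginx location and never directly.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// loginURL is the Vouch Proxy login endpoint (hypothetical hostname).
const loginURL = "https://vouch.yourdomain.com/login"

// vouchIdentity is what the app learns from the X-Vouch-* headers that the
// Nginx location block copies from the Vouch Proxy /validate response.
type vouchIdentity struct {
	User string // X-Vouch-User, e.g. user@yourdomain.com
	Err  string // X-Vouch-Error, e.g. "no jwt found in request"
}

// identityFromHeaders treats the request as authenticated only when
// X-Vouch-Success is "true" AND a non-empty X-Vouch-User is present; a
// success flag without a user is rejected rather than guessed at.
func identityFromHeaders(h http.Header) (vouchIdentity, bool) {
	id := vouchIdentity{
		User: strings.TrimSpace(h.Get("X-Vouch-User")),
		Err:  strings.TrimSpace(h.Get("X-Vouch-Error")),
	}
	ok := strings.EqualFold(strings.TrimSpace(h.Get("X-Vouch-Success")), "true") && id.User != ""
	return id, ok
}

// originalURL reconstructs the absolute URL the client asked for. The https
// scheme is assumed because the app sits behind a TLS-terminating Nginx.
func originalURL(r *http.Request) string {
	return "https://" + r.Host + r.URL.RequestURI()
}

// loginRedirect builds the /login URL carrying the original request URL so the
// user lands back where they started. The "url" parameter name is an assumption.
func loginRedirect(original string) string {
	return loginURL + "?url=" + url.QueryEscape(original)
}

// requireVouch is middleware that gates a handler on the Vouch headers. Requests
// without a validated identity are logged (with X-Vouch-Error, if any) and
// redirected to /login; validated ones reach the handler with the identity.
func requireVouch(next func(http.ResponseWriter, *http.Request, vouchIdentity)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := identityFromHeaders(r.Header)
		if !ok {
			log.Printf("unauthenticated request to %s: %q", r.URL.Path, id.Err)
			http.Redirect(w, r, loginRedirect(originalURL(r)), http.StatusFound)
			return
		}
		next(w, r, id)
	})
}

// whoami is a handler keyed off the authenticated user. A real application would
// look id.User up in its own tables here to apply its business logic.
func whoami(w http.ResponseWriter, _ *http.Request, id vouchIdentity) {
	fmt.Fprintf(w, "hello %s\n", id.User)
}

func main() {
	// Matches the proxy_pass target in the Nginx location block above.
	http.Handle("/", requireVouch(whoami))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Whether the redirect branch is ever reached depends on the Nginx side: with a plain `auth_request` the 401 is returned by Nginx before the app sees the request, and only the `error_page` / return-to-login arrangement from the README lets the app make that decision itself. Either way the app should not act on X-Vouch-User alone; checking the success flag guards against a misconfigured location that forwards an empty or stale header.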

@bnfinet bnfinet changed the title Is this a alternative for auth0, keycloack? Howto integrate Vouch Proxy into a server side application for User Identification, Authentication and Authorization Sep 14, 2021
@bnfinet
Member

bnfinet commented Oct 8, 2021

related: #432

@bnfinet
Member

bnfinet commented Oct 14, 2021

@mamcx does that clarify things for you? If you have no further questions would you please close the issue.
