OpenID Connect for NGINX

I have added support for OpenID Connect and OAuth 2.0 to the NGINX web server and put it up on github here:

You’ll notice that it uses the scripting language Lua to realize those features. At first glance it may not sound attractive to use a scripting language in a high-performance web server like NGINX but Lua can be compiled to byte-code so that it achieves “performance levels comparable with native C language programs both in terms of CPU time as well as memory footprint” and the scripting powers make up for a great deal. As a proof of that: a lot of widely used extensions to NGINX have been written in Lua.

Adding OpenID Connect support in this way was a lot easier than coding it in C as I did previously for the Apache mod_auth_openidc module. Lua comes with a wide range of standard and non-standard libraries that can be leveraged when implementing a simple REST/JSON extension like OpenID Connect, e.g.:

  • a JSON parser
  • crypto/random functions
  • server-wide caching based on shared memory
  • http client functions
  • encrypted session management framework

This allowed me to focus just on the core OpenID Connect functionality and to write a first version of this script in less than 2 days time, with most of my time spent learning Lua and NGINX… Also: robustness in a scripting language is a lot easier to achieve than in C (goodbye segmentation faults!). Ok, the implementation of OpenID Connect is very basic (read: Basic Client Profile only) right now but hopefully spec coverage will increase over the next months. And as a matter of fact this project shows how easy it is to write a basic OpenID Connect client in less than 400 lines of code.

Note that doing this in Lua also provides us with great flexibility in terms of access control: in fact all of the scripting power of Lua can be applied to create complex rules that act on the claims provided by the OpenID Connect id_tokenthe claims returned from the UserInfo endpoint or the results of access token introspection.

Happy OIDC-NGINXing!

This entry was posted in Uncategorized. Bookmark the permalink.

5 Responses to OpenID Connect for NGINX

  1. GKB says:

    Hi Hans:) I’m hoping to use this or something like it at some point to replace the keycloak security proxy – any known issues / limitations with it?

  2. I think there are 2, kind of, limitations that are worth mentioning: one is that it talks to a single provider only so no multi-provider setup is possible, the other is that it supports the Authorization Code grant type only. Other than that, no issues (famous last words).


  4. Above limitation of lua-resty-openidc module doesn’t exist in my openid module –

  5. Pingback: [Linkset] Authorization termination: OAuth reverse proxy | stokito on software

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s