Add the ability to secure proxy hosts with OpenID Connect #433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged: 10 commits, Jun 8, 2020

Conversation

Subv (Contributor) commented May 29, 2020

What is this?

This PR implements OpenID Connect authentication for proxy hosts using the lua-resty-openidc library, now that NPM uses OpenResty instead of vanilla nginx.

What is OpenID Connect?

OpenID Connect is an identity layer on top of OAuth2 that lets you do Single-Sign-On (SSO) using an identity provider (IdP) like Azure AD or KeyCloak.

How does this benefit me as an NPM user?

You will now be able to restrict access to your proxy hosts only to users who can successfully authenticate with the IdP. For example, only allow users in your Azure Active Directory to access your internal-tool.example.com subdomain.

Work in progress

I would like to ask for some help with the UI layout, it currently looks kind of out of place (screenshots below).

Future improvements

These are things that could be improved upon but will probably be added in a separate PR.

  • Allow specifying additional scopes for the auth request instead of hardcoding openid email profile.
  • Allow specifying extra id_token claims to pass to the backend application, or maybe simply forward the entire id_token.
  • Support manually specifying the OpenID Connect endpoints when the discovery endpoint is not known or does not exist.
  • Support other token auth methods, currently only client_secret_post and client_secret_basic.
  • Support public clients that do not require a client secret.
  • Add a visual indicator to the proxy lists to tell at a glance which hosts have OpenID Connect enabled.

Related issues

How to use it

You will need a few things to get started with OpenID Connect:

  • A registered application with your identity provider; they will provide you with a Client ID and a Client Secret. Public OpenID Connect applications (without a client secret) are not yet supported.

  • A redirect URL to send the users to after they log in with the identity provider. This can be any unused URL under the proxy host, like https://<proxy host url>/private/callback; the server will take care of capturing that URL and redirecting you to the proxy host root. You will need to add this URL to the list of allowed redirect URLs for the application you registered with your identity provider.

  • The well-known discovery endpoint of the identity provider you want to use. This is a URL usually with the form https://<provider URL>/.well-known/openid-configuration.

After you have all this you can proceed to configure the proxy host with OpenID Connect authentication.

You can also add some rudimentary access control through a list of allowed emails in case your identity provider doesn't let you do that. If this option is enabled, any email not on that list will be denied access to the proxied host.

The proxy adds some headers based on the authentication result from the identity provider:

  • X-OIDC-SUB: The subject identifier, according to the OpenID Connect spec: a locally unique and never reassigned identifier within the Issuer for the End-User.
  • X-OIDC-EMAIL: The email of the user that logged in, as specified in the id_token returned from the identity provider. This is the same value that is checked against the email whitelist.
  • X-OIDC-NAME: The user's name claim from the id_token. Please note that not all id tokens necessarily contain this claim.

Screenshots

(three screenshots of the proxy host form)
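The setup described above, as an added example that is not part of this PR's code or of nginx-proxy-manager's own nginx templates: an OpenResty server block that calls lua-resty-openidc's authenticate() with the three inputs listed (client ID and secret, redirect URL, discovery endpoint), applies an email allowlist, and sets the three X-OIDC-* headers for the backend. The hostname, the values in angle brackets, the allowlist entries and the backend address are assumptions; the nginx directives and the resty.openidc API are real. One check a practitioner would want is included: any X-OIDC-* header supplied by the client is cleared before the proxy sets its own, so the backend can only ever see values derived from the verified id_token.

```nginx
# Added example, not the PR's own template: one proxy host protected with
# lua-resty-openidc. Values in <angle brackets> are placeholders.
server {
    listen 443 ssl;
    server_name internal-tool.example.com;   # assumed hostname

    # lua-resty-session needs a secret; lua-resty-openidc needs a resolver and a
    # CA bundle to reach the IdP's discovery and token endpoints over TLS.
    set $session_secret "<random-secret-at-least-32-chars>";
    resolver 1.1.1.1;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    location / {
        access_by_lua_block {
            local opts = {
                -- any unused path under this host; authenticate() captures it itself
                redirect_uri = "https://internal-tool.example.com/private/callback",
                discovery = "https://<provider URL>/.well-known/openid-configuration",
                client_id = "<client id>",
                client_secret = "<client secret>",
                scope = "openid email profile",
                token_endpoint_auth_method = "client_secret_post", -- or client_secret_basic
                ssl_verify = "yes",  -- never "no" outside a lab: the IdP's TLS cert is checked
            }

            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end

            -- Rudimentary access control: only emails on the allowlist proceed.
            -- Constructed sample list; a missing email claim is rejected too.
            local allowed_emails = {
                ["alice@example.com"] = true,
                ["bob@example.com"]   = true,
            }
            local claims = res.id_token or {}
            local email = claims.email
            if not email or not allowed_emails[email] then
                ngx.log(ngx.WARN, "OIDC: email not on allowlist: ", tostring(email))
                ngx.exit(ngx.HTTP_FORBIDDEN)
            end

            -- Never trust X-OIDC-* headers sent by the client: drop them before
            -- setting ours, so the backend only sees values from the verified id_token.
            ngx.req.clear_header("X-OIDC-SUB")
            ngx.req.clear_header("X-OIDC-EMAIL")
            ngx.req.clear_header("X-OIDC-NAME")
            ngx.req.set_header("X-OIDC-SUB", claims.sub)
            ngx.req.set_header("X-OIDC-EMAIL", email)
            if claims.name then  -- the name claim is optional in an id_token
                ngx.req.set_header("X-OIDC-NAME", claims.name)
            end
        }

        proxy_pass http://<backend>;   # assumed upstream
    }
}
```

The header clearing only helps if the backend is reachable solely through this proxy; if the upstream is also exposed directly, a client can send its own X-OIDC-EMAIL and the backend has no way to tell the difference, so keep the upstream on a private network or bind it to the proxy's address.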

jc21 (Member) commented May 29, 2020

Docker Image for build 2 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-433

@jc21 jc21 changed the base branch from master to develop May 29, 2020 05:20
jc21 (Member) commented May 29, 2020

Docker Image for build 3 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-433

@Subv Subv force-pushed the oidc branch 3 times, most recently from cb86529 to 956e1b7 Compare May 29, 2020 06:50
jc21 (Member) commented May 29, 2020

Docker Image for build 6 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-433

jc21 (Member) commented May 30, 2020

Docker Image for build 7 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-433

jc21 (Member) commented Jun 2, 2020

I've pulled the image and tried it out.

The first thing is that I can't save the proxy host when I filled out the open ID stuff. I did not enable the emails section; when I try to save, the console tells me it's trying to focus an input that is not visible. When I then enable the emails, and then disable them, I can save. Seems like the emails are form-required without being shown.

The second thing is, and keep in mind I know a bit about oauth, the settings can be a little confusing. I've referred to your notes here in this PR to set something up with Auth0 so it might be worth adding a link to the online documentation later (after this PR).

Apart from that I was able to successfully set up Auth0 as an OpenID service :)

Just need to fix the form saving and that's it

jc21 (Member) commented Jun 3, 2020

Docker Image for build 9 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-433

darthdubu commented

Wanted to say this looks incredible! This will be a very well appreciated addition, thanks for the hard work! Since I'm really excited for this feature I went ahead and just pulled the image github-pr-433, but I'm not seeing the OpenID config anywhere. Am I missing something?
(screenshot)

Subv (Contributor, Author) commented Jun 3, 2020

@Ducky710 nginx is pretty aggressive with the frontend caching; try clearing it before accessing the admin interface.

darthdubu commented

Thanks for the quick response. I thought you were referring to my browser cache so I cleared that, but if you mean the cache inside the container, do you know where it's stored? I looked around my directory but didn't see anything that was labelled obviously.
(screenshot)

Subv (Contributor, Author) commented Jun 3, 2020

I was indeed referring to the browser cache. I'm not sure why it doesn't show up for you if you've already cleared it; could you join the Gitter chat so we can troubleshoot better? https://gitter.im/nginx-proxy-manager/community

@jc21 jc21 changed the base branch from develop to openidc June 8, 2020 03:35
jc21 (Member) commented Jun 8, 2020

Docker Image for build 10 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-433

@jc21 jc21 merged commit afce218 into NginxProxyManager:openidc Jun 8, 2020
BuethSam commented

First, awesome feature. I am currently in the process of rolling out my SSO....

But I'm experiencing a problem when logging in. It works just fine on Chrome, but on Safari I get "Safari can’t open the page. The error is: “The operation couldn’t be completed.(kCFErrorDomainCFNetwork error 303.)” (kCFErrorDomainCFNetwork:303)".

I'm using Keycloak and it works fine on Jira (SAML), Confluence (SAML), Seafile (OpenID) etc.

Any ideas?

LouizFC commented Nov 16, 2020

@jc21 Any plans to merge this into master?

joe307bad commented

@jc21 @LouizFC I added the PR here: #753. I tested on my local machine and it seemed I just had to add defaults to the OIDC fields.

Secarius commented Feb 4, 2021

Hi, how can I install it with docker-compose?
What is the image I have to put in the docker-compose.yml?

Thank you very much

NopeNix commented Jan 14, 2022

+1 on the previous post from @Secarius; it is also unclear to me.

TheSander562 commented Jan 14, 2022

@NopeNix and @Secarius
Here is the link for docker:
https://hub.docker.com/layers/jc21/nginx-proxy-manager/github-openidc/images/sha256-0bdd0845803d83f592c0c6824ce6a391dcb94b3dfb02a85b35faa8c36a9d0626?context=explore

If you just want to know the image name to use in docker compose: jc21/nginx-proxy-manager:github-openidc

elsbrock commented

Any chance on getting this mainlined?

Izooc commented Feb 28, 2022

Would also like to see this get mainlined.

NopeNix commented Jan 19, 2023

Anyone able to get this working with Azure B2C ?

I don't know what you mean with B2C, but it is generally possible to use Azure OIDC. I tested it about 2 months ago. Make sure you are using the OpenIDC branch of the project so you have the menu point for Open ID Connect in the interface. Good luck!

Hadatko (Contributor) commented Aug 18, 2023

+1

4 similar comments:
vschwaberow: +1
sohelzerdoumi: +1
sascha-sphw: +1
vschwaberow: +1

reddwarf666 commented

Does this mean NPM is able to use/work with a tool like Pocket-id?
And if so, is there some document I can read and follow to get this implemented?
