
Using Auth0 with an OpenResty OIDC Reverse Proxy

The other day at work I had a prospect asking about a reverse proxy they could set up for a POC. One of the use cases was to protect a legacy application that couldn’t be updated.

To make it easy for them I set up a Dockerfile and an nginx config for OpenResty, connecting to Auth0 with OIDC. The following is based on the guidance in this post as well as the lua-resty-openidc docs.

Here’s an example that proxies requests to a server while requiring authentication through Auth0:

# Dockerfile
FROM openresty/openresty:alpine-fat
RUN mkdir /var/log/nginx
# build dependencies for the luarocks modules below
RUN apk add --no-cache openssl-dev
RUN apk add --no-cache git
RUN apk add --no-cache gcc
# OIDC relying-party library and the session store it uses for the login cookie
RUN luarocks install lua-resty-openidc
RUN luarocks install lua-resty-session
ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]
# nginx.conf
events {
    worker_connections 128;
}

http {
    lua_package_path '~/lua/?.lua;;';
    # resolver is needed so the Lua code can fetch the discovery document and JWKS from Auth0
    resolver 8.8.8.8;
    # CA bundle used to verify Auth0's TLS certificate on those outbound requests
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;
    # cache for discovery metadata documents
    lua_shared_dict discovery 1m;
    # cache for JWKs
    lua_shared_dict jwks 1m;

    server {
        listen 8080;

        location / {
            access_by_lua '
                local opts = {
                    redirect_uri_path = "/redirect_uri",
                    discovery = "https://<AUTH0_TENANT_DOMAIN>/.well-known/openid-configuration",
                    token_signing_alg_values_expected = "RS256",
                    client_id = "<AUTH0_CLIENT_ID>",
                    client_secret = "<AUTH0_CLIENT_SECRET>",
                    -- Auth0 /v2/logout takes the post-logout destination in the returnTo parameter
                    redirect_after_logout_uri = "https://<AUTH0_TENANT_DOMAIN>/v2/logout?client_id=<AUTH0_CLIENT_ID>&returnTo=<URL_TO_REDIRECT_AFTER_LOGOUT>",
                    redirect_after_logout_with_id_token_hint = false
                }
                -- authenticate() runs the OIDC authorization-code flow: it redirects
                -- unauthenticated clients to Auth0 and validates the returned id_token
                local res, err = require("resty.openidc").authenticate(opts)
                if err or not res then
                    ngx.status = 403
                    ngx.say(err or "no access_token provided")
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            ';
            proxy_pass <URI>;
        }
    }
}
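The config above returns the library's error text to the client and passes the request upstream with no indication of who the user is. The following is an added, hardened variant of the same nginx.conf (written for this page, not taken from the original post or from the lua-resty-openidc project): it logs failure details to the error log instead of the response body, restricts what is stored in the session cookie, and forwards the verified subject and email claims to the legacy application as request headers. The header names X-User and X-Email, the <SESSION_SECRET> placeholder and the /logout path are assumptions; the Auth0 placeholders are the same ones the post uses.

```nginx
events {
    worker_connections 128;
}

http {
    resolver 8.8.8.8;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

    server {
        listen 8080;

        # lua-resty-session signs and encrypts the login cookie with this secret.
        # <SESSION_SECRET> is a placeholder: generate a random value per deployment,
        # otherwise every restart invalidates sessions and workers may disagree.
        set $session_secret "<SESSION_SECRET>";

        location / {
            access_by_lua_block {
                local opts = {
                    redirect_uri_path = "/redirect_uri",
                    discovery = "https://<AUTH0_TENANT_DOMAIN>/.well-known/openid-configuration",
                    token_signing_alg_values_expected = "RS256",
                    client_id = "<AUTH0_CLIENT_ID>",
                    client_secret = "<AUTH0_CLIENT_SECRET>",
                    scope = "openid email profile",
                    -- keep only the id_token in the session; the legacy app never
                    -- sees the access token, so there is no reason to store it
                    session_contents = { id_token = true },
                    -- requests to this path clear the session and send the browser to Auth0's logout
                    logout_path = "/logout",
                    redirect_after_logout_uri = "https://<AUTH0_TENANT_DOMAIN>/v2/logout?client_id=<AUTH0_CLIENT_ID>&returnTo=<URL_TO_REDIRECT_AFTER_LOGOUT>",
                    redirect_after_logout_with_id_token_hint = false,
                }

                local res, err = require("resty.openidc").authenticate(opts)
                if err or not res then
                    -- detail goes to the error log for operators; the client gets a generic 403
                    ngx.log(ngx.ERR, "OIDC authentication failed: ", err or "no session")
                    ngx.status = ngx.HTTP_FORBIDDEN
                    ngx.say("forbidden")
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- set_header overwrites any value the client sent, so the upstream
                -- can only ever see claims taken from the verified id_token
                ngx.req.set_header("X-User", res.id_token.sub)
                ngx.req.set_header("X-Email", res.id_token.email or "")
            }
            proxy_pass <URI>;
        }
    }
}
```

The identity headers are only trustworthy if the legacy application is reachable solely through this proxy; if it can be reached directly, anyone can supply X-User themselves, so keep it on a network the proxy alone can reach. The session cookie is sent over plain HTTP on port 8080 in this setup, so in anything beyond a proof of concept terminate TLS in front of the proxy.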

Testing With Docker

Using the above files you can test proxying an application through Auth0. Clients connect through the proxy and are redirected to Auth0 to complete the authentication process if they aren’t already authenticated.

Modify the nginx configuration

After registering the application in Auth0, update nginx.conf with the following values:

  • <AUTH0_TENANT_DOMAIN> - your Auth0 tenant’s domain (found in tenant settings)
  • <AUTH0_CLIENT_ID> - the client ID of the application in Auth0
  • <AUTH0_CLIENT_SECRET> - the client secret of the application in Auth0
  • <URL_TO_REDIRECT_AFTER_LOGOUT> - URL to redirect to after logging out of Auth0
  • <URI> - the URI of the application you want to proxy to

Build the Docker image

docker build -t authproxy .

Run the Docker image

docker run -d -it -p <LOCAL_PORT>:8080 -v $PWD/:/config -v /:/usr/share/nginx/html authproxy -c /config/nginx.conf

Replace <LOCAL_PORT> with the port on the host your proxy is running on.

Published 28 Oct 2019

Chris Scott