Simple SSO system for nginx based on cookies and ECDSA
Latest commit afb39b5 Sep 23, 2015 @heipei Update TECHNICAL and README

nginx-sso - Simple offline SSO for nginx

nginx-sso is a simple single-sign-on (SSO) solution to be used with nginx and the nginx auth_request module. It uses ECC public key signatures and cookies to authenticate users in an offline fashion, as far as the service provider is concerned.

With nginx-sso you can:

  • Authenticate users and check session validity
  • Authorize users to access specific resources
  • Provide authenticated information about the user to your backend application
  • Allow your application server to effectively stay offline

You can use it by deploying a single (static) binary and a config to a stock nginx instance.

Overview

nginx-sso works by creating a session cookie named sso. This cookie contains information about the user, the expiry date of the session and the IP of the client which logged in. Furthermore, the cookie carries an ECDSA signature, created at login, which protects the integrity of the payload. In our case, the ssologin tool holds the necessary ECC private key and creates the cookie and the signature after a successful login.

The ssologin tool has to be customized to your own login architecture. It requires customization to accommodate your user-credential store (be it LDAP, htdigest, OAuth, homebrew). The common denominator is that it expects a non-empty string for the username and an optional group-string (comma-delimited). These two values will be encoded in the sso cookie.

Any service in the possession of the corresponding public key can then use the information stored in the sso cookie. With nginx-sso, this is done by the ssoauth tool. This tool is our authentication endpoint queried by nginx. The ssoauth tool takes the sso cookie, verifies its integrity and freshness (using the attached signature) and finally checks the username and groups against a list of ACL entries for different vhosts. If all of these checks pass, it will return the username, groups and expiry time of the cookie to the nginx frontend, which can pass it on to your application in the form of a plain HTTP header. Your application could then use this header to find the user in its own user database which could contain additional attributes (e.g. roles, contact info, etc).
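The sign-then-verify flow described above, as an added Go example that is not part of nginx-sso's own code: the ssologin side signs the joined cookie fields with the ECC private key, and the ssoauth side verifies the signature before it trusts any field, then rejects expired sessions and cookies presented from a different client IP. The "|"-joined wire format, the field order and the sample values are assumptions made here; the project's real cookie encoding is described in TECHNICAL.md.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)
// SignCookie is the login side (ssologin): hash the joined fields, sign the hash with the ECC private key.
// The "|"-joined body followed by a base64 signature is this example's own format, not the project's.
func SignCookie(priv *ecdsa.PrivateKey, user, groups, ip string, expiry int64) (string, error) {
	body := strings.Join([]string{user, groups, strconv.FormatInt(expiry, 10), ip}, "|")
	h := sha256.Sum256([]byte(body))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return body + "|" + base64.RawURLEncoding.EncodeToString(sig), nil
}
// VerifyCookie is the auth side (ssoauth): check the signature before trusting any field,
// then reject expired sessions and cookies presented from a different client IP.
func VerifyCookie(pub *ecdsa.PublicKey, cookie, clientIP string, now int64) (user, groups string, err error) {
	f := strings.Split(cookie, "|")
	if len(f) != 5 {
		return "", "", errors.New("malformed cookie")
	}
	h := sha256.Sum256([]byte(strings.Join(f[:4], "|"))) // hash exactly what was signed
	sig, err := base64.RawURLEncoding.DecodeString(f[4])
	if err != nil || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", "", errors.New("signature invalid") // tampered payload or wrong key
	}
	exp, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil || now >= exp {
		return "", "", errors.New("session expired")
	}
	if f[3] != clientIP {
		return "", "", errors.New("client IP mismatch") // cookie presented from another host
	}
	return f[0], f[1], nil
}
func main() { // smoke run with constructed values: a fresh cookie from the right IP is accepted
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c, _ := SignCookie(priv, "alice", "admin,dev", "10.0.0.5", 1700003600)
	fmt.Println(VerifyCookie(&priv.PublicKey, c, "10.0.0.5", 1700000000))
}
```

In a real deployment the public key is the only thing ssoauth needs, which is what lets the service side stay offline from the login side.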

More information can be found in the file TECHNICAL.md.

Building

For now, use the Makefile by calling make. ssologin.go is meant as an example of how to use the nginx-sso system to set the sso cookie during login.

Getting started

There is an example nginx.conf in etc/

  1. Start nginx: ~/local/sbin/nginx -c $PWD/etc/nginx.conf
  2. Generate a keypair using the ecc.go tool in tools/
  3. Start ssoauth: ./ssoauth -config etc/ssoauth.json
  4. Start ssologin: ./ssologin -config etc/ssologin.json
  5. Map login.domain.dev and auth.domain.dev to 127.0.0.1 in /etc/hosts
  6. Browse to http://username:password@login.domain.dev:8080/login
  7. Browse to http://auth.domain.dev:8080/secret

Contributing

nginx-sso is a work-in-progress and should not be used for production applications. It is the first application I've developed in golang. I'd like to get some help to improve the codebase and make it more adaptable to other setups. Please consider forking the repository and creating a pull request on GitHub.

Author

nginx-sso was written by Johannes Gilger. Any additional contributors will be listed here.

License

nginx-sso is licensed under the GNU General Public License v2. See the file LICENSE for details.