...
- OAuth2 information is only available to services that are "upstream" from the OAuth2 proxy. The upstream response code appears to be ignored (e.g., 401/403). The upstream can, however, set a cookie. This suggests that we will need our own authorization component in the auth pipeline.
- With the current configuration, nginx uses the oauth2_proxy as an "auth_request" provider. We will likely want to add our own authorization component.
- nginx > oauth2_proxy > account creation component/token generator
- nginx > cauth
- nginx > authorization component > oauth2_proxy > account creation component/token generator
- Under this flow, nginx will pass the request to the authorization component (cauth?) which understands the token.
- If a token exists and is valid for the user's namespace, the user is authorized
- If a token does not exist, the request moves through the OAuth2 workflow (login, create token and account record, if necessary)
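
The third pipeline above (nginx > authorization component > oauth2_proxy) expressed as nginx configuration. This is an added example, not the project's own configuration. The upstream addresses, the `/authz` path, the `X-Original-URI` header, the server name and the certificate paths are assumptions, as is the convention that the authorization component answers 2xx for a valid token, 401 when no token is present and 403 when the token is not valid for the namespace.

```nginx
# Added example: all names, ports and paths below are assumptions.
upstream cauth        { server 127.0.0.1:9000; }  # hypothetical authorization component
upstream oauth2_proxy { server 127.0.0.1:4180; }  # assumed oauth2_proxy listen address
upstream app          { server 127.0.0.1:8080; }  # hypothetical protected service

server {
    listen 443 ssl;
    server_name example.org;                            # placeholder
    ssl_certificate     /etc/nginx/tls/example.crt;     # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;     # placeholder

    location / {
        # Every request is checked by the authorization component first.
        auth_request /authz;

        # auth_request semantics: 2xx allows the request, 401/403 deny it with
        # that code, any other status from the subrequest is treated as an error.
        # 401 (no token) hands the client to the OAuth2 login flow;
        # 403 (token not valid for this namespace) is returned to the client as is.
        error_page 401 = /oauth2/sign_in;

        proxy_pass http://app;
    }

    location = /authz {
        internal;                               # not reachable from outside
        proxy_pass http://cauth;
        proxy_pass_request_body off;            # the decision needs headers only
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        proxy_set_header X-Original-URI $request_uri;  # lets cauth derive the namespace
    }

    location /oauth2/ {
        # Login, callback and sign-in pages are served by oauth2_proxy.
        # Its own upstream (the account creation component/token generator)
        # is configured in oauth2_proxy, not here; that upstream sets the
        # token cookie that /authz accepts on later requests.
        proxy_pass http://oauth2_proxy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }
}
```

Because `/authz` is the only thing standing between a client and `app`, the protected service should accept connections from nginx alone, and the token cookie should be issued with the `Secure` and `HttpOnly` attributes.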
Overview
...