# Key the encrypted-session module uses to encrypt and decrypt the Auth cookie.
# NOTE(review): this is a sample value. A deployment needs its own random 32-byte
# key, kept out of version control: the /auth location trusts whatever decrypts
# successfully, so the key is the only thing protecting the session.
# NOTE(review): no encrypted_session_iv is set in this excerpt, so the module's
# built-in default IV would apply; confirm whether a site-specific IV is wanted.
encrypted_session_key "abcdefghijklmnopqrstuvwxyz123456";
# Drop any Authorization header sent by the client; the /auth location below
# rebuilds the header from the decrypted cookie.
more_clear_input_headers Authorization;
# Authorise every request through an internal subrequest to /auth.
auth_request /auth;

location =/auth {
    # Not reachable from outside; only the auth_request subrequest gets here.
    internal;

    # The Auth cookie is base64 over an encrypted-session blob: decode, then decrypt.
    set_decode_base64 $auth_decode $cookie_auth;
    set_decrypt_session $auth_decrypt $auth_decode;

    # Nothing usable came out of the cookie (absent, or decryption gave an
    # empty value): answer 401, which the error_page handler turns into a login redirect.
    if ($auth_decrypt = "") { return 401 UNAUTHORIZED; }

    # Pass the decrypted value on as Basic credentials; this is presumably what
    # makes $remote_user available to the other locations (confirm on the build in use).
    more_set_input_headers "Authorization: Basic $auth_decrypt";

    # Reply with a plain "OK" body so that auth_request sees a successful response.
    echo -n OK;
}
location / {
    # Serve each authenticated user from a directory named after $remote_user.
    # NOTE(review): the directory name comes straight from the user name carried
    # in the cookie; this assumes that name can never contain "/" or ".." - confirm
    # against the values the /try location can receive.
    alias html/$remote_user/;
}
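# A 401 from the auth subrequest is turned into a redirect to the ESIA authorisation endpoint.
error_page 401 = @error401;

location @error401 {
    # NOTE(review): the client id value is missing on the page; the string below
    # is a placeholder to be replaced with the identifier registered with ESIA.
    set $client_id "CLIENT_ID_PLACEHOLDER";
    set $scope openid;

    # Fresh random state value for this authorisation request.
    # NOTE(review): $state is only sent out. Nothing in this config stores it or
    # compares it with the value that comes back to /login, so it gives no
    # protection against a forged callback as written - confirm where it is checked.
    uuid4 $state;

    # Timestamp in the format that goes into the signed string and the request.
    set_formatted_local_time $timestamp "%Y.%m.%d %H:%M:%S %z";

    # Certificate and private key used for signing. The key file should be
    # readable only by the account nginx runs as.
    sign_certificate /data/nginx/esia.crt;
    sign_certificate_key /data/nginx/esia.key;

    # $client_secret is the signature over scope + timestamp + client id + state.
    sign_set $client_secret $scope$timestamp$client_id$state;

    # URI-escape every value that goes into the query string.
    set_escape_uri $access_type_escape online;
    set_escape_uri $client_id_escape $client_id;
    set_escape_uri $client_secret_escape $client_secret;
    set_escape_uri $request_uri_escape $request_uri;
    # The callback URL carries the originally requested URI so /login can return the user to it.
    set_escape_uri $redirect_uri_escape $scheme://$server_name:$server_port/login?request_uri=$request_uri_escape;
    set_escape_uri $response_type_escape code;
    set_escape_uri $scope_escape $scope;
    set_escape_uri $state_escape $state;
    set_escape_uri $timestamp_escape $timestamp;

    # Send the browser to ESIA. The "&timestamp" parameter was garbled to
    # "×tamp" on the page (an "&times" entity was decoded); restored here.
    return 303 https://esia.gosuslugi.ru/aas/oauth2/ac?access_type=$access_type_escape&client_id=$client_id_escape&client_secret=$client_secret_escape&redirect_uri=$redirect_uri_escape&response_type=$response_type_escape&scope=$scope_escape&state=$state_escape&timestamp=$timestamp_escape;
}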
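# Callback location the browser returns to after authenticating at ESIA.
location =/login {
    # The callback has to be reachable without an existing session.
    auth_request off;

    # Key file the JWT module checks the token against; the token itself is
    # taken from the "code" query argument.
    auth_jwt_key /data/nginx/esia.pub file;
    auth_jwt $arg_code;

    # Copy the subject's oid claim into $oid.
    auth_jwt_grant_set $oid urn:esia:sbj urn:esia:sbj:oid;

    # Hand over to the internal /try location with the oid as user name.
    # NOTE(review): stock nginx expects at least one file argument before the
    # fallback URI in try_files - confirm this single-argument form loads on the
    # build in use.
    try_files /try?username=$oid;
}

# Internal step that issues the session cookie and returns the user to the original page.
location =/try {
    internal;

    # No oid, no session.
    if ($arg_username = "") { return 401 UNAUTHORIZED; }

    # Encrypted session lifetime: 12 hours (12 * 60 * 60 = 43200 seconds).
    encrypted_session_expires 43200;

    # Random filler for the password half of the Basic credentials; nothing in
    # this config verifies it later.
    set_secure_random_alphanum $password 8;
    set $username_password ESIA-$arg_username:$password;

    # Basic credentials -> base64 -> encrypted session -> base64 for the cookie value.
    set_encode_base64 $username_password_encode $username_password;
    set_encrypt_session $auth_encrypt $username_password_encode;
    set_encode_base64 $auth_encode $auth_encrypt;

    # Session cookie, same 12-hour lifetime. HttpOnly keeps it away from page
    # scripts and SameSite=Lax keeps it off cross-site subrequests.
    # Add "; Secure" as well once the site is served over HTTPS only.
    add_header Set-Cookie "Auth=$auth_encode; Max-Age=43200; HttpOnly; SameSite=Lax";

    # Redirect target: the request_uri argument, or "/" when it is empty.
    # NOTE(review): after the internal redirect from /login the query string is
    # "username=...", so confirm that request_uri is actually still visible here.
    set $arg_request_uri_or_slash $arg_request_uri;
    set_if_empty $arg_request_uri_or_slash "/";
    set_unescape_uri $request_uri_unescape $arg_request_uri_or_slash;

    # The target comes from a request argument, so accept only a same-site path:
    # it must start with a single "/" (not "//" or "/\") and contain no control
    # characters. Anything else falls back to "/".
    if ($request_uri_unescape !~ "^/[^/\x5c][^\x00-\x1f]*\z") { set $request_uri_unescape "/"; }

    return 303 $request_uri_unescape;
}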
Source: https://habr.com/ru/post/456538/