Forward Authentication to Authgear Resolver Endpoint
Authenticate the incoming HTTP requests by forwarding Authentication to Authgear Resolver Endpoint
In this section, we will explain how to set up a reverse proxy in NGINX to protect your app server from unauthorized access with the Authgear resolver. You can forward the requests without the request body to the resolver endpoint. Authgear will look at the Authorization
and Cookie
in the HTTP header, verify the token, and respond to HTTP 200 with X-Authgear-
headers for session validity, the user id...etc.
If you use a popular reverse proxy on your deployment, such as NGINX, Traefik, or API Gateways such as Apache APISIX, you can configure it with a few simple lines of forward auth config. Your backend should read the returned headers to determine the identity of the user of the HTTP request.
You can also use the forward authentication features of the other popular reverse proxy. e.g.
Authgear Resolver Endpoint
Authgear provides an endpoint for forward authentication. Subrequests should be made to the following endpoint for authentication.
https://<your_app_endpoint>/_resolver/resolve
How Forward Authentication Works
After the user is logged in, send an application request to your server from the client app with access token/cookies.
Set up a reverse proxy in your infrastructure to authenticate HTTP requests. The reverse proxy will forward the incoming HTTP requests without the request body to the Authgear Resolver Endpoint.
Authgear resolver parses the access token and returns HTTP headers including the user login state. The headers are starting with
x-authgear-
.You have to instruct your reverse proxy to include those extra headers, before forwarding the request to your backend server.
Your backend server looks at the headers and responds to the client app accordingly. e.g. Returns the user's content or HTTP 401 if the user is not logged in.
There are so many reverse proxies available in the wild. So here we are going to illustrate the idea of using Nginx as the reverse proxy.
Using Nginx as the reverse proxy
We will use the module auth_request
in NGINX. The module is not built by default, it should be enabled with the --with-http_auth_request_module
configuration parameter.
Run this command and verify that the output includes --with-http_auth_request_module
:
The trick here is to declare an internal location
and use auth_request
to initiate a subrequest to the resolved endpoint.
Example configuration
See docs for auth_request
in NGINX for more details. http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
Optimizing the performance
If the reverse proxy, Authgear, and your backend server are in different regions, authenticating every request could result in a huge downgrade in the performance.
You may consider enabling caching.
Reference on the headers
See the list of x-authgear-
headers in the specs: https://github.com/authgear/authgear-server/blob/master/docs/specs/api-resolver.md
Last updated