SSO using external website

[mguinness]

Is there anything comparable to Authentication Based on Subrequest Result described in NGINX Docs:

To perform authentication, NGINX makes an HTTP subrequest to an external server where the subrequest is verified. If the subrequest returns a 2xx response code, the access is allowed, if it returns 401 or 403, the access is denied.

I've quickly looked at Authentication and Authorization documentation and Authentication & Authorization sample but they seem to rely on middleware rather than just configuration pointing to an external service.

Is it possible/desirable to emulate the functionality of the auth_request module in NGINX?

[Tratcher]

YARP relies completely on AspNetCore's authentication/authorization infrastructure. You can make something like this there by implementing an AuthenticationHandler, but I don't know of any exiting implementations like that.
https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/Core/src/AuthenticationHandler.cs

This can also be implemented with custom middleware, it might be simpler that way.
https://microsoft.github.io/reverse-proxy/articles/middleware.html#custom-proxy-middleware

[mguinness]

Thanks, I suppose the custom middleware is the likely path to integrate external systems. Having a similar configuration based method that's used in NGINX would be advantageous for those that want to develop a solution with Express or Rails instead. I do think this would be a common use case, but for those situations maybe they would use something other than YARP anyway. Asking others to upvote and comment if they feel this would be something worth integrating into YARP or not.

[samsp-msft]

There is always a tradeoff between what you can offer via config - but commonly you'll end up creating a DSL to be able to express the details of what destination you talk to, the parameters that should be passed etc - and just writing code. We have designed YARP around the latter - we think it's more efficient, faster and provides the developer more control. The downside is how hard is it for the developer to implement the functionality they need as part of the middleware. IMHO - if it can be done in a dozen lines or less, then it's probably ok.

[mguinness]

Checking back to see if there is any functionality in YARP for forward auth as described below.

Traefik, nginx ingress and other gateways usually have feature called forward-auth. This enables them to forward request to external auth/authz service which returns 2xx in case auth/authz was successful and otherwise some higher code (usually 401/403).

The following proxies have this functionality and I wanted to know if this can be done in YARP.

• Nginx
• Traefik
• Caddy
• Envoy

[mguinness]

The recommended solution is to implement AuthenticationHandler or RemoteAuthenticationHandler (for remote SSO). Take a look at YarpWebAuthn repo for an example that uses the former to provide basic WebAuthn authentication for YARP. A middleware solution using status codes and redirects would still be useful though.