Vouch Proxy, written in Go, performs a one time authentication against Google (or any other OAuth provider) and then for the next four hours (or more or less if you like) validates requests in less than 1ms using a JSON Web Token (JWT).

This is the first in a series of posts showing how to setup nginx and Vouch Proxy with a variety of OAuth providers.

centralize authentication for all of your in-house web applications

Lets say you help to administer a network for an organization that uses GSuite by Google for GMail, Drive, Docs, Groups, Calendar, etc. As team members join or leave the organization you add and remove access to the organization’s Google account. At the same time you provide access to other web based tools your group uses hosted privately on your own servers.

With Nginx’s auth_request module and Vouch Proxy, you can enforce OAuth login to GSuite. As your team members change, you can add and remove accounts via Google and be assured that proper access rights are being maintained without having to touch every application you’re running and manage access on each application individually. No Puppet, no Chef, no Ansible, no re-deployments, no running around trying to be sure you got them all.

Nginx and Vouch Proxy to the Rescue!

For every request received for private.yourcorp.com nginx first forwards the request to Lasso via the auth_request module. Lasso reviews the request headers and responds to nginx with 200 OK for authorized requests or with 401 Not Authorized . Authorization takes less than 1ms.

If the request is authorized it will be forwarded through to private.yourcorp.com

If the request is not authorized then nginx 302 redirect the end user’s browser first to Vouch Proxy, which immediately 302 redirect the end user on to Google’s OAuth Login screen…

After successful login, Google returns the user back to Vouch Proxy. Vouch Proxy sets the JWT into a cookie and 302 redirect back to private.yourcorp.com.

While the end user interacts with Vouch Proxy twice, its unlikely that they will even notice that Vouch Proxy was involved.