Articles Getting Started How-tos Guides Code Examples Documentation Videos Webinars Courses Training Documents

OpenResty OAuth Proxy Plugin

tutorials

5 min

On this page

The OAuth Proxy is an extension to your API gateway that you need when your single page applications (SPAs) call OAuth-secured APIs using the Token Handler pattern. The SPA sends an encrypted proxy cookie that transports an access token. The OAuth Proxy plugin decrypts the cookie to extract the access token.

When the OAuth Proxy work completes, your OpenResty API gateway routes the request to the target API, which uses the access token to implement its OAuth security.

Download the OAuth Proxy

You get the OAuth Proxy by downloading the latest ZIP file version from the Curity Developer Portal, with a filename of the following form. This zip file contains a Lua plugin that you deploy to your gateway and a README file with detailed instructions.

text

curity-token-handler-proxy-openresty-<version>.zip

Deploy the OAuth Proxy

You must deploy the OAuth Proxy to a gateway that runs in your SPA's backend for frontend domain. If a deployment uses the following URLs, the OAuth Proxy executes in a gateway at https://bff.product.example:

SPA Web Origin: https://www.product.example
Backend for Frontend Base URL: https://bff.product.example
Target API Base URL: https://api.example.com

To deploy the OAuth Proxy and its dependencies, use the luarocks file provided. One way to deploy the files is to create a custom Docker image:

dockerfile

123456

FROM openresty/openresty:jammy

COPY plugin/* \
    /tmp/oauth-proxy/
RUN cd /tmp/oauth-proxy && luarocks make oauth-proxy-*.rockspec \
    && cd / && rm -r /tmp/oauth-proxy

The luarocks command deploys Lua files to the Lua plugins location, which is a path similar to the following:

text

/usr/local/openresty/luajit/share/lua/5.1

When you deploy the OpenResty gateway you typically also provide API routes that reference the plugins. For an example, study the following Docker Compose file, where routes are supplied in a default.conf file:

yaml

123456789

services:
  api-gateway:
    image: custom_openresty:1.0.0
    hostname: apigateway-internal
    ports:
      - 80:3001
    volumes:
      - ./apigateway/openresty/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf
      - ./apigateway/openresty/default.conf:/etc/nginx/conf.d/default.conf

Prepare Decryption

You need an asymmetric keypair as part of your overall token handler deployment. To create one, follow the instructions in the Configure Cryptographic Keys section of the Create a Token Handler tutorial. This results in a PKCS#8 file with an encrypted private key, and also a private key password.

Configure API Routes

You must configure the OAuth Proxy for all API routes that the SPA calls. Also, add a route such as /oauthuserinfo if the SPA calls the authorization server's OpenID Connect userinfo endpoint.

To configure the OAuth Proxy plugin you must provide the cookie decryption key for the OAuth Proxy, using the content of the PKCS#8 file and the PKCS#8 file's password.

nginx

123456789101112131415161718

server {
    server_name bff.product.example;
    listen      3001;

    location /api/ {

        rewrite_by_lua_block {
            
            local oauth_proxy = require 'oauth-proxy'
            oauth_proxy.run({
                cookie_key = '-----BEGIN ENCRYPTED PRIVATE KEY-----\n...',
                cookie_key_pass = 'Password1'
            })
        }

        proxy_pass http://api-internal:3001/;
    }
}

The cookie_key and cookie_key_pass values can be populated in various ways. For example, at deployment time you can use a tool such as envsubst to produce the final configuration file. Alternatively, you can reference environment variables:

nginx

12345

local oauth_proxy = require 'oauth-proxy'
oauth_proxy.run({
    cookie_key = os.getenv('TH_COOKIE_KEY'),
    cookie_key_pass = os.getenv('TH_COOKIE_KEY_PASS')
})

If you use environment variables, they must be referenced first in your main nginx.conf file:

nginx

env TH_COOKIE_KEY;
env TH_COOKIE_KEY_PASS;

Additional configuration settings are also available. For example, if the OAuth Agent uses a different prefix for cookie names than the default value th-, you should configure a cookie_prefix in the OAuth Proxy that matches the value from the OAuth Agent. You can find full information on configuration settings in the README file within your downloaded ZIP file, including some advanced options for caching.

Configure CORS

When you use a cross origin deployment you must also configure Cross-Origin Resource Sharing (CORS) to instruct the browser to only allow the SPA's precise web origin to send cookies. You can configure a CORS solution of your choice. The OAuth Proxy plugin includes a small example CORS implementation that you can configure:

nginx

12345678910111213141516171819202122232425

server {
    server_name bff.product.example;
    listen      3001;

    location /api/ {

        rewrite_by_lua_block {
            
            local cors = require 'cors'
            cors.run({
                origins = {'http://www.product.example'},
                credentials = true,
                max_age = 86400
            })
            
            local oauth_proxy = require 'oauth-proxy'
            oauth_proxy.run({
                cookie_key = '-----BEGIN ENCRYPTED PRIVATE KEY-----\n...',
                cookie_key_pass = 'Password1'
            })
        }

        proxy_pass http://api-internal:3001/;
    }
}

OAuth Proxy Output

At runtime, the OAuth Proxy processes cookies in incoming requests from SPAs. On success it rewrites the HTTP request, setting the access token in the HTTP authorization header. The target API then receives a JWT access token in the standard way and can use it for its authorization.

If the OAuth Proxy experiences an invalid cookie error, it returns an error response to the SPA with a 401 HTTP status code. For other types of error, the OAuth Proxy returns a 500 HTTP status code.

Example Deployment

You can follow the Token Handler Deployment Example to fully understand how the OAuth Proxy integrates into an SPA and API solution. The tutorial deploys an example Single Page Application that calls an example API through the OAuth Proxy. You can run the end-to-end example on a development computer with various configurations.

Conclusion

The OAuth Proxy is part of your API gateway. It enables your SPAs to use the correct browser security and also make direct calls to API URLs. The OAuth Proxy plugin deals with the cookie complexity so that you do not need to implement it in your API code.

Join our Newsletter

Get the latest on identity management, API Security and authentication straight to your inbox.

Start Free Trial

Try the Curity Identity Server for Free. Get up and running in 10 minutes.

Start Free Trial

Was this helpful?

Next steps

Ready to modernize IAM?

Start Today - Build security and improve ease of use to stay ahead of the competition.

Start a Free Trial

Schedule a demo

Speak to an Identity Specialist

Explore learning resources

Products

Features and Capabilities

Deployment and Management

SECURITY SOLUTIONS

INDUSTRY

Resource Library

Tutorials & Guides

Learn More

Selective Disclosure for JWTs: How to Keep Your Data Close and Your Privacy Closer

Fortify Security with Digital Identity, API Management, and Secure Access at the Breakfast Seminar in Brussels

OpenResty OAuth Proxy Plugin

Download the OAuth Proxy

Deploy the OAuth Proxy

Prepare Decryption

Configure API Routes

Configure CORS

OAuth Proxy Output

Example Deployment

Conclusion

Join our Newsletter

Start Free Trial

Ready to modernize IAM?