Oauth2-proxy: Caching of auth cookie with nginx?

Created on 5 Jul 2020  路  6Comments  路  Source: oauth2-proxy/oauth2-proxy

I am trying to reduce calls to oauth2-proxy configured to authenticate against Google.
In my nginx config I added:

proxy_cache_path        /var/run/cache levels=1:2 keys_zone=authentication:10m inactive=3s;
....
location = /oauth2/auth {
        ....
        proxy_cache                   authentication;
        proxy_cache_key               $cookie__oauth2_proxy;
        proxy_cache_valid             202 401 300s;
        proxy_cache_lock              on;
        proxy_ignore_headers          Set-Cookie;
}

But this does not work. Nothing about this in the docs either.
I have cookie_name = "_oauth2_proxy" in config.

And when I refresh a page in browser for several subsequent calls (html, ajax, etc) it seems it sends a request to google to each request. I'd like to avoid that.

127.0.0.1 - [email protected] [2020/07/05 14:17:46] mydomain GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0" 202 0 0.063
[2020/07/05 14:17:46] [oauthproxy.go:917] Refreshing 2h11m23.129519412s old session cookie for Session{email:[email protected] user:110730624193233073775 PreferredUsername: token:true id_token:true created:2020-07-05 12:06:22.870480588 +0300 MSK expires:2020-07-05 14:33:52 +0300 MSK refresh_token:true} (refresh after 1h0m0s)
[2020/07/05 14:17:46] [internal_util.go:68] 200 GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.xxxxxxxxxxxx_CQ3zD_Gs3JRo1axTr8SJJ_Tlkltn8FKMlNeX-iwTsQfeEl9TfZd5ARFDLF01... {
  "issued_to": "2635746532-438658743265827643587263485.apps.googleusercontent.com",
  "audience": "2635746532-438658743265827643587263485.apps.googleusercontent.com",
  "user_id": "110730624193233073775",
  "scope": "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email openid",
  "expires_in": 966,
  "email": "[email protected]",
  "verified_email": true,
  "access_type": "offline"
}

127.0.0.1 - [email protected] [2020/07/05 14:17:46] mydomain GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0" 202 0 0.061
[2020/07/05 14:17:46] [oauthproxy.go:917] Refreshing 2h11m23.129519412s old session cookie for Session{email:[email protected] user:110730624193233073775 PreferredUsername: token:true id_token:true created:2020-07-05 12:06:22.870480588 +0300 MSK expires:2020-07-05 14:33:52 +0300 MSK refresh_token:true} (refresh after 1h0m0s)
[2020/07/05 14:17:46] [internal_util.go:68] 200 GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.xxxxxxxxxxxx_CQ3zD_Gs3JRo1axTr8SJJ_Tlkltn8FKMlNeX-iwTsQfeEl9TfZd5ARFDLF01... {
  "issued_to": "2635746532-438658743265827643587263485.apps.googleusercontent.com",
  "audience": "2635746532-438658743265827643587263485.apps.googleusercontent.com",
  "user_id": "110730624193233073775",
  "scope": "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email openid",
  "expires_in": 966,
  "email": "[email protected]",
  "verified_email": true,
  "access_type": "offline"
}

127.0.0.1 - [email protected] [2020/07/05 14:17:46] mydomain GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0" 202 0 0.088
[2020/07/05 14:17:46] [oauthproxy.go:917] Refreshing 2h11m23.129519412s old session cookie for Session{email:[email protected] user:110730624193233073775 PreferredUsername: token:true id_token:true created:2020-07-05 12:06:22.870480588 +0300 MSK expires:2020-07-05 14:33:52 +0300 MSK refresh_token:true} (refresh after 1h0m0s)
[2020/07/05 14:17:46] [internal_util.go:68] 200 GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.xxxxxxxxxxxx_CQ3zD_Gs3JRo1axTr8SJJ_Tlkltn8FKMlNeX-iwTsQfeEl9TfZd5ARFDLF01... {
  "issued_to": "2635746532-438658743265827643587263485.apps.googleusercontent.com",
  "audience": "2635746532-438658743265827643587263485.apps.googleusercontent.com",
  "user_id": "110730624193233073775",
  "scope": "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email openid",
  "expires_in": 966,
  "email": "[email protected]",
  "verified_email": true,
  "access_type": "offline"
}
configuration docs help wanted question

Most helpful comment

I've built the latest version and tested. It seems it works perfectly now. Thank you a lot!

All 6 comments

I know this kind of solution used to work, but we added no cache headers in #453 which are now sending headers which may break Nginxs caching, perhaps there's a way to tell nginx to ignore those headers?

Interesting, but does not seem to work..
I tried to add this:

      proxy_ignore_headers  Cache-Control Expires Set-Cookie;

Nothing changed. Maybe I miss something. Do you have tests or maybe working example with caching?

And I see many such records in the log file, but they look too fast executed to be passed to Google. Can you confirm they could be taken from proxy's cache (session/redis) though look like real requests?

[2020/07/05 15:52:59] [oauthproxy.go:917] Refreshing 3h46m36.129519412s old session cookie for Session{blablabla} (refresh after 1h0m0s)
[2020/07/05 15:52:59] [internal_util.go:68] 200 GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=XXXXXX

Right now I plan to use oauth2-proxy along with nginx on the same server with relatively small load. So this is not a critical issue for me. But soon I plan to move it to a separate server and join several services to authenticate users as SSO, and I would not like to have additional internal requests on each ajax call (especially outside to Google).

I just found this in my gists which I know used to work before we added the cache headers, it looks though your config pretty much matches https://gist.github.com/JoelSpeed/9f4dbf6f79f6498d12ccd6ff0bc096e2

That does however add a response header telling if the cache was hit or not, that may be worth adding to your config to help debugging

Yes, I've found that your gist already and actually it was an example where I started with. I came asking only when I lost a hope to resolve it myself.

@ba1dr Could you check #661?

I've built the latest version and tested. It seems it works perfectly now. Thank you a lot!

Was this page helpful?
0 / 5 - 0 ratings