passing up headers from auth_request

Solution 1:

Ok, I was able to do that with the help of the headers_more module.

The full configuration is:

location = /jwtverify {
  internal;
  proxy_pass              http://auth-module:8080/auth/verify;
  proxy_pass_request_body off;
  proxy_set_header        Content-Length "";
  proxy_set_header        X-Original-URI $request_uri;
}

location /profile {
  auth_request /jwtverify;

  # this gets called right after auth_request returns.
  # it reads http "authorization" header from upstream (= auth_request)
  # and sets it to the variable $auth_header
  # https://stackoverflow.com/a/31485557/1759845
  auth_request_set $auth_header $upstream_http_authorization;

  # this gets called right before sending response to client.
  # it adds the previously set variable (= "authorization" 
  # header from auth_request) to the response
  more_set_headers "Authorization: $auth_header";

  proxy_pass        http://private-profile:80;
}

Solution 2:

This is how I was able to solve this without a custom module:

location /auth {
  internal;
  proxy_pass http://localhost:3000/auth;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";
  proxy_set_header X-Original-URI $request_uri;
  proxy_set_header X-Original-Remote-Addr $remote_addr;
  proxy_set_header X-Original-Host $host;
}

location /protected {
  auth_request /auth;
  auth_request_set $authentication_id $sent_http_x_authentication_id;
  proxy_pass http://localhost:3000/protected;
  proxy_set_header X-Original-URI $request_uri;
  proxy_set_header X-Original-Remote-Addr $remote_addr;
  proxy_set_header X-Original-Host $host;
  proxy_set_header X-Authentication-Id: $authentication_id;
}
  1. Have your /auth endpoint include a response header. Mine sets X-Authentication-Id
  2. Use auth_request_set to set a variable based on the response header
  3. Use the variable to set the header as part of the /protected request