BerandaComputers and TechnologyEnforce Google Authentication for Any Application with Nginx and Vouch Proxy

Enforce Google Authentication for Any Application with Nginx and Vouch Proxy

Vouch Proxy, written in Go, performs a one time authentication against Google (or any other OAuth provider) and then for the next four hours (or more or less if you like) validates requests in less than 1ms using a JSON Web Token (JWT).

This is the first in a series of posts showing how to setup nginx and Vouch Proxy with a variety of OAuth providers.

Image for post

Image for post

centralize authentication for all of your in-house web applications

Lets say you help to administer a network for an organization that uses GSuite by Google for GMail, Drive, Docs, Groups, Calendar, etc. As team members join or leave the organization you add and remove access to the organization’s Google account. At the same time you provide access to other web based tools your group uses hosted privately on your own servers.

With Nginx’s auth_request module and Vouch Proxy, you can enforce OAuth login to GSuite. As your team members change, you can add and remove accounts via Google and be assured that proper access rights are being maintained without having to touch every application you’re running and manage access on each application individually. No Puppet, no Chef, no Ansible, no re-deployments, no running around trying to be sure you got them all.

Image for post

Image for post

For every request received for nginx first forwards the request to Lasso via the auth_request module. Lasso reviews the request headers and responds to nginx with 200 OK for authorized requests or with 401 Not Authorized . Authorization takes less than 1ms.

If the request is authorized it will be forwarded through to

If the request is not authorized then nginx 302 redirect the end user’s browser first to Vouch Proxy, which immediately 302 redirect the end user on to Google’s OAuth Login screen…

Image for post

Image for post

After successful login, Google returns the user back to Vouch Proxy. Vouch Proxy sets the JWT into a cookie and 302 redirect back to

While the end user interacts with Vouch Proxy twice, its unlikely that they will even notice that Vouch Proxy was involved.

Read More



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments