nginx_omniauth_adapter 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c3908b68bd6b56d6a923bca0dc36763e55645a03
+  data.tar.gz: 4aaf9ce2fdb95257094210060b44fdb9e533d163
+SHA512:
+  metadata.gz: 2b42a2d07c831778ea2b9c96e17e928cf2c5c0891edac619d89dfa74d27a14a0994469b2d8fb08e1082b3ce648659e9fbfdc7dcffe461679196621717199dc08
+  data.tar.gz: 366cf4d330531166973f61168e0ccbebf6cbcd7939e5ebc2dd91f87d15aa6cca0ecbca9b18463ce0e44b5b5e27406b6e3c034a889e2ac904dda3185fc9386de8

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.3.0
+before_install: gem install bundler -v 1.10.6

data/Dockerfile

@@ -0,0 +1,18 @@
+FROM quay.io/sorah/rbenv:2.2
+MAINTAINER sorah
+
+RUN mkdir -p /app
+
+ADD Gemfile* /tmp/
+ADD nginx_omniauth_adapter.gemspec /tmp/
+RUN mkdir -p /tmp/lib/nginx_omniauth_adapter
+ADD lib/nginx_omniauth_adapter/version.rb /tmp/lib/nginx_omniauth_adapter/version.rb
+RUN cd /tmp && bundle install -j4 --path vendor/bundle --without 'development test'
+
+WORKDIR /app
+ADD . /app
+RUN cp -a /tmp/.bundle /tmp/vendor /app/
+
+EXPOSE 8080
+ENV RACK_ENV=production
+CMD ["bundle", "exec", "rackup", "-p", "8080", "-o", "0.0.0.0", "config.ru"]

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in nginx_omniauth_adapter.gemspec
+gemspec
+
+gem 'omniauth-github'
+gem 'omniauth-google-oauth2'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Shota Fukumori (sora_h)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,131 @@
+# NginxOmniauthAdapter - Use omniauth for nginx `auth_request` 
+
+Use [omniauth](https://github.com/intridea/omniauth) for your nginx's authentication via ngx_http_auth_request_module.
+
+NginxOmniauthAdapter provides small Rack app (built with Sinatra) for `auth_request`.
+
+## Prerequisite
+
+- nginx with ngx_http_auth_request_module
+
+## Quick example
+
+```
+$ bundle install
+
+$ cd example/
+$ foreman start
+```
+
+http://ngx-auth-test.127.0.0.1.xip.io:18080/
+
+(make sure to have nginx on your PATH)
+
+## Usage
+
+### Steps
+
+1. Start adapter app with proper configuration
+2. enable `auth_request` and add some endpoints on nginx
+  - See `example/nginx-site.conf` for nginx configuration.
+
+### Running with Rubygems
+
+```ruby
+# Gemfile
+gem 'nginx_omniauth_adapter'
+```
+
+Then write `config.ru` then deploy it. (see ./config.ru for example)
+
+### Using docker
+
+TBD
+
+## Configuration
+
+environment variable is available only on included config.ru (or Docker image).
+
+- `:providers`: omniauth provider names.
+- `:secret` `$NGX_OMNIAUTH_SESSION_SECRET`: Rack session secret. Should be set when not on dev mode
+- `:host` `$NGX_OMNIAUTH_HOST`: URL of adapter. This is used for redirection. Should include protocol (e.g. `http://example.com`.)
+  - If this is not specified, adapter will perform redirect using given `Host` header.
+- `:allowed_app_callback_url` `$NGX_OMNIAUTH_ALLOWED_APP_CALLBACK_URL` (regexp): If specified, URL only matches to this are allowed for app callback url.
+- `:allowed_back_to_url` `$NGX_OMNIAUTH_ALLOWED_BACK_TO_URL` (regexp): If specified, URL only matches to this are allowed for back_to url.
+- `:app_refresh_interval` `NGX_OMNIAUTH_APP_REFRESH_INTERVAL` (integer): Interval to require refresh session cookie on app domain (in second, default 1 day).
+- `:adapter_refresh_interval` `NGX_OMNIAUTH_ADAPTER_REFRESH_INTERVAL` (integer): Interval to require re-logging in on adapter domain (in second, default 3 days).
+
+### Included config.ru (or Docker)
+
+You can set configuration via environment variables.
+
+The following variables are only available on included config.ru:
+
+- `$NGX_OMNIAUTH_SESSION_COOKIE_NAME`: session cookie name (default `ngx_oauth`)
+- `$NGX_OMNIAUTH_SESSION_COOKIE_TIMEOUT`: session cookie expiry (default 3 days)
+- `$NGX_OMNIAUTH_DEV=1` or `$RACK_ENV=development`
+  - enable dev mode (omniauth developer provider)
+- github provider
+  - `$NGX_OMNIAUTH_GITHUB_KEY`, `$NGX_OMNIAUTH_GITHUB_SECRET`: application key + secret.
+  - `$NGX_OMNIAUTH_GITHUB_HOST`: (optional) Set if you'd like to use GitHub Enterprise instance (e.g. `https://YOUR-GITHUB-ENTERPRISE`)
+  - `$NGX_OMNIAUTH_GITHUB_TEAMS`: (optional) Restrict to specified teams (e.g. `awesomeorganization/owners`)
+- google_oauth2 provider
+  - `$NGX_OMNIAUTH_GOOGLE_KEY`, `$NGX_OMNIAUTH_GOOGLE_SECRET`: oauth2 key + secret.
+  - `$NGX_OMNIAUTH_GOOGLE_HD`: (optional) Restrict to specified hosted domain (Google Apps Domain).
+
+
+
+### Manually (Rack)
+
+If you're going to write `config.ru` from scratch, make sure:
+
+- OmniAuth is included in middleware stack
+- Rack session is enabled in middleware stack
+
+Then run:
+
+``` ruby
+run NginxOmniauthAdapter.app(
+  providers: %i(developer),
+  secret: secret_base64, # optional
+  # ... (set more configuration, see above variable list)
+)
+```
+
+## How it works
+
+1. _browser_ access to restricted area (where `auth_request` has enabled)
+2. _nginx_ sends subrequest to `/_auth/challenge`. It will be proxied to _adapter app_ (`GET /test`)
+3. _adapter app_ `/test` returns 401 when _request (browser)_ doesn't have valid cookie
+4. _nginx_ handles 401 with `error_page`, so do internal redirection (`/_auth/initiate`)
+5. _nginx_ handles `/_auth/initiate`. It will be proxied to _adapter app_ `GET /initiate`.
+  - Also _nginx_ passes some information for callback to _adapter app._
+  - `x-ngx-oauth-initiate-back-to` URL to back after logged in
+  - `x-ngx-oauth-initiate-callback` URL that proxies to _adapter app_ `/callback`. This must be same domain to _backend app_ for cookie.
+6. _adapter app_ `GET /initiate` redirects to `/auth/:provider`.
+7. _Browser_ do some authenticate in _adapter app_ with Omniauth.
+8. _adapter app's_ omniauth callback sets valid session, then redirects to `/_auth/callback`, where specified at `x-ngx-oauth-initiate-callback`.
+  - _Adapter app_ gives GET parameter named `session` on redirect. It contains encrypted session.
+9. _nginx_ handles `/_auth/callback`. It will be proxied to _adapter app_ `/callback`.
+  - This decrypts given encrypted session string and set to cookie.
+  - Then redirect to `x-ngx-oauth-initiate-back-to`.
+10. _browser_ backs to URL where attempted to access first, at step 1.
+11. _nginx_ sends auth subrequest to _backend app_ `/test`.
+12. _backend app_ `/test` returns 200, because request has valid session cookie.
+13. _nginx_ returns response as usual.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/nginx_omniauth_adapter.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/config.ru

@@ -0,0 +1,106 @@
+require 'nginx_omniauth_adapter'
+require 'omniauth'
+require 'open-uri'
+require 'json'
+
+dev = ENV['NGX_OMNIAUTH_DEV'] == '1' || ENV['RACK_ENV'] == 'development'
+test = ENV['RACK_ENV'] == 'test'
+
+if test
+  dev = true
+  warn 'TEST MODE'
+  OmniAuth.config.test_mode = true
+  OmniAuth.config.mock_auth[:developer] = {provider: 'developer', uid: '42', info: {}}
+end
+
+if !dev && !ENV['NGX_OMNIAUTH_SESSION_SECRET']
+  raise 'You should specify $NGX_OMNIAUTH_SESSION_SECRET'
+end
+
+allowed_app_callback_url = if ENV['NGX_OMNIAUTH_ALLOWED_APP_CALLBACK_URL']
+                             Regexp.new(ENV['NGX_OMNIAUTH_ALLOWED_APP_CALLBACK_URL'])
+                           else
+                             nil
+                           end
+
+allowed_back_to_url      = if ENV['NGX_OMNIAUTH_ALLOWED_BACK_TO_URL']
+                             Regexp.new(ENV['NGX_OMNIAUTH_ALLOWED_BACK_TO_URL'])
+                           else
+                             nil
+                           end
+
+use(
+  Rack::Session::Cookie,
+  key:          ENV['NGX_OMNIAUTH_SESSION_COOKIE_NAME'] || 'ngx_oauth',
+  expire_after: ENV['NGX_OMNIAUTH_SESSION_COOKIE_TIMEOUT'] ? ENV['NGX_OMNIAUTH_SESSION_COOKIE_TIMEOUT'].to_i : (60 * 60 * 24 * 3),
+  secret:       ENV['NGX_OMNIAUTH_SESSION_SECRET'] || 'ngx_oauth_secret_dev',
+  old_secret:   ENV['NGX_OMNIAUTH_SESSION_SECRET_OLD'],
+)
+
+providers = []
+
+gh_teams = ENV['NGX_OMNIAUTH_GITHUB_TEAMS'] && ENV['NGX_OMNIAUTH_GITHUB_TEAMS'].split(/[, ]/)
+
+use OmniAuth::Builder do
+  if ENV['NGX_OMNIAUTH_GITHUB_KEY'] && ENV['NGX_OMNIAUTH_GITHUB_SECRET']
+    require 'omniauth-github'
+    gh_client_options = {}
+    if ENV['NGX_OMNIAUTH_GITHUB_HOST']
+      gh_client_options[:site] = "#{ENV['NGX_OMNIAUTH_GITHUB_HOST']}/api/v3"
+      gh_client_options[:authorize_url] = "#{ENV['NGX_OMNIAUTH_GITHUB_HOST']}/login/oauth/authorize"
+      gh_client_options[:token_url] = "#{ENV['NGX_OMNIAUTH_GITHUB_HOST']}/login/oauth/access_token"
+    end
+
+    gh_scope = ''
+    if ENV['NGX_OMNIAUTH_GITHUB_TEAMS']
+      gh_scope = 'read:org'
+    end
+
+    provider :github, ENV['NGX_OMNIAUTH_GITHUB_KEY'], ENV['NGX_OMNIAUTH_GITHUB_SECRET'], client_options: gh_client_options, scope: gh_scope
+    providers << :github
+  end
+
+  if ENV['NGX_OMNIAUTH_GOOGLE_KEY'] && ENV['NGX_OMNIAUTH_GOOGLE_SECRET']
+    require 'omniauth-google-oauth2'
+    provider :google_oauth2, ENV['NGX_OMNIAUTH_GOOGLE_KEY'], ENV['NGX_OMNIAUTH_GOOGLE_SECRET'], hd: ENV['NGX_OMNIAUTH_GOOGLE_HD']
+    providers << :google_oauth2
+  end
+
+  if dev
+    provider :developer
+    providers << :developer
+  end
+end
+
+run NginxOmniauthAdapter.app(
+  providers: providers,
+  secret: ENV['NGX_OMNIAUTH_SECRET'],
+  host: ENV['NGX_OMNIAUTH_HOST'],
+  allowed_app_callback_url: allowed_app_callback_url,
+  allowed_back_to_url: allowed_back_to_url,
+  app_refresh_interval: ENV['NGX_OMNIAUTH_APP_REFRESH_INTERVAL'] && ENV['NGX_OMNIAUTH_APP_REFRESH_INTERVAL'].to_i,
+  adapter_refresh_interval: ENV['NGX_OMNIAUTH_ADAPTER_REFRESH_INTERVAL'] && ENV['NGX_OMNIAUTH_APP_REFRESH_INTERVAL'].to_i,
+  policy_proc: proc {
+    if gh_teams && current_user[:provider] == 'github'
+      unless (current_user_data[:gh_teams] || []).any? { |team| gh_teams.include?(team) }
+        next false
+      end
+    end
+
+    true
+  },
+  on_login_proc: proc {
+    auth = env['omniauth.auth']
+    case auth[:provider]
+    when 'github'
+      if gh_teams
+        api_host = ENV['NGX_OMNIAUTH_GITHUB_HOST'] ? "#{ENV['NGX_OMNIAUTH_GITHUB_HOST']}/api/v3" : "https://api.github.com"
+        current_user_data[:gh_teams] = open("#{api_host}/user/teams", 'Authorization' => "token #{auth['credentials']['token']}") { |io|
+          JSON.parse(io.read).map {|_| "#{_['organization']['login']}/#{_['slug']}" }.select { |team| gh_teams.include?(team) }
+        }
+      end
+    end
+
+    true
+  },
+)

data/example/Procfile

@@ -0,0 +1,3 @@
+nginx: nginx -c `pwd`/nginx.conf
+adapter: bundle exec env RACK_ENV=development NGX_OMNIAUTH_HOST=http://ngx-auth.127.0.0.1.xip.io:18080 rackup -p 18081 -o 127.0.0.1 ../config.ru
+app: bundle exec ruby test_backend.rb -p 18082 -o 127.0.0.1

data/example/nginx-site.conf

@@ -0,0 +1,73 @@
+# vim: ft=nginx
+
+# nginx_omniauth_adapter app
+upstream auth_adapter {
+  server 127.0.0.1:18081 fail_timeout=0;
+}
+server {
+  listen 127.0.0.1:18080;
+  server_name ngx-auth.127.0.0.1.xip.io;
+
+  location / {
+    proxy_pass http://auth_adapter;
+    proxy_set_header Host $http_host;
+  }
+}
+
+# server where you want to restrict access
+upstream app {
+  server 127.0.0.1:18082 fail_timeout=0;
+}
+server {
+  listen 127.0.0.1:18080;
+  server_name ngx-auth-test.127.0.0.1.xip.io;
+
+  # Restricted area
+  location / {
+    auth_request /_auth/challenge;
+    # Trick - do internal redirection when auth_request says "need auth". 
+    error_page 401 = /_auth/initiate;
+
+    # Receive user info from adapter
+    auth_request_set $ngx_oauth_provider $upstream_http_x_ngx_oauth_provider;
+    auth_request_set $ngx_oauth_user $upstream_http_x_ngx_oauth_user;
+    auth_request_set $ngx_oauth_info $upstream_http_x_ngx_oauth_info;
+    proxy_set_header x-ngx-oauth-provider $ngx_oauth_provider;
+    proxy_set_header x-ngx-oauth-user $ngx_oauth_user;
+    proxy_set_header x-ngx-oauth-info $ngx_oauth_info;
+
+    # pass to backend application as usual as you do.
+    proxy_pass http://app;
+  }
+
+  # STEP 1, Internal endpoint: test still session is valid (adapter: GET /test)
+  location = /_auth/challenge {
+    internal;
+
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+    proxy_set_header Host $http_host;
+
+    proxy_pass http://auth_adapter/test;
+  }
+
+  # STEP 2, Internal endpoint: Initiate authentication. Will redirect to adapter for omniauth sequence. (adapter: GET /initiate)
+  location = /_auth/initiate {
+    internal;
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+    proxy_set_header Host $http_host;
+    proxy_set_header x-ngx-oauth-initiate-back-to http://$http_host$request_uri;
+    proxy_set_header x-ngx-oauth-initiate-callback http://$http_host/_auth/callback;
+    proxy_pass http://auth_adapter/initiate;
+  }
+
+  # STEP 3, adapter will back here when authentication succeeded. proxy_pass to adapter to set session cookie.
+  location = /_auth/callback {
+    auth_request off;
+
+    proxy_set_header Host $http_host;
+
+    proxy_pass http://auth_adapter/callback;
+  }
+}

data/example/nginx.conf

@@ -0,0 +1,17 @@
+# vim: ft=nginx
+worker_processes 1;
+daemon off;
+
+error_log stderr;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  default_type  application/octet-stream;
+
+  server_names_hash_bucket_size 128;
+
+  include nginx-site.conf;
+}

data/example/test_backend.rb

@@ -0,0 +1,21 @@
+require 'sinatra'
+require 'json'
+
+get '/' do
+  content_type :text
+
+  {
+    provider: request.env['HTTP_X_NGX_OAUTH_PROVIDER'],
+    user: request.env['HTTP_X_NGX_OAUTH_USER'],
+    info: JSON.parse(request.env['HTTP_X_NGX_OAUTH_INFO'].unpack('m*')[0]),
+  }.to_json
+end
+
+get '/hello' do
+  content_type :text
+  'hola'
+end
+
+get '/unauthorized' do
+  [401, {'Content-Type' => 'text/plain'}, '401 :(']
+end

data/lib/nginx_omniauth_adapter/app.rb

@@ -0,0 +1,281 @@
+require 'sinatra/base'
+require 'uri'
+require 'time'
+require 'openssl'
+require 'json'
+
+module NginxOmniauthAdapter
+  class App < Sinatra::Base
+    CONTEXT_RACK_ENV_NAME = 'nginx-oauth2-adapter'.freeze
+    SESSION_PASS_CIPHER_ALGORITHM = 'aes-256-gcm'.freeze
+
+    set :root, File.expand_path(File.join(__dir__, '..', '..', 'app'))
+
+    def self.initialize_context(config)
+      {}.tap do |ctx|
+        ctx[:config] = config
+      end
+    end
+
+    def self.rack(config={})
+      klass = self
+
+      context = initialize_context(config)
+      app = lambda { |env|
+        env[CONTEXT_RACK_ENV_NAME] = context
+        klass.call(env)
+      }
+    end
+
+    helpers do
+      def context
+        request.env[CONTEXT_RACK_ENV_NAME]
+      end
+
+      def adapter_config
+        context[:config]
+      end
+
+      def adapter_host
+        adapter_config[:host]
+      end
+
+      def providers
+        adapter_config[:providers]
+      end
+
+      def allowed_back_to_url
+        adapter_config[:allowed_back_to_url] || /./
+      end
+
+      def allowed_app_callback_url
+        adapter_config[:allowed_app_callback_url] || /./
+      end
+
+      def on_login_proc
+        adapter_config[:on_login_proc] || proc { true }
+      end
+
+      def policy_proc
+        adapter_config[:policy_proc] || proc { true }
+      end
+
+      def default_back_to
+        # TODO:
+        '/'
+      end
+
+      def sanitized_back_to_param
+        p params[:back_to]
+        if allowed_back_to_url === params[:back_to]
+          params[:back_to]
+        else
+          nil
+        end
+      end
+
+      def sanitized_app_callback_param
+        p params[:callback]
+        if allowed_app_callback_url === params[:callback]
+          params[:callback]
+        else
+          nil
+        end
+      end
+
+      def current_user
+        session[:user]
+      end
+
+      def current_user_data
+        session[:user_data] ||= {}
+      end
+
+      def current_authorized_at
+        session[:authorized_at] && Time.xmlschema(session[:authorized_at])
+      end
+
+      def current_logged_in_at
+        session[:logged_in_at] && Time.xmlschema(session[:logged_in_at])
+      end
+
+      def app_refresh_interval
+        adapter_config[:app_refresh_interval] || (60 * 60 * 24)
+      end
+
+      def adapter_refresh_interval
+        adapter_config[:adapter_refresh_interval] || (60 * 60 * 24 * 30)
+      end
+
+      def app_authorization_expired?
+        app_refresh_interval && current_user && (Time.now - current_authorized_at) > app_refresh_interval
+      end
+
+      def adapter_authorization_expired?
+        adapter_refresh_interval && current_user && (Time.now - current_logged_in_at) > adapter_refresh_interval
+      end
+
+      def update_session!(auth = nil)
+        unless session[:app_callback]
+          raise '[BUG] app_callback is missing'
+        end
+
+        common_session = {
+          logged_in_at: session[:logged_in_at],
+          user_data: current_user_data,
+        }
+
+        if auth
+          common_session[:user] = {
+            uid: auth[:uid],
+            info: auth[:info],
+            provider: auth[:provider],
+          }
+        else
+          common_session[:user] = session[:user]
+        end
+
+        adapter_session = common_session.merge(
+          side: :adapter,
+        )
+
+        app_session = common_session.merge(
+          side: :app,
+          back_to: session.delete(:back_to),
+          authorized_at: Time.now.xmlschema,
+        )
+
+        session.merge!(adapter_session)
+
+        session_param = encrypt_session_param(app_session)
+        redirect "#{session.delete(:app_callback)}?session=#{session_param}"
+      end
+
+      def secret_key
+        context[:secret_key] ||= begin
+          if adapter_config[:secret]
+            adapter_config[:secret].unpack('m*')[0]
+          else
+            cipher = OpenSSL::Cipher.new(SESSION_PASS_CIPHER_ALGORITHM)
+            warn "WARN: :secret not set; generating randomly."
+            warn "      If you'd like to persist, set `openssl rand -base64 #{cipher.key_len}` . Note that you have to keep it secret."
+
+            OpenSSL::Random.random_bytes(cipher.key_len)
+          end
+        end
+      end
+
+      def encrypt_session_param(session_param)
+        iv = nil
+        cipher ||= OpenSSL::Cipher.new(SESSION_PASS_CIPHER_ALGORITHM).tap do |c|
+          c.encrypt
+          c.key = secret_key
+          c.iv = iv = c.random_iv
+          c.auth_data = ''
+        end
+
+        plaintext = Marshal.dump(session_param)
+
+        ciphertext = cipher.update(plaintext)
+        ciphertext << cipher.final
+
+        URI.encode_www_form_component([{
+          "iv" => [iv].pack('m*'),
+          "data" => [ciphertext].pack('m*'),
+          "tag" => [cipher.auth_tag].pack('m*'),
+        }.to_json].pack('m*'))
+      end
+
+      def decrypt_session_param(raw_data)
+        data = JSON.parse(raw_data.unpack('m*')[0])
+
+        cipher ||= OpenSSL::Cipher.new(SESSION_PASS_CIPHER_ALGORITHM).tap do |c|
+          c.decrypt
+          c.key = secret_key
+          c.iv = data['iv'].unpack('m*')[0]
+          c.auth_data = ''
+          c.auth_tag = data['tag'].unpack('m*')[0]
+        end
+
+        plaintext = cipher.update(data['data'].unpack('m*')[0])
+        plaintext << cipher.final
+
+        Marshal.load(plaintext)
+      end
+
+    end
+
+    get '/' do
+      content_type :text
+      "NginxOmniauthAdapter #{NginxOmniauthAdapter::VERSION}"
+    end
+
+    get '/test' do
+      unless current_user
+        halt 401
+      end
+
+      if app_authorization_expired?
+        halt 401
+      end
+
+      unless instance_eval(&policy_proc)
+        halt 403
+      end
+
+      headers(
+        'x-ngx-oauth-provider' => current_user[:provider],
+        'x-ngx-oauth-user' => current_user[:uid],
+        'x-ngx-oauth-info' => [current_user[:info].to_json].pack('m*'),
+      )
+
+      content_type :text
+      'ok'.freeze
+    end
+
+    get '/initiate' do
+      back_to = URI.encode_www_form_component(request.env['HTTP_X_NGX_OAUTH_INITIATE_BACK_TO'])
+      callback = URI.encode_www_form_component(request.env['HTTP_X_NGX_OAUTH_INITIATE_CALLBACK'])
+
+      if back_to == '' || callback == '' || back_to.nil? || callback.nil?
+        halt 400, {'Content-Type' => 'text/plain'}, 'x-ngx-oauth-initiate-back-to and x-ngx-oauth-initiate-callback header are required'
+      end
+
+      redirect "#{adapter_host}/auth?back_to=#{back_to}&callback=#{callback}"
+    end
+
+    get '/auth' do
+      # TODO: choose provider
+      session[:back_to] = sanitized_back_to_param
+      session[:app_callback] = sanitized_app_callback_param
+      p [:auth, session]
+
+      if current_user && !adapter_authorization_expired?
+        p [:auth, :update]
+        update_session!
+      else
+        p [:auth, :redirect]
+        redirect "#{adapter_host}/auth/#{providers[0]}"
+      end
+    end
+
+    omniauth_callback = proc do
+      session[:user_data] = {}
+
+      unless instance_eval(&on_login_proc)
+        halt 403, {'Content-Type' => 'text/plain'}, 'Forbidden (on_login_proc policy)'
+      end
+
+      session[:logged_in_at] = Time.now.xmlschema
+      update_session! env['omniauth.auth']
+    end
+    get '/auth/:provider/callback', &omniauth_callback
+    post '/auth/:provider/callback', &omniauth_callback
+
+    get '/callback' do # app side
+      app_session = decrypt_session_param(params[:session])
+      session.merge!(app_session)
+      redirect session.delete(:back_to)
+    end
+  end
+end

data/lib/nginx_omniauth_adapter/version.rb

@@ -0,0 +1,3 @@
+module NginxOmniauthAdapter
+  VERSION = "0.1.0"
+end

data/lib/nginx_omniauth_adapter.rb

@@ -0,0 +1,8 @@
+require "nginx_omniauth_adapter/version"
+require "nginx_omniauth_adapter/app"
+
+module NginxOmniauthAdapter
+  def self.app(*args)
+    App.rack *args
+  end
+end

data/nginx_omniauth_adapter.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'nginx_omniauth_adapter/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "nginx_omniauth_adapter"
+  spec.version       = NginxOmniauthAdapter::VERSION
+  spec.authors       = ["Shota Fukumori (sora_h)"]
+  spec.email         = ["her@sorah.jp"]
+
+  spec.summary       = %q{oauth2 adapter for ngx_http_auth_request_module}
+  spec.homepage      = "https://github.com/sorah/nginx_omniauth_adapter"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "bin"
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "sinatra"
+  spec.add_dependency "omniauth"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rack-test"
+  spec.add_development_dependency "mechanize"
+end

data/script/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "nginx_omniauth_adapter"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/script/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

metadata

@@ -0,0 +1,161 @@
+--- !ruby/object:Gem::Specification
+name: nginx_omniauth_adapter
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Shota Fukumori (sora_h)
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-09-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mechanize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- her@sorah.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Dockerfile
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- config.ru
+- example/Procfile
+- example/nginx-site.conf
+- example/nginx.conf
+- example/test_backend.rb
+- lib/nginx_omniauth_adapter.rb
+- lib/nginx_omniauth_adapter/app.rb
+- lib/nginx_omniauth_adapter/version.rb
+- nginx_omniauth_adapter.gemspec
+- script/console
+- script/setup
+homepage: https://github.com/sorah/nginx_omniauth_adapter
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.0
+signing_key: 
+specification_version: 4
+summary: oauth2 adapter for ngx_http_auth_request_module
+test_files: []