
Alternative to LDAP? #60

Closed
TiagoTT opened this issue Mar 27, 2018 · 4 comments

Comments

@TiagoTT
Contributor

TiagoTT commented Mar 27, 2018

While we had plans to use LDAP initially, we are also looking at an alternative way to pass user data (name, email and groups) into the PHP application.
As we already use Google Oauth to authenticate users, we considered using Google Directory as an alternative to LDAP.

While trying to keep this new feature generic and not dependent on Google Oauth or Google Directory, I imagined that the webserver would be responsible to get all user data and pass it via PHP variables, just like the PHP_AUTH_USER variable is passed already. This should be compatible with any Single-Sign-On system that can get the required user data into variables.

I have a working prototype code that is not very polished yet: BrandwatchLtd@26e9e4f
In case this is an interesting feature, I can open a PR. What do you think?

@thomas-pike
Collaborator

I've taken a look at the code and I like what I see; definitely worthy of a PR. I'm interested to hear how well the setup works for you.

@TiagoTT
Contributor Author

TiagoTT commented Mar 27, 2018

Ok, PR is here: #61
--- edited ---
We are using a modified version of nginx-google-oauth (still in development): https://github.com/BrandwatchLtd/nginx-google-oauth
And the following NGINX configuration to match.

server {
	server_name dns-ui.example.com;
	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

	root /home/dnsui/dns-ui/public_html;
	index init.php;

	access_by_lua_file		/etc/nginx/lua/nginx-google-oauth/access.lua;
	lua_ssl_trusted_certificate	/etc/ssl/certs/ca-certificates.crt;
	lua_ssl_verify_depth		3;
	# Workaround to avoid IPv6 DNS responses, in case you don't have IPv6 connectivity.
	resolver			10.2.2.2 10.2.2.3 ipv6=off;
	set $ngo_client_id		xxx.apps.googleusercontent.com;
	set $ngo_client_secret		yyy;
	set $ngo_domain			example.com;
	set $ngo_http_only_cookies	true;
	set $ngo_secure_cookies		true;
	set $ngo_token_secret		"a very long randomish string";
	# Required to get the authenticated user name filled for later usage.
	set $ngo_user			true;
	set $ngo_email			true;
	set $ngo_name			true;
	set $ngo_allowed_groups		"engineering";
	set $ngo_groups			true;
	set $ngo_service_account_json_file /path/to/google-service-account.json;
	set $ngo_organization_admin_email [email protected];

	location / {
		try_files $uri $uri/ @php;
	}

	location @php {
		rewrite ^/(.*)$ /init.php/$1 last;
	}

	location /init.php {
		# Mitigate https://httpoxy.org/ vulnerabilities
		fastcgi_param HTTP_PROXY "";

		fastcgi_pass unix:/run/php/php7.0-fpm.sock;
		include /etc/nginx/snippets/fastcgi-php.conf;

		fastcgi_param PHP_AUTH_USER   $ngo_user;
		fastcgi_param PHP_AUTH_EMAIL  $ngo_email;
		fastcgi_param PHP_AUTH_NAME   $ngo_name;
		fastcgi_param PHP_AUTH_GROUPS $ngo_groups;
	}
}

We are still trying to simplify the nginx-google-oauth code but the PHP_AUTH_* variables will remain as the way to pass user details into the PHP application.
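As an added illustration of the receiving side of the configuration above (this is example code, not code from dns-ui or nginx-google-oauth), the following PHP front-controller fragment reads the PHP_AUTH_* variables that the `fastcgi_param` lines inject and turns them into an identity object. Two assumptions not stated in the thread: `PHP_AUTH_GROUPS` is assumed to be a comma-separated list, and the location is assumed to be reachable only after `access_by_lua_file` has run, so an empty `PHP_AUTH_USER` is treated as "not authenticated" and refused. One property worth knowing when relying on this pattern: browser-supplied request headers reach PHP under the `HTTP_` prefix (a forged `PHP-Auth-User:` header becomes `$_SERVER['HTTP_PHP_AUTH_USER']`), so they cannot overwrite a `PHP_AUTH_USER` value set by the web server. The code is written to run on PHP 7.0, matching the `php7.0-fpm` socket in the configuration.

```php
<?php
// Added example, not part of dns-ui: consume the SSO identity that NGINX
// passes through fastcgi_param (PHP_AUTH_USER, PHP_AUTH_EMAIL,
// PHP_AUTH_NAME, PHP_AUTH_GROUPS) as shown in the configuration above.
//
// Assumptions (not from the issue thread):
//   - PHP_AUTH_GROUPS is a comma-separated list of group names;
//   - this script only runs behind the access.lua gate, so an empty
//     PHP_AUTH_USER means the request was not authenticated.

final class SsoIdentity {
    /** @var string */ public $username;
    /** @var string */ public $email;
    /** @var string */ public $name;
    /** @var string[] */ public $groups;

    public function __construct($username, $email, $name, array $groups) {
        $this->username = $username;
        $this->email    = $email;
        $this->name     = $name;
        $this->groups   = $groups;
    }
}

/**
 * Build an identity from server-provided variables, or return null when
 * no usable authenticated user is present.
 *
 * Only the PHP_AUTH_* names set by fastcgi_param are consulted. Headers sent
 * by the client land in $server under the HTTP_ prefix, so a forged
 * "PHP-Auth-User:" header shows up as HTTP_PHP_AUTH_USER and is ignored here.
 *
 * @param array $server normally $_SERVER
 * @return SsoIdentity|null
 */
function identity_from_server(array $server) {
    $user = trim(isset($server['PHP_AUTH_USER']) ? (string)$server['PHP_AUTH_USER'] : '');
    if ($user === '') {
        return null; // not authenticated: caller must deny
    }
    // Constrain the username to a conservative character set before it is
    // used in logs, templates or database queries.
    if (!preg_match('/^[A-Za-z0-9._@+-]{1,254}$/', $user)) {
        return null;
    }

    $email = trim(isset($server['PHP_AUTH_EMAIL']) ? (string)$server['PHP_AUTH_EMAIL'] : '');
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $email = ''; // malformed address: drop it rather than store it
    }

    $name = trim(isset($server['PHP_AUTH_NAME']) ? (string)$server['PHP_AUTH_NAME'] : '');

    // Assumed format: comma-separated group names. Trim, drop empties, dedupe.
    $raw    = isset($server['PHP_AUTH_GROUPS']) ? (string)$server['PHP_AUTH_GROUPS'] : '';
    $groups = array_map('trim', explode(',', $raw));
    $groups = array_filter($groups, function ($g) { return $g !== ''; });
    $groups = array_values(array_unique($groups));

    return new SsoIdentity($user, $email, $name, $groups);
}

/**
 * Deny the request unless the identity carries the required group.
 */
function require_group(SsoIdentity $id, $group) {
    if (!in_array($group, $id->groups, true)) {
        http_response_code(403);
        exit('Forbidden: membership of group ' .
             htmlspecialchars($group, ENT_QUOTES, 'UTF-8') . " required\n");
    }
}

// Front-controller usage (e.g. at the top of init.php):
$identity = identity_from_server($_SERVER);
if ($identity === null) {
    http_response_code(401);
    exit("Not authenticated\n");
}
require_group($identity, 'engineering'); // same group as $ngo_allowed_groups above
```

Keeping the parsing in one function makes the trust boundary explicit: everything the application knows about the user comes from variables the web server set after the OAuth check, and the application enforces its own authorization (`require_group`) rather than assuming that reaching the PHP script already implies membership.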

@TiagoTT
Contributor Author

TiagoTT commented Apr 12, 2018

For reference, this is the PR opened on nginx-google-oauth to implement the retrieval of the Google Directory Groups membership list of the authenticated user.
cloudflare/nginx-google-oauth#33

@TiagoTT
Contributor Author

TiagoTT commented Apr 16, 2018

Thanks for reviewing and merging @thomas-pike, I am now closing this issue.
For reference, the suggested change was merged in aefe724.

@TiagoTT TiagoTT closed this as completed Apr 16, 2018