Enforce Google Authentication for Any Application with nginx and Lasso

By configuring your nginx webserver to use the auth_request module and Lasso you can protect any website with Google Authentication.

Lasso, written in Go, performs a one time authentication against Google (or any other OAuth provider) and then for the next four hours (or more or less if you like) validates requests in less than 1ms using a JSON Web Token (JWT).

This is the first in a series of posts showing how to setup nginx and Lasso with a variety of OAuth providers.

centralize authentication for all of your in-house web applications

Lets say you help to administer a network for an organization that uses GSuite by Google for GMail, Drive, Docs, Groups, Calendar, etc. As team members join or leave the organization you add and remove access to the organization’s Google account. At the same time you provide access to other web based tools your group uses hosted privately on your own servers.

With Nginx’s auth_request module and Lasso, you can enforce OAuth login to GSuite. As your team members change, you can add and remove accounts via Google and be assured that proper access rights are being maintained without having to touch every application you’re running and manage access on each application individually. No Puppet, no Chef, no Ansible, no re-deployments, no running around trying to be sure you got them all.

Nginx and Lasso to the Rescue!

For every request received for private.yourcorp.com nginx first forwards the request to Lasso via the auth_request module. Lasso reviews the request headers and responds to nginx with 200 OK for authorized requests or with 401 Not Authorized . Authorization takes less than 1ms.

If the request is authorized it will be forwarded through to private.yourcorp.com

If the request is not authorized then nginx 302 redirect the end user’s browser first to Lasso, which immediately 302 redirect the end user on to Google’s OAuth Login screen…

After successful login, Google returns the user back to Lasso. Lasso sets the JWT into a cookie and 302 redirect back to private.yourcorp.com.

While the end user interacts with Lasso twice, its unlikely that they will even notice that Lasso was involved.

4 Easy Steps to Install Lasso and Configure Nginx

Should take less than 20 Minutes

Step 1: install Lasso

go get github.com/LassoProject/lasso
cd ~/go/src/github.com/LassoProject/lasso
go build
cp config/config.yml_example_google config/config.yml

Lasso can also be run as a Docker container

Step 2: create a Google OAuth App and configure Lasso

use Google’s developer console to generate the client_id and the client_secret and to set your callback_urls . Add these to config/config.yml

Also add your top level domains and/or private domains to the lasso.domains configuration option

more options available in the full lasso config

Add the following to the nginx server {} block for each webapp you’d like to secure..

adding lasso to the nginx config is straight forward

Step 4: run Lasso!


And that’s it! It really should be that easy.

But if it’s not, please do reach out to us on github or on the freenode irc channel #lasso. We‘re happy to help you get Lasso up and running.

If you find Lasso to be of use to you, please do us the kind favor of letting one other devops professional know about Lasso.

Benjamin Foote is a Systems Engineer and devops pro from Portland Oregon. During his 20 year career Ben has worked with Fortune 500 Corporations, startups and everything in between. Ben has thruhiked the Pacific Crest Trail (2000) and 90% of the Continent Divide Trail (2013). Ben serves as the Board President of Umbrella, a 501c(3) and Oregon non profit organization which sponsors many wonderful projects throughout Portland. When he’s not riding his bicycle to another meeting he can be found tending to his garden.