Thanks for your input. I think I found a solution that will work, so I replied to my original question with the config.
by bmacphee - Nginx Mailing List - English
I had some success doing the intercept at the next level above the auth proxy location like this: (using grpc_intercept_errors)

    server {
        listen 443 ssl http2;
        include grpc_servers.conf;

        # send all requests to the `/validate` endpoint for authorization
        auth_request /validate;
        grpc_intercept_errors on;
        error_page 401 @grpc_auth_fail;

        location = /
by bmacphee - Nginx Mailing List - English
Yes, I was trying various combinations of the following, with no success.

    location @grpc_auth_fail {
        add_trailer grpc-status 16 always;
        add_header grpc-status 16 always;
        add_trailer grpc-message Unauthorized always;
        add_header grpc-message Unauthorized always;
        return 401;
        #return 200;
    }

The choice of 16 for the status was based on this docum
by bmacphee - Nginx Mailing List - English
I appreciate the suggestion but it doesn't look like this is possible to solve with these modules. The authentication part happens as a sub-request, and the response provided by the sub-request influences how the gRPC part is handled at the top level. Unless I can figure out some way to pass variables from the sub-request and handle things differently... I don't know. If I return 200, the request
by bmacphee - Nginx Mailing List - English
I have an nginx configuration that passes gRPC API requests to other services and an authorization endpoint that is used in conjunction. This works great when authorization is successful (my HTTP1 authorization endpoint returns HTTP 2xx status codes). When authorization fails (it returns 401), the gRPC connection initiated by the client receives a gRPC Cancelled(1) status code, rather than what
by bmacphee - Nginx Mailing List - English
I was about to ask a related question. Here is a sample of my config. The only issue is that the gRPC client gets a StatusCode.Cancelled when authorization fails. In this scenario, the auth service at http://auth:5000 is a simple Flask application performing the auth with a 3rd party identity provider. You may not need all the variables I am pushing around here, but hopefully this gives you
by bmacphee - Nginx Mailing List - English