Hello!
I have a question about ngx_http_auth_request_module. The documentation says:
«The ngx_http_auth_request_module module (1.5.4+) implements client authorization based on the result of a subrequest. If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the subrequest is considered an error.»
What if the subquery returned 404? I have problems with this approach:
1. In some cases, to check access to a resource in a subquery, the existence of the resource itself is required. If there is no resource, it is impossible to check access. For example, if access is open only to resources owned by the current authorized user, or if access is open only to resources of a certain type. In such cases, the subquery can return:
   1. 403 - because access could not be verified, and by default access is denied;
   2. 404 - since the resource does not exist, we can return the fact of the absence of a resource even to an unauthorized user.
   I would like to return 404, so users will understand the error and we will not mislead them. But ngx_http_auth_request_module will return 500 to the user.
2. According to RFC 7231 (https://tools.ietf.org/html/rfc7231#section-6.5.3), even when the resource exists but there is no access, we can return 404. But ngx_http_auth_request_module will return 500 to the user.
It seems to me that it would be more convenient if ngx_http_auth_request_module, when receiving 404 from the subquery, would return 404 to the user. Why is this approach not used in ngx_http_auth_request_module?
Probably because 404 could mean that "/auth" doesn't exist. But I think this is controversial. "/auth" returns information not about itself, but about the resource that was passed in X-original-Uri. The 401 or 403 that "/auth" returns means that there is no access to the resource passed in X-original-Uri; it does not mean there is no access to "/auth". I think 404 can also be thought of like 401/403: 404 means that the resource passed in X-original-Uri does not exist. For the case when "/auth" itself does not exist, additional information could be returned in the response body.
Please tell me how else I can solve these problems (№1 and №2). What recommendations do you have for solving them? I found this example https://stackoverflow.com/questions/48787515/nginx-auth-request-unexpected-status-404, but it seems dubious to me.
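The following is an added illustration, not code from nginx or from the post above. It models the status mapping the quoted documentation describes (2xx allowed, 401/403 passed through, anything else treated as an error and surfaced as 500) and shows a sample /auth handler written to that contract: it decides existence and ownership for the URI carried in the header the post calls X-original-Uri (nginx's own documentation spells it X-Original-URI, set with `proxy_set_header X-Original-URI $request_uri;`) and reports a missing resource as 403 rather than 404, so nginx never turns the answer into a 500. The resource table, the `X-User` identity header and the function names are constructed assumptions for the example.

```python
"""Model of ngx_http_auth_request_module's handling of the /auth
subrequest status, plus a sample handler that emits only codes the
module maps cleanly.  Added example, not nginx code.  The mapping
follows the documentation quoted in the post; the data and the
X-User header are constructed for illustration."""

# Constructed sample data: resource URI -> owner (None means public).
RESOURCES = {
    "/docs/1": "alice",
    "/docs/2": "bob",
    "/public/readme": None,
}


def nginx_auth_request_result(subrequest_status: int) -> int:
    """Status the client sees for a given /auth subrequest status,
    per the module documentation: 2xx -> allowed (the original
    request proceeds, modelled here as 200), 401/403 -> the same
    code, anything else -> 500 because the module treats it as an
    error."""
    if 200 <= subrequest_status < 300:
        return 200
    if subrequest_status in (401, 403):
        return subrequest_status
    return 500


def naive_auth_handler(headers: dict, resources=RESOURCES) -> int:
    """Handler that reports a missing resource as 404.  Under the
    documented mapping nginx converts that 404 into a 500, which is
    the behaviour the post complains about."""
    user = headers.get("X-User")  # assumption: identity from a header
    uri = headers.get("X-Original-URI")
    if not user:
        return 401
    if uri not in resources:
        return 404
    owner = resources[uri]
    return 204 if owner is None or owner == user else 403


def auth_handler(headers: dict, resources=RESOURCES) -> int:
    """Handler written to the module's contract: a resource that does
    not exist is reported as 403 (access could not be verified), so
    the answer is passed through unchanged instead of becoming 500.
    Returning 403 for both 'missing' and 'not yours' also keeps an
    unauthorized caller from learning which URIs exist."""
    user = headers.get("X-User")  # assumption: identity from a header
    uri = headers.get("X-Original-URI")
    if not user:
        return 401
    if uri not in resources:
        return 403
    owner = resources[uri]
    return 204 if owner is None or owner == user else 403


def client_sees(handler, headers: dict) -> int:
    """End-to-end view: run the handler, then apply nginx's mapping."""
    return nginx_auth_request_result(handler(headers))


if __name__ == "__main__":
    missing = {"X-User": "alice", "X-Original-URI": "/docs/9"}
    print("naive handler ->", client_sees(naive_auth_handler, missing))  # 500
    print("contract handler ->", client_sees(auth_handler, missing))     # 403
```

Run stand-alone, the script shows the same request producing 500 through the naive handler and 403 through the one that respects the documented codes; the distinction between "missing" and "forbidden" is then something the application, not the auth subrequest, has to convey once the request is allowed through.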