Thatcher dhrp

OAuth 2.0 Token Introspection with NGINX and njs

This configuration enables NGINX to validate an authentication token against an authorization server by using OAuth 2.0 Token Introspection (RFC 7662). This solution uses the auth_request module and the NGINX JavaScript module to require authentication and perform the token introspection request.

By default, the client's authentication token is expected as a bearer token supplied in the Authorization header. If supplied elsewhere in the HTTP request, the $access_token variable must be configured to specify where to obtain the token.

Token introspection requests are authenticated. By default, the $oauth_client_id and $oauth_client_secret variables are used to perform HTTP Basic authentication with the Authorization Server. If only the $oauth_client_secret variable is specified then that value is used


	-- CREATE read-only user when the user was created via the Google Cloud API (ie terraform)
	-- GOOGLE CLOUD by default give fairly broad permissions
	-- Prior reading https://stackoverflow.com/questions/13497352/error-permission-denied-for-relation-tablename-on-postgres-while-trying-a-selec
	-- https://www.digitalocean.com/docs/databases/postgresql/how-to/modify-user-privileges/
	REVOKE ALL ON DATABASE db FROM "dev-readonly";
	-- This next line is important
	REVOKE cloudsqlsuperuser FROM "dev-readonly";
	GRANT USAGE ON SCHEMA public TO "dev-readonly";
	ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO "dev-readonly";

	{
	"Description": "Template used to create the base network infrastructure for the Ethereum nodes",
	"Outputs": {
	"ALBSecurityGroup": {
	"Description": "Security group for ETH ALB",
	"Export": {
	"Name": {
	"Fn::Sub": "${AWS::StackName}-AlbSecurityGroup"
	}
	},