Support for nginx http_auth_request_module

[kewde]

Describe the solution you'd like
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
nginx can authenticate each request to your website with an external server or service. To perform authentication, NGINX makes an HTTP subrequest to an external server where the subrequest is verified. If the subrequest returns a 2xx response code, the access is allowed, if it returns 401 or 403, the access is denied. Such type of authentication allows implementing various authentication schemes, such as multifactor authentication, or allows implementing LDAP or OAuth authentication.

[aeneasr]

Ok, so you'd expect a 401/403 (probably 403) on the specific endpoint that checks for the permissioning?

[pecigonzalo]

This would be amazing, in general docs on how to use oathkeeper + keto or similar as an IAP to front a web NGINX would be great

I think the error is 401, https://httpstatuses.com/401.
403 is Forbidden:

If authentication credentials were provided in the request, the server considers them insufficient to grant access.

according to https://httpstatuses.com/403

[aeneasr]

Yes, 403 indicates valid authentication credentials but insufficient access rights. This is exactly the case here - Keto does not check authentication credentials for validity.

[pecigonzalo]

This is more in scope of oathkeeper right? I felt it was worth commenting here as there was a similar ticket in this project.