explore non-trivial nginx oauth settings #126
Labels
exploration
Something to explore
Comments
|
No matter how hard I tried, I couldn't make the 'elegant' solution work. I broke down and made a second ingress which works perfectly. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem
Frigate exposes a jpg image for the last-matched object using it's object detection model. It serves this via a URL like https://frigate.somedomain.com/porch/person/best.jpg. Ideally, automation will leverage this image to send a notification (e.g. using pushover via node-red via mqtt) when an object is detected.
Frigate has no built-in auth mechanism, and is (should be) protected via some auth system. In the case of this repo, this is oauth via auth0 via oath2-proxy via nginx annotations. Unfortunately, the nginx external auth applies to the entire ingress. Which means that the entire frigate endpoint is protected by oauth.
When pushing a reference to the image via a URL (like https://frigate.somedomain.com/porch/person/best.jpg), the client device will not render the image because it's walled-off via oauth.
For the purposes of this issue, we want to solve access to the image hosted directly via frigate and not some other approach like shunting the image to some other service.
Proposed solution
Inspired by this comment about keycloak and auth, I dug around any options within the existing nginx/oauth-proxy framework and came up with an idea which may work:
.jpgextension. See this exampleIf the above 'elegant' solution doesn't work, possible alternative would be to leverage multiple ingresses to achieve something similar.
Long Term
If/when I migrate to something like keycloak, this all may be easier to achieve. It could also be possible to just push the image to something like a publish S3 bucket and reference it via the bucket's URL in the push notification image reference.
The text was updated successfully, but these errors were encountered: