Restrict access to iframe only using JWT or alternative options

Hello, I’m new here and have an odd scenario.

I have OpenSearch as an AWS service, and I would like to make a dashboard available outside of OpenSearch. OpenSearch allows you to embed a dashboard in iframes and even provides the HTML to do so.

I created a simple Alpine-based nginx pod in my Kubernetes cluster and set up the proxy pass to allow access. The proxy handles the same-origin cookies and script blocks, among other things.

Currently, because the proxy is inside my Kubernetes cluster, I’m passing the login credentials in the header from the proxy to the AWS service.

This is all essentially working; I log in to the custom front end, click the dashboard, and the iframe loads the dashboard.

The issue: Of course, anyone can take the iframe URL and view it directly.

I’m looking for advice on the best solution.

  • No direct access to OpenSearch
  • No direct access to the dashboard via the proxy
  • Must log in through our interface
  • Ideally, the user should not have to log in to the dashboard separately inside the iframe

Both the web front end and the proxy are in the same domain.

Main website ingress DNS: web.mydomain.com
Proxy service ingress DNS: dashboard.mydomain.com

Thoughts:
Is there a way in Nginx to restrict access only to an iframe?

if !iframe return 404

if iframe and parent domain is web.mydomain.com return page

I know you can restrict an iframe to the same domain or a specific domain.

Content-Security-Policy: frame-ancestors 'self' https://web.mydomain.com;

This works, but does not prevent direct access.

Thoughts on using JWT
I have never tried or tested it, but I understand that you can configure Nginx with JWT.

If anyone has done this, what are your thoughts on this idea?

As part of the backend service, generate a signed 20-minute JWT and pass it to the proxy in the iframe parameters.

Nginx validates the JWT and passes the dashboard. The user could still break out of the iframe, but they could only do that for the 20 minutes the JWT is valid.

I am open to any suggestions or advice. I have access to all the components; the only restriction is that OpenSearch runs as an AWS service, not in a pod.

Thanks in advance.
Harry

Your idea obviously doesn’t work: the web server cannot determine whether it is in an iframe. For the security of the embedded page, you must prepare an authentication mechanism for it.

Perhaps you could consider using nginx’s auth_request feature (ngx_http_auth_request_module), which lets you send a subrequest to a specific endpoint and decide whether to continue allowing access based on that endpoint’s response.

If you want to support more complex authentication logic in nginx, you may need njs scripts, third-party nginx modules, or openresty lua scripts to implement it.


You can find some njs scripts that interact with JWTs in the nginx/njs-examples repo on GitHub (NGINX JavaScript examples). And if you really want to use NGINX with native support for JWTs, you could always check out NGINX Plus.
