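# Advanced configuration START
# Fixed body returned by @oidc_error; deliberately says nothing about why login failed.
set $internal_error_message "NGINX / OpenID Connect login failure\n";
set $pkce_id ""; # Empty here; presumably filled in by the JS (oidc.auth) when PKCE is used - verify
# NOTE(review): 8.8.8.8 is a public resolver reached over plain UDP/53 from this host.
# The IdP hostnames behind $oidc_jwt_keyfile / $oidc_token_endpoint / $oidc_userinfo_endpoint
# are resolved through it, so a trusted internal resolver is preferable. With TLS
# verification enabled below, a spoofed answer can only cause an outage, not a key
# or token substitution.
resolver 8.8.8.8; # For DNS lookup of IdP endpoints
# Verify the IdP's TLS certificate on every request proxied to it (/_jwks_uri, /_token,
# /_refresh, /userinfo). nginx defaults to proxy_ssl_verify off, which would let an
# on-path attacker serve a substitute JWK Set (forged ID tokens would then validate)
# or read the client secret, refresh token and access token this server sends.
# The bundle must contain the CA(s) that issue the IdP's certificate; the path below
# is the Debian/Ubuntu system bundle - adjust for your platform.
proxy_ssl_verify on;
proxy_ssl_verify_depth 2; # Allow for an intermediate CA in the IdP's chain
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
subrequest_output_buffer_size 32k; # To fit a complete tokenset response
gunzip on; # Decompress IdP responses if necessary
# Advanced configuration END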
location = /_jwks_uri {
    # Fetches the IdP's JWK Set for auth_jwt_key_request. Reachable only via
    # subrequests (internal), never directly by a client.
    internal;
    proxy_pass $oidc_jwt_keyfile; # Must hold a URL here (a local file would use auth_jwt_key_file instead)
    proxy_ssl_server_name on; # Send SNI so the IdP presents the right certificate
    # NOTE(review): nginx verifies the IdP's certificate only if proxy_ssl_verify is on
    # (default off); an unverified peer could hand back a substitute key set.
    # Always a bodiless GET, whatever method the originating client request used
    proxy_method GET;
    proxy_set_header Content-Length "";
    proxy_set_header Accept-Encoding "gzip"; # Required for Auth0
    # Key cache: a 200 response counts as fresh for 12h, and a stale set is served
    # while a refresh is in progress or when the IdP cannot be reached. The IdP's own
    # caching headers (and any cookie it sets) are ignored so they cannot alter this.
    proxy_cache jwk;
    proxy_cache_valid 200 12h;
    proxy_cache_use_stale error timeout updating;
    proxy_ignore_headers Cache-Control Expires Set-Cookie;
}
location @do_oidc_flow {
    # Named location reached from /login via error_page 401: runs the JS that
    # starts the OpenID Connect authorization flow.
    status_zone "OIDC start";
    default_type text/plain; # Only matters when the JS returns an error body
    js_content oidc.auth;
}
# Path of the code-exchange callback; /_token appends it to $redirect_base to form
# the redirect_uri in the token request. Presumably it must match the redirect URI
# registered with the IdP for $oidc_client - verify against the IdP configuration.
set $redir_location "/_codexch";
location = /_codexch {
    # Redirect target the IdP sends the browser to after authentication (see
    # $redir_location). The JS redeems the authorization code via /_token.
    status_zone "OIDC code exchange";
    error_page 500 502 504 @oidc_error; # Hide failure details behind the generic error page
    js_content oidc.codeExchange;
}
location = /_token {
    # Internal subrequest target used by oidc.codeExchange to redeem the
    # authorization code. The proxy_ directives assemble a Token Request, as per:
    # http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
    internal;
    proxy_pass $oidc_token_endpoint;
    proxy_ssl_server_name on; # SNI to the IdP
    # NOTE(review): the IdP's certificate is verified only if proxy_ssl_verify is on
    # (nginx default: off); otherwise the code and whatever the JS places in $args
    # (presumably client credentials or a PKCE verifier - confirm) reach an
    # unauthenticated peer.
    proxy_method POST;
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    proxy_set_header Accept-Encoding "gzip"; # Required for Auth0
    # $args is whatever the JS passed on the subrequest; redirect_uri has to equal
    # the value used in the authorization request ($redirect_base$redir_location).
    proxy_set_body "grant_type=authorization_code&client_id=$oidc_client&$args&redirect_uri=$redirect_base$redir_location";
}
location = /_refresh {
    # Internal subrequest target used by oidc.auth to renew tokens. The proxy_
    # directives assemble a refresh request, as per:
    # https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
    internal;
    proxy_pass $oidc_token_endpoint;
    proxy_ssl_server_name on; # SNI to the IdP
    # NOTE(review): the client secret and refresh token below are sent to the IdP;
    # its certificate is verified only if proxy_ssl_verify is on (nginx default: off).
    # NOTE(review): the refresh token arrives as ?token= on the subrequest; confirm
    # that subrequest URIs are not written to any access or error log.
    proxy_method POST;
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    proxy_set_header Accept-Encoding "gzip"; # Required for Auth0
    proxy_set_body "grant_type=refresh_token&refresh_token=$arg_token&client_id=$oidc_client&client_secret=$oidc_client_secret";
}
location = /_id_token_validation {
    # Internal subrequest target used after the code exchange and after a refresh.
    # auth_jwt checks the ID token passed as ?token=..., then the JS checks the
    # remaining claims, as per:
    # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
    # NOTE(review): no auth_jwt_key_file / auth_jwt_key_request is set in this
    # location, so the keys must come from an enclosing context - confirm one is
    # configured, otherwise every validation here fails closed.
    internal;
    auth_jwt "" token=$arg_token;
    error_page 500 502 504 @oidc_error; # Hide failure details behind the generic error page
    js_content oidc.validateIdToken;
}
location = /userinfo {
    # Client-facing proxy to the IdP's UserInfo endpoint. The caller must hold a
    # valid session JWT ($session_jwt, checked against the IdP's keys); the stored
    # access token is then attached to the upstream request.
    auth_jwt "" token=$session_jwt;
    auth_jwt_key_request /_jwks_uri; # Keys come from the IdP's JWKS URL
    proxy_pass $oidc_userinfo_endpoint;
    proxy_ssl_server_name on; # SNI to the IdP
    # NOTE(review): $access_token is sent to the IdP; its certificate is verified
    # only if proxy_ssl_verify is on (nginx default: off).
    proxy_set_header Authorization "Bearer $access_token";
    access_log /var/log/nginx/access.log oidc_jwt;
}
location = /login {
    # Entry point the UI calls to sign in. A valid session JWT falls through to the
    # post-login redirect; a missing or invalid one (401) starts the OIDC flow.
    auth_jwt "" token=$session_jwt;
    #auth_jwt_key_file $oidc_jwt_keyfile; # Alternative when $oidc_jwt_keyfile is a local file
    auth_jwt_key_request /_jwks_uri; # Keys fetched (and cached) from the IdP's JWKS URL
    error_page 401 = @do_oidc_flow;
    js_content oidc.redirectPostLogin; # Send the user back to the URI they started from
    access_log /var/log/nginx/access.log oidc_jwt;
}
#location = /logout {
# status_zone "OIDC logout";
# add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie
# add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie
# js_content oidc.logout;
#}
location = /logout {
    # UI-initiated sign-out: the JS performs RP-initiated logout with the IdP, as per:
    # https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
    # The IdP then returns the browser to $oidc_logout_redirect (default: /_logout).
    status_zone "OIDC logout";
    js_content oidc.logout;
}
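location = /_logout {
    # Default value of $oidc_logout_redirect: the IdP sends the browser here after
    # the RP-initiated logout (/logout) has ended the user's IdP session.
    # NOTE(review): this location is unauthenticated by design (the IdP redirect
    # carries no session), so anyone who can make the browser request it can clear
    # these cookies; that only signs the user out, it exposes nothing.
    #
    # Remove the session and flow cookies. Max-Age=0 makes the browser delete each
    # cookie outright; an empty value on its own only leaves an empty session cookie
    # behind. "always" emits the headers whatever status the JS responds with.
    add_header Set-Cookie "session_id=; Max-Age=0; $oidc_cookie_flags" always;
    add_header Set-Cookie "auth_redir=; Max-Age=0; $oidc_cookie_flags" always;
    add_header Set-Cookie "auth_nonce=; Max-Age=0; $oidc_cookie_flags" always;
    add_header Set-Cookie "client_id=; Max-Age=0; $oidc_cookie_flags" always;
    # Choose one response below, or replace it with a custom logout page / full URL.
    # Option 1 (active): redirect to the original page via $post_logout_return_uri.
    js_content oidc.redirectPostLogout;
    # Option 2: built-in, plain-text logout page
    # default_type text/plain;
    # return 200 "Logged out\n";
    # Option 3: custom logout page
    # proxy_pass http://my_frontend_site/logout;
}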
#location = /_logout {
# # This location is the default value of $oidc_logout_redirect (in case it wasn't configured)
# default_type text/plain;
# return 200 "Logged out\n";
#}
location @oidc_error {
    # Generic failure response for the OIDC locations (reached via error_page, and
    # when the JS reports an error). The body is the fixed $internal_error_message,
    # so no IdP or token details reach the client.
    status_zone "OIDC error";
    default_type text/plain;
    return 500 $internal_error_message;
}
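location /api/ {
    # NGINX Plus REST API with write access (it can alter upstreams and, if keyval
    # zones back $session_jwt / $access_token, the session store), so it is limited
    # to clients on this host.
    api write=on;
    allow 127.0.0.1;
    allow ::1; # IPv6 loopback - without it a local client connecting over [::1] is refused
    deny all;
    # NOTE(review): allow/deny match $remote_addr. If set_real_ip_from / real_ip_header
    # are configured elsewhere, that address can originate from a request header, so
    # make sure no untrusted proxy can satisfy the loopback check.
    # NOTE(review): access_log off also removes the audit trail for write requests;
    # consider a dedicated log if changes need to be attributable.
    access_log off;
}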
# vim: syntax=nginx