oidc_frontend_backend.conf

# -----------------------------------------------------------------------------#
#                                                                              #
#               Sample Configuration: Frontend Site, Backend App               #
#                       (for Open ID Connect workflow)                         #
#                                                                              #
# -----------------------------------------------------------------------------#

# Custom log format to include the 'sub' claim in the REMOTE_USER field.
#
log_format oidc_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '"$http_x_forwarded_for"';

# Sample upstream server for the frontend site.
#
upstream my_frontend_site {
    zone my_frontend_site 64k;
    server 127.0.0.1:9091;
}

# Sample upstream server for the backend app.
#
upstream my_backend_app {
    zone my_backend_app 64k;
    server 127.0.0.1:9092;
}

# Sample frontend/api server - proxy with OIDC workflow.
#
server {
    # Enable when debugging is needed
    error_log  /var/log/nginx/error.log  debug; # Reduce severity level as required
    access_log /var/log/nginx/access.log main;

    listen 13000 ssl;
    server_name nginx.cognito.test;

    # Replace the following files with your certificate here
    ssl_certificate     /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    # OIDC workflow
    include conf.d/oidc_nginx_server.conf;  

    # Frontend Example:
    #  - Default landing page: no need OIDC workflow to show 'login' button.
    #  - The site can be protected with OIDC after calling /login endpoint.
    #
    location / {
        proxy_pass http://my_frontend_site;
        access_log /var/log/nginx/access.log oidc_jwt;
    }

    # Backend App Example:
    #  - This is protected by session management not to be accessed by other
    #    user-agent, client IP and ID when $session_validation_enable is true.
    #  - It can be additionally protected by using token(s) that is(are) received
    #    by IDP after successful login from the frontend based on OIDC workflow.
    #
    location /v1/api/example {
        auth_jwt "" token=$access_token;
        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri;      # Enable when using URL

        auth_request    /_session_validation;
        auth_request_set $session_status $upstream_status;
        error_page 403 = @session_error;

        proxy_set_header Authorization "Bearer $access_token";
        # proxy_set_header x-id-token  "$id_token"; # Enable when needed

        proxy_pass http://my_backend_app;
        access_log /var/log/nginx/access.log oidc_jwt;
    }
}

# vim: syntax=nginx