-
Notifications
You must be signed in to change notification settings - Fork 2
/
oidc_nginx_server.conf
182 lines (157 loc) · 8.26 KB
/
oidc_nginx_server.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
# -----------------------------------------------------------------------------#
# #
# NGINX Configuration for OpenID Connect #
# (within server block) | #
# | #
# server { | #
# : | #
# +------------------------------------+ | #
# | include "oidc_nginx_server.conf"; | <--+ #
# +------------------------------------+ #
# : #
# } #
# ---------------------------------------------------------------------------- #
# Advanced configuration START
set $internal_error_message "NGINX / OIDC login failure\n";
set $pkce_id "";
set $session_id "";
gunzip on; # Decompress IdP responses if necessary
subrequest_output_buffer_size 32k; # To fit a complete tokenset response
resolver 8.8.8.8; # For DNS lookup of IDP endpoint
# 127.0.0.11; # For local Docker DNS lookup
resolver_timeout 10s;
# Advanced configuration END
location = /_jwks_uri {
internal;
proxy_cache jwk; # Cache the JWK Set recieved from IdP
proxy_cache_valid 200 12h; # How long to consider keys "fresh"
proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
proxy_ssl_server_name on; # For SNI to the IdP
proxy_method GET; # In case client request was non-GET
proxy_set_header Content-Length ""; #
proxy_set_header Accept-Encoding $token_encoder;
proxy_pass $oidc_jwt_keyfile; # Expecting to find a URI here
proxy_ignore_headers Cache-Control Expires Set-Cookie; # Does not influence caching
}
location @do_oidc_flow {
status_zone "OIDC start";
js_content oidc.auth;
default_type text/plain; # In case we throw an error
}
set $redir_location "/_codexch";
location = /_codexch {
# This location is called by the IdP after successful authentication.
status_zone "OIDC code exchange";
js_content oidc.codeExchange;
error_page 500 502 504 @oidc_error;
}
location = /_token {
# This location is called by oidc.codeExchange(). We use the proxy_
# directives to construct the OIDC token request, as per:
# http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
internal;
proxy_ssl_server_name on; # For SNI to the IdP
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Accept-Encoding $token_encoder;
proxy_set_body "grant_type=authorization_code&client_id=$oidc_client&$args&redirect_uri=$redirect_base$redir_location";
proxy_method POST;
proxy_pass $oidc_token_endpoint$token_query_params;
}
location = /_refresh {
# This location is called by oidc.auth() when performing a token refresh.
# We use the proxy_ directives to construct the OIDC token request, as per:
# https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
internal;
proxy_ssl_server_name on; # For SNI to the IdP
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Accept-Encoding $token_encoder;
proxy_set_body "grant_type=refresh_token&refresh_token=$arg_token&client_id=$oidc_client&client_secret=$oidc_client_secret";
proxy_method POST;
proxy_pass $oidc_token_endpoint$token_query_params;
}
location = /_id_token_validation {
# This location is called by oidc.codeExchange() and oidc.refershToken().
# We use the auth_jwt module to validate the OIDC token response, as per:
# https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
internal;
auth_jwt "" token=$arg_token;
js_content oidc.validateIdToken;
error_page 500 502 504 @oidc_error;
}
location = /_access_token_validation {
# This location is called by oidcCodeExchange() and oidcRefreshRequest().
# We use the auth_jwt module to validate the OIDC token response, as per:
# https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
internal;
auth_jwt "" token=$arg_token;
js_content oidc.validateAccessToken;
error_page 500 502 504 @oidc_error;
}
location = /_session_validation {
# This location is called by any endpoint to check if a session is valid.
internal;
status_zone "session validation";
js_content oidc.validateSession;
}
location = /userinfo {
# This location is called by frontend to retrieve user info via the IDP.
auth_request /_session_validation;
auth_request_set $session_status $upstream_status;
error_page 403 = @session_error;
proxy_ssl_server_name on; # For SNI to the IdP
proxy_set_header Authorization "Bearer $access_token";
proxy_pass $oidc_userinfo_endpoint;
access_log /var/log/nginx/access.log oidc_jwt;
}
location = /login {
# This location is called by UI for logging-in IDP using OpenID Connect.
auth_jwt "" token=$id_token;
error_page 401 = @do_oidc_flow;
#auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
auth_jwt_key_request /_jwks_uri; # Enable when using URL
# Redirect to the the original URI of UI after successful login to IDP.
js_content oidc.redirectPostLogin;
access_log /var/log/nginx/access.log oidc_jwt;
}
location = /logout {
# This location is called by UI to handle OIDC logout with IDP as per:
# https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
status_zone "OIDC logout";
js_content oidc.logout;
}
location = /_logout {
# This location is a default value of $oidc_logout_redirect called by the
# IDP after closing user ssion in the IDP.
# Clean cookies
add_header Set-Cookie "session_id=; $oidc_cookie_flags"; # Send empty cookie
add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie
add_header Set-Cookie "auth_nonce=; $oidc_cookie_flags";
add_header Set-Cookie "client_id=; $oidc_cookie_flags";
# Redirect to either the original page or custom logout page.
js_content oidc.redirectPostLogout;
}
location @oidc_error {
# This location is called when oidc.auth() or oidc.codeExchange() returns an error.
status_zone "OIDC error";
default_type text/plain;
return 500 $internal_error_message;
}
location @session_error {
status_zone "OIDC error: session";
default_type application/json;
# Clean cookies
add_header Set-Cookie "session_id=; $oidc_cookie_flags"; # Send empty cookie
add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie
add_header Set-Cookie "auth_nonce=; $oidc_cookie_flags";
add_header Set-Cookie "client_id=; $oidc_cookie_flags";
set $session_status '{ "message" : "invalid session" }';
return 403 $session_status;
}
location /api/ {
api write=on;
# Uncomment to further restrict write permissions; see note above
# allow 127.0.0.1; # Only the NGINX host may call the NIGNX Plus API
# deny all;
# access_log off;
}
# vim: syntax=nginx