-
Notifications
You must be signed in to change notification settings - Fork 0
/
oidc_frontend_backend.conf
77 lines (64 loc) · 2.8 KB
/
oidc_frontend_backend.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# -----------------------------------------------------------------------------#
# #
# Sample Configuration: Frontend Site, Backend App #
# (for Open ID Connect workflow) #
# #
# -----------------------------------------------------------------------------#
# Custom log format to include the 'sub' claim in the REMOTE_USER field.
#
log_format oidc_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent" '
'"$http_x_forwarded_for"';
# Sample upstream server for the frontend site.
#
upstream my_frontend_site {
zone my_frontend_site 64k;
server 127.0.0.1:9091;
}
# Sample upstream server for the backend app.
#
upstream my_backend_app {
zone my_backend_app 64k;
server 127.0.0.1:9092;
}
# Sample frontend/api server - proxy with OIDC workflow.
#
server {
# Enable when debugging is needed
error_log /var/log/nginx/error.log debug; # Reduce severity level as required
access_log /var/log/nginx/access.log main;
listen 13000 ssl;
server_name nginx.cognito.test;
# Replace the following files with your certificate here
ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;
# OIDC workflow
include conf.d/oidc_nginx_server.conf;
# Frontend Example:
# - Default landing page: no need OIDC workflow to show 'login' button.
# - The site can be protected with OIDC after calling /login endpoint.
#
location / {
proxy_pass http://my_frontend_site;
access_log /var/log/nginx/access.log oidc_jwt;
}
# Backend App Example:
# - This is protected by session management not to be accessed by other
# user-agent, client IP and ID when $session_validation_enable is true.
# - It can be additionally protected by using token(s) that is(are) received
# by IDP after successful login from the frontend based on OIDC workflow.
#
location /v1/api/example {
auth_jwt "" token=$access_token;
#auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
auth_jwt_key_request /_jwks_uri; # Enable when using URL
auth_request /_session_validation;
auth_request_set $session_status $upstream_status;
error_page 403 = @session_error;
proxy_set_header Authorization "Bearer $access_token";
# proxy_set_header x-id-token "$id_token"; # Enable when needed
proxy_pass http://my_backend_app;
access_log /var/log/nginx/access.log oidc_jwt;
}
}
# vim: syntax=nginx