-
Notifications
You must be signed in to change notification settings - Fork 0
/
openid_configuration.conf
executable file
·170 lines (134 loc) · 6.32 KB
/
openid_configuration.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
# NGINX Management Suite - OpenID Connect configuration
# Created for v. 2.0
# (c) NGINX, Inc. 2021
#
# Each map block allows multiple values so that multiple IdPs can be supported,
# the $host variable is used as the default input parameter but can be changed.
#
# Adapted from: https://github.com/nginxinc/nginx-openid-connect/blob/main/openid_connect_configuration.conf
#
# NOTE: This requires NGINX Plus with the NJS module installed and enabled
# NOTE: The entries below need to be updated with values relevant to your environment and IdP
#
# www.example.com is the Fully Qualified Domain Name of this server, e.g., nms.example.com
#
# For more information about configuration and troubleshooting OIDC,
# refer to the reference repository at https://github.com/nginxinc/nginx-openid-connect
variables_hash_max_size 4096;
map $host $oidc_authz_endpoint {
SERVER_FQDN OIDC_AUTH_ENDPOINT;
# default "https://login.microsoftonline.com/{tenant_key}/oauth2/v2.0/authorize";
default "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/auth";
}
map $host $oidc_token_endpoint {
SERVER_FQDN OIDC_TOKEN_ENDPOINT;
# default "https://login.microsoftonline.com/{tenant_key}/oauth2/v2.0/token";
default "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/token";
}
map $host $oidc_jwt_keyfile {
SERVER_FQDN OIDC_KEYS_ENDPOINT;
# default "https://login.microsoftonline.com/{tenant_key}/discovery/v2.0/keys";
default "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/certs";
}
map $host $oidc_userinfo_endpoint {
SERVER_FQDN OIDC_USERINFO_ENDPOINT;
# default "https://graph.microsoft.com/oidc/userinfo";
default "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/userinfo";
}
map $host $oidc_end_session_endpoint {
SERVER_FQDN OIDC_END_SESSION_ENDPOINT;
# default "https:/login.microsoftonline.com/{tenant_key}/oauth2/v2.0/logout";
default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/logout";
}
map $host $oidc_end_session_query_params {
# Each IdP may use different query params of the $oidc_end_session_endpoint.
# For example, Amazon Cognito requires 'logout_uri', and Auth0 requires
# 'returnTo' instead of 'post_logout_redirect_uri' in the query params.
default "post_logout_redirect_uri=$redirect_base/_logout&id_token_hint=$session_jwt";
#www.example.com "client_id=$oidc_client&logout_uri=$redirect_base/_logout";
}
# map $host $cookie_auth_redir {
# default "/ui/launchpad";
# }
map $host $oidc_client {
SERVER_FQDN OIDC_CLIENT_ID;
# replace with OIDC specific setting
default "my-client-id";
}
map $host $oidc_pkce_enable {
default 0;
}
map $host $oidc_client_secret {
SERVER_FQDN OIDC_CLIENT_SECRET;
# replace with OIDC specific setting
default "my-not-very-secret-client-secret";
}
map $host $oidc_scopes {
default "openid+profile+email+offline_access";
}
map $host $oidc_client_credentials_flow_enable {
# Both of Client Credentials Flow and AuthCode Flow are supported if enable.
# Client Credentials Flow is executed if bearer token is in the API request
# and this flag is enabled. Otherwise AuthCode Flow is executed.
default 1;
}
map $host $oidc_client_credentials_token_body {
SERVER_FQDN OIDC_CLIENT_CREDENTIALS_TOKEN_BODY;
# Custom extra body in the token endpoint for Client Credentials Flow
default "scope=$oidc_client/.default";
#www.example.com "audience=https://dev-abcdefg.us.auth0.com/api/v2/";
}
map $host $oidc_landing_page {
# Where to send browser after successful login. If empty, redirects User
# Agent to $request_uri.
default "$redirect_base";
#www.example.com $redirect_base;
}
map $host $oidc_logout_landing_page {
# Where to redirect browser after successful logout from the IdP.
default $redirect_base;
#www.example.com "$redirect_base/logout_page"; # Built-in, simple logout page
}
map $host $oidc_logout_redirect {
# Where to send browser after requesting /logout location. This can be
# replaced with a custom logout page, or complete URL.
default "/ui?logout=true"; # Built-in, simple logout page
}
map $host $oidc_hmac_key {
SERVER_FQDN OIDC_HMAC_KEY;
# This should be unique for every NGINX instance/cluster
default "ChangeMe";
}
map $proto $oidc_cookie_flags {
http "Path=/; SameSite=lax;"; # For HTTP/plaintext testing
https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation
}
map $http_x_forwarded_port $redirect_base {
"" $proto://$host:$server_port;
default $proto://$host:$http_x_forwarded_port;
}
map $http_x_forwarded_proto $proto {
"" $scheme;
default $http_x_forwarded_proto;
}
# ADVANCED CONFIGURATION BELOW THIS LINE
# Additional advanced configuration (server context) in openid_connect.conf
# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
# Change timeout values to at least the validity period of each token type
keyval_zone zone=oidc_id_tokens:1M state=/var/run/nms/nginx_oidc_id_tokens.json timeout=1h;
keyval_zone zone=oidc_access_tokens:1M state=/var/run/nms/nginx_oidc_access_tokens.json timeout=1h;
keyval_zone zone=refresh_tokens:1M state=/var/run/nms/nginx_refresh_tokens.json timeout=8h;
keyval_zone zone=oidc_pkce:128K timeout=90s; # Temporary storage for PKCE code verifier.
keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens; # Exchange cookie for JWT
keyval $cookie_auth_token $access_token zone=oidc_access_tokens; # Exchange cookie for access token
keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie for refresh token
keyval $request_id $new_session zone=oidc_id_tokens; # For initial session creation
keyval $request_id $new_access_token zone=oidc_access_tokens;
keyval $request_id $new_refresh zone=refresh_tokens; # ''
keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;
auth_jwt_claim_set $jwt_claim_groups groups; # For optional claim groups
auth_jwt_claim_set $jwt_claim_sub sub; # Subject unique identifier
auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
js_import oidc from /etc/nms/nginx/oidc/openid_connect.js;
# vim: syntax=nginx