openid_connect.server_conf
# Advanced configuration START
# Settings shared by the OpenID Connect locations in this file.
# Generic body returned by @oidc_error. Kept deliberately vague: IdP/JS error
# details belong in the error log, not in the response to the client.
set $internal_error_message "NGINX / OpenID Connect login failure\n";
# Default PKCE identifier; expected to be populated by the JS handlers when PKCE
# is in use (that code is not in this file).
set $pkce_id "";
# NOTE(review): plain UDP DNS to a public resolver is unauthenticated. A spoofed
# answer for the IdP hostname only becomes exploitable if the HTTPS subrequests to
# the IdP do not verify its certificate (no proxy_ssl_verify directive is visible
# in this file; NGINX defaults it to off). Prefer a trusted/local resolver and
# consider the "valid=" and "ipv6=off" options, neither of which is set here.
resolver 8.8.8.8; # For DNS lookup of IdP endpoints
# An IdP response larger than this fails the subrequest; raise it if the IdP
# returns unusually large token sets.
subrequest_output_buffer_size 32k; # To fit a complete tokenset response
gunzip on; # Decompress IdP responses if necessary
# Advanced configuration END
location = /_jwks_uri {
# Fetches the IdP's JWK Set used to validate token signatures. Subrequest-only;
# the directive that points auth_jwt at this location (auth_jwt_key_request) is
# presumably configured outside this file.
internal;
# "jwk" must be declared with proxy_cache_path at http level (not in this file).
proxy_cache jwk; # Cache the JWK Set received from IdP
# Keys rotated by the IdP are picked up at most this late.
proxy_cache_valid 200 12h; # How long to consider keys "fresh"
# Keeps logins working during an IdP outage, at the cost of continuing to honour
# a key the IdP may have retired until it is reachable again.
proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
proxy_ssl_server_name on; # For SNI to the IdP
# NOTE(review): no proxy_ssl_verify here. Unless it is enabled at server/http
# scope, the key set that anchors all token trust is fetched without checking the
# IdP's TLS certificate (NGINX default is off). Recommend "proxy_ssl_verify on;"
# together with proxy_ssl_trusted_certificate pointing at the CA bundle that
# issued the IdP's certificate.
proxy_method GET; # In case client request was non-GET
proxy_set_header Content-Length ""; # Drop any body length carried over from the client request
proxy_pass $oidc_jwt_keyfile; # Expecting to find a URI here (variable defined outside this file)
proxy_ignore_headers Cache-Control Expires Set-Cookie; # IdP caching hints do not influence our cache lifetime
}
location @do_oidc_flow {
# Named location that starts the login flow via oidc.auth (expected to redirect
# the browser to the IdP). Not addressable by URI; it is presumably reached via
# error_page/try_files from the protected locations configured outside this file.
status_zone "OIDC start";
js_content oidc.auth;
default_type text/plain; # In case we throw an error
}
# Path the IdP redirects the browser back to after authentication. It must match
# the redirect_uri registered at the IdP (scheme and host are presumably added by
# the JS handler, which is not in this file).
set $redir_location "/_codexch";
location = /_codexch {
# This location is called by the IdP after successful authentication.
# Deliberately NOT "internal": the browser lands here carrying the IdP's query
# parameters, so everything oidc.codeExchange reads from this request is
# untrusted input.
status_zone "OIDC code exchange";
js_content oidc.codeExchange;
# Handler/upstream failures get the generic @oidc_error body; other statuses
# (e.g. 4xx set by the handler) pass through unchanged.
error_page 500 502 504 @oidc_error;
}
location = /_token {
# This location is called by oidcCodeExchange(). We use the proxy_ directives
# to construct the OpenID Connect token request, as per:
# http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
# Subrequest-only: the browser can never reach it directly.
internal;
# Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID).
# This also keeps the user's Cookie and other browser headers from being sent to the IdP.
proxy_pass_request_headers off;
proxy_ssl_server_name on; # For SNI to the IdP
# NOTE(review): no proxy_ssl_verify here. Unless it is enabled at server/http
# scope, the client credential below is sent to whatever host DNS resolved for the
# IdP without certificate validation (NGINX default is off).
proxy_set_header Content-Type "application/x-www-form-urlencoded";
# The Authorization value (presumably the client_secret_basic credential) is read
# from the "secret_basic" query argument of the subrequest, set by the JS caller.
# Keep log_subrequest at its default (off), or any log format that records
# $request/$args will write this secret to the access log.
proxy_set_header Authorization $arg_secret_basic;
proxy_pass $oidc_token_endpoint; # Token endpoint URI, defined outside this file
}
location = /_refresh {
# This location is called by oidcAuth() when performing a token refresh. We
# use the proxy_ directives to construct the OpenID Connect token request, as per:
# https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
# Subrequest-only: the browser can never reach it directly.
internal;
# Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID).
# This also keeps the user's Cookie and other browser headers from being sent to the IdP.
proxy_pass_request_headers off;
proxy_ssl_server_name on; # For SNI to the IdP
# NOTE(review): no proxy_ssl_verify here. Unless it is enabled at server/http
# scope, the client credential (and the refresh token in the body) go to whatever
# host DNS resolved for the IdP without certificate validation (NGINX default is off).
proxy_set_header Content-Type "application/x-www-form-urlencoded";
# The Authorization value (presumably the client_secret_basic credential) is read
# from the "secret_basic" query argument of the subrequest, set by the JS caller.
# Keep log_subrequest at its default (off), or any log format that records
# $request/$args will write this secret to the access log.
proxy_set_header Authorization $arg_secret_basic;
proxy_pass $oidc_token_endpoint; # Token endpoint URI, defined outside this file
}
location = /_id_token_validation {
# This location is called by oidcCodeExchange() and oidcRefreshRequest(). We use
# the auth_jwt_module to validate the OpenID Connect token response, as per:
# https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
# Subrequest-only.
internal;
# Signature and time-based (exp/nbf) check by auth_jwt on the token passed in the
# "token" query argument. The key source (auth_jwt_key_file / auth_jwt_key_request)
# is not set in this file and is presumably inherited from server scope. A failing
# check is answered with 401 before the JS handler runs.
auth_jwt "" token=$arg_token;
# Claim-level checks (nonce, iss, aud, ...) are expected in oidc.validateIdToken,
# which is not visible here; auth_jwt does not enforce them on its own unless
# auth_jwt_require is configured.
js_content oidc.validateIdToken;
error_page 500 502 504 @oidc_error;
}
location = /logout {
# Publicly reachable. Clears the session cookies and hands off to oidc.logout
# (presumably a redirect to the IdP's end-session endpoint; not visible here).
status_zone "OIDC logout";
# add_header is only applied to selected 2xx/3xx responses, so the cookies are
# cleared only when oidc.logout ends with such a status.
# NOTE(review): an empty value by itself does not delete a cookie; the browser
# keeps an empty-valued cookie until the expiry in $oidc_cookie_flags (defined
# outside this file) or session end. Unless those flags already carry
# Max-Age/Expires, add "Max-Age=0" to each of these three headers.
add_header Set-Cookie "auth_token=; $oidc_cookie_flags";
add_header Set-Cookie "auth_nonce=; $oidc_cookie_flags";
add_header Set-Cookie "auth_redir=; $oidc_cookie_flags";
# NOTE(review): a plain GET with no anti-CSRF token lets any site log the user
# out (logout CSRF). Low impact, but worth knowing when exposing this path.
js_content oidc.logout;
}
location = /_logout {
# This location is the default value of $oidc_logout_redirect (in case it wasn't configured).
# Static, world-readable confirmation page; carries no session state.
default_type text/plain;
return 200 "Logged out\n";
}
location @oidc_error {
# This location is called when oidcAuth() or oidcCodeExchange() returns an error
# (reached through the error_page directives on the OIDC locations).
status_zone "OIDC error"
default_type text/plain;
# Generic body only; the underlying cause stays in the error log, so nothing about
# the IdP exchange is disclosed to the client.
return 500 $internal_error_message;
}
location /api/ {
# NGINX Plus API in read-write mode: callers can modify runtime state (e.g.
# key-value zones, upstreams), not just read status.
api write=on;
# Order matters: the first matching rule wins. Only the IPv4 loopback is listed,
# so connections over ::1 are denied. allow/deny match the TCP peer address; if
# the realip module is enabled elsewhere, make sure only trusted proxies can
# rewrite it, or a forged header could satisfy this rule.
allow 127.0.0.1; # Only the NGINX host may call the NGINX Plus API
deny all;
# NOTE(review): with write=on, disabling the access log removes the only record
# of which local process changed runtime state. Consider logging this location
# (or write=off if write access is not needed).
access_log off;
}
# vim: syntax=nginx