-
Notifications
You must be signed in to change notification settings - Fork 2
/
oidc_nginx_http.conf
128 lines (109 loc) · 6.56 KB
/
oidc_nginx_http.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# -----------------------------------------------------------------------------#
# #
# NGINX Configuration for OpenID Connect #
# (within http block) | #
# | #
# http { | #
# : | #
# +-----------------------------------+ | #
# | include "oidc_nginx_http.conf"; | <--+ #
# +-----------------------------------+ #
# : #
# server { #
# : #
# } #
# : #
# } #
# #
# - This file is to configure NGINX related info to handle OIDC workflow. #
# - Each map block allows multi values so that multiple IdPs can be supported. #
# - The $host variable is used as default input parameter but can be changed. #
# #
# ---------------------------------------------------------------------------- #
variables_hash_max_size 4096;
map $proto $oidc_cookie_flags {
http "Path=/; SameSite=lax;"; # For HTTP/plaintext test
https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation
}
map $http_x_forwarded_port $redirect_base {
"" $proto://$host:$server_port;
default $proto://$host:$http_x_forwarded_port;
}
map $http_x_forwarded_proto $proto {
"" $scheme;
default $http_x_forwarded_proto;
}
map $x_client_id $post_logout_return_uri {
# The following examples can be replaced with a custom logout page, or
# complete URL to be redirected after successful logout from the IdP.
# Example 1: Redirect to the original page.
default $redirect_base;
# Example 2: Redirect to a custom logout page
# default https://www.google.com;
}
map $x_client_id $return_token_to_client_on_login {
# This is to return token as a query param to the app after successful login.
# +------------+-----------------------------------------------------------+
# | options | example |
# +------------+-----------------------------------------------------------+
# | id_token | http://my-nginx.example.com/login?id_token=sdfsdfdsfs |
# | none or "" | http://my-nginx.example.com (no query param) |
# +------------+-----------------------------------------------------------+
default "";
}
map $x_client_id $session_validation_enable {
default 1; # 0: disable when testing APIs w/ session cookie on any client
}
map $x_client_id $session_id_time_enable {
default 0; # 1: timestamp(hh:mm) is included in session ID
}
map $x_client_id $client_id_validation_enable {
default 1; # 1: check if `client_id` is included in cookie when login
}
map $cookie_client_id $x_client_id {
default $cookie_client_id;
}
map $x_client_id $access_token_validation_enable {
#
# Auth0:
# - An access token is meant for an API and should be validated only by the
# API for which it was intended. If you receive an access token from an
# IdP, in general, you don't need to validate it. You can pass it to the
# issuing IdP and the IdP takes care of the rest.
# - audience needs to be added in query param for authZ endpoint request if
# you want to have claims in the access token.
# https://auth0.com/docs/secure/tokens/access-tokens/validate-access-tokens
#
# Okta: TODO when this is enabled.
# - option-1) local validation: minimum claims are validated as for now.
# - option-2) validate a token directly with Okta (introspection)
# https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/
#
default 0;
}
# ADVANCED CONFIGURATION BELOW THIS LINE
# Additional advanced configuration (server context) in oidc_nginx_server.conf
# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
# Key/Value store for ID token, access token and refresh token.
# Change timeout values to at least the validity period of each token type
keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json timeout=1h;
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
keyval_zone zone=oidc_refresh_tokens:1M state=/var/lib/nginx/state/oidc_refresh_tokens.json timeout=8h;
# Temporary storages.
keyval_zone zone=oidc_pkce:128K timeout=90s; # for PKCE code verifier
keyval_zone zone=oidc_nonce_hash:128K timeout=90s; # for NONCE
keyval_zone zone=oidc_token_query_params:128K timeout=90s; # for query params of token endpoint
keyval $cookie_session_id $id_token zone=oidc_id_tokens; # Exchange cookie for ID token
keyval $cookie_session_id $access_token zone=oidc_access_tokens; # Exchange cookie for access token
keyval $cookie_session_id $refresh_token zone=oidc_refresh_tokens; # Exchange cookie for refresh token
keyval $session_id $new_id_token zone=oidc_id_tokens; # For initial session creation for ID token
keyval $session_id $new_access_token zone=oidc_access_tokens; # For initial session creation for access token
keyval $session_id $new_refresh zone=oidc_refresh_tokens; # For initial session creation for refresh token
keyval $session_id $nonce_hash zone=oidc_nonce_hash; # For NONCE
keyval $session_id $token_query_params zone=oidc_token_query_params; # for query params of token endpoint
keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;
auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
js_import oidc from conf.d/oidc.js;
js_set $token_encoder oidc.tokenEncoder;
# vim: syntax=nginx