Open b-rajesh opened 3 years ago
Hi @b-rajesh, sorry for the late response. As discussed back in July, I do not have any security concerns about disabling the JWT protection for the locations handling the authentication.
Did you do any testing with the suggested solution?
Hi
When I am trying to protect the server (instead of a location) with the OIDC RP reference implementation, the login flow is not kicking off. It works fine if we have the following defined in the location block, as mentioned in the reference implementation:

```nginx
error_page 401 = @do_oidc_flow;
auth_jwt "authz" token=$session_jwt;
auth_jwt_key_request /_jwks_uri; # Enable when using filename
```
Since the `auth_jwt` is defined in the server block, the named location is also being protected. I was directed to use `auth_jwt off;` in the openid_connect.server_conf.
Can we fix the openid_connect.server_conf to have the same? Though the reference implementation doesn't have this challenge, it would be helpful if anyone wanted to protect the whole server with the given config.
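
The layout discussed in this thread, as an added configuration sketch that is not part of the original posts or the project's own files: `auth_jwt` is set once at server level, and the locations that run the login flow opt out with `auth_jwt off;`. The listen port, upstream name, the `/_codexch` callback location and the `js_content` handler names are assumptions to check against the deployed `openid_connect.server_conf`.

```nginx
# frontend.conf (sketch): protect the whole server instead of a single location
server {
    listen 8010;                                  # assumption: listen port
    include conf.d/openid_connect.server_conf;    # OIDC RP locations

    # Set at server level, so every location in this server inherits them,
    # including the locations pulled in by the include above.
    error_page 401 = @do_oidc_flow;
    auth_jwt "authz" token=$session_jwt;
    auth_jwt_key_request /_jwks_uri;

    location / {
        proxy_pass http://my_backend;             # assumption: upstream name
    }
}

# openid_connect.server_conf (excerpt, sketch): these blocks sit inside the
# server above via the include. Only the locations that must work before a
# session JWT exists are opted out of the inherited check.
location @do_oidc_flow {
    auth_jwt off;                    # the 401 handler itself must not demand a JWT
    js_content oidc.auth;            # assumption: handler name
}

location = /_codexch {               # assumption: redirect URI used by the IdP
    auth_jwt off;                    # user arrives here with a code, no session yet
    js_content oidc.codeExchange;    # assumption: handler name
}

# Keep the opt-out narrow: a location that declares its own auth_jwt keeps it,
# and application locations should never carry "auth_jwt off;".
```

After a change like this, a request without a session cookie to any application path should be redirected to the IdP, while a request carrying an invalid or expired token should still be rejected rather than proxied.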