Current NJS implementation disregard the access_token that is being sent by the IdP and only uses the id_token to get stored in the NGINX Plus K/V store.
Token Recommandation
When Using
Do
Don't
ID Token
- Assume the user is authenticated
- Call an API
- Get user profile data
- Check if the client is allowed to access something.
Access Token
- Call an API
- Inspect its content on the client
- Check if the client is allowed to access something
Current NJS implementation doesn’t have /login and /userinfo endpoints for client apps (SPA) to interact with.
Client Apps require /login function as part of relying party when a user clicks on login button from the landing page.
Client Apps require /userinfo function as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps.
The existing /logout function is required to extend the sign-off function on the IdP's end_session_endpoint. Afterwards the NGINX Plus' logout redirection URI (which is redirected by IdP after successful logout from IdP) can clear session cookies and redirect to the either original landing page or a custom logout page.
Acceptance Criteria:
Enhance the NJS Code to capture the access_token sent by the IdP.
Store the access_token in the k/v store as same as we store id_token and refresh_token
Add /userinfo endpoint:
Add a map variable of $oidc_userinfo_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
Expose /userinfo endpoint here(openid_connect.server_conf) in a location block of NGINX Plus to interact with IdP's userinfo_endpoint which is defined in the endpoint ofwell-known/openid-configuration.
The nginx location block should proxy to the IdP’s userinfo_endpoint by adding access_token as a bearer token.
Authorization : Bearer <access_token>
The response coming from IdP should be returned back to the caller as it is.
Expose /login endpoint:
Expose the /login endpoint as a location block here (openid_connect.server_conf)
Proxy it to the IdP's authorization_endpoint configured in the map variable of $oidc_authz_endpoint in (openid_connect_configuration.conf).
This would outsource the login function to IdP as its configured.
Expose /v2/logout endpoint:
Expose the /v2/logout endpoint as a location block here (openid_connect.server_conf)
Add a map variable of $oidc_end_session_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
Proxy it to the IdP's end_session_endpoint to finish the session by IdP.
Expose /v2/_logout endpoint:
Expose /v2/_logout endpoint which is a callback from IdP as a location block here (openid_connect.server_conf) to handle the following sequences.
Redirected by IdP when IdP successfully finished the session.
NGINX Plus: Clear session cookies.
NGINX Plus: Redirect to either the original landing page or the custom logout page by calling
Add a map of $post_logout_return_uri: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is original page based on the configuration of $redirect_base.
Compatibility:
This issue will not block the existing features as there would be no change of variables, and this is just to add features.
Exceptions:
The docs will be enhanced with a separate PR.
The demo as a quick start guide will be provided with a separate PR.
Background:
access_token
that is being sent by the IdP and only uses theid_token
to get stored in the NGINX Plus K/V store.Token Recommandation
courtesy: ID Token and Access Token: What's the Difference?
/login
and/userinfo
endpoints for client apps (SPA) to interact with./login
function as part of relying party when a user clicks on login button from the landing page./userinfo
function as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps./logout
function is required to extend the sign-off function on the IdP'send_session_endpoint
. Afterwards the NGINX Plus' logout redirection URI (which is redirected by IdP after successful logout from IdP) can clear session cookies and redirect to the either original landing page or a custom logout page.Acceptance Criteria:
Enhance the NJS Code to capture the
access_token
sent by the IdP.Store the
access_token
in the k/v store as same as we storeid_token
andrefresh_token
Add
/userinfo
endpoint:$oidc_userinfo_endpoint
as same as authz and token endpoints here (openid_connect_configuration.conf
) ./userinfo
endpoint here(openid_connect.server_conf
) in a location block of NGINX Plus to interact with IdP'suserinfo_endpoint
which is defined in the endpoint ofwell-known/openid-configuration
.userinfo_endpoint
by addingaccess_token
as a bearer token.Expose
/login
endpoint:/login
endpoint as a location block here (openid_connect.server_conf
)authorization_endpoint
configured in the map variable of$oidc_authz_endpoint
in (openid_connect_configuration.conf
).Expose
/v2/logout
endpoint:/v2/logout
endpoint as a location block here (openid_connect.server_conf
)$oidc_end_session_endpoint
as same as authz and token endpoints here (openid_connect_configuration.conf
) .end_session_endpoint
to finish the session by IdP.Expose
/v2/_logout
endpoint:/v2/_logout
endpoint which is a callback from IdP as a location block here (openid_connect.server_conf
) to handle the following sequences.$post_logout_return_uri
: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is original page based on the configuration of$redirect_base
.Compatibility:
Exceptions: