Current NJS implementation disregard the access_token that is being sent by the IdP and only uses the id_token to get stored in the NGINX Plus K/V store.
Token Recommandation
When Using
Do
Don't
ID Token
- Assume the user is authenticated
- Call an API
- Get user profile data
- Check if the client is allowed to access something.
Access Token
- Call an API
- Inspect its content on the client
- Check if the client is allowed to access something
Current NJS implementation doesn’t have /login and /userinfo endpoints for client apps (SPA) to interact with.
Client Apps require /login function as part of relying party when a user clicks on login button from the landing page.
Client Apps require /userinfo function as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps.
The existing /logout function is required to extend the sign-off function on the IdP's end_session_endpoint. Afterwards the NGINX Plus' logout redirection URI (which is redirected by IdP after successful logout from IdP) can clear session cookies and redirect to the either original landing page or a custom logout page.
Acceptance Criteria:
Enhance the NJS Code to capture the access_token sent by the IdP.
Store the access_token in the k/v store as same as we store id_token and refresh_token
Add /userinfo endpoint:
Add a map variable of $oidc_userinfo_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
Expose /userinfo endpoint here(openid_connect.server_conf) in a location block of NGINX Plus to interact with IdP's userinfo_endpoint which is defined in the endpoint ofwell-known/openid-configuration.
The nginx location block should proxy to the IdP’s userinfo_endpoint by adding access_token as a bearer token.
Authorization : Bearer <access_token>
The response coming from IdP should be returned back to the caller as it is.
Expose /login endpoint:
Expose the /login endpoint as a location block here (openid_connect.server_conf)
Proxy it to the IdP's authorization_endpoint configured in the map variable of $oidc_authz_endpoint in (openid_connect_configuration.conf).
This would outsource the login function to IdP as its configured.
Expose /v2/logout endpoint:
Expose the /v2/logout endpoint as a location block here (openid_connect.server_conf)
Add a map variable of $oidc_end_session_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
Proxy it to the IdP's end_session_endpoint to finish the session by IdP.
Expose /v2/_logout endpoint:
Expose /v2/_logout endpoint which is a callback from IdP as a location block here (openid_connect.server_conf) to handle the following sequences.
Redirected by IdP when IdP successfully finished the session.
NGINX Plus: Clear session cookies.
NGINX Plus: Redirect to either the original landing page or the custom logout page by calling
Add a map of $post_logout_return_uri: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is original page based on the configuration of $redirect_base.
Compatibility:
This issue will not block the existing features as there would be no change of variables, and this is just to add features.
Exceptions:
The docs will be enhanced with a separate PR.
The demo as a quick start guide will be provided with a separate PR.
Background:
access_tokenthat is being sent by the IdP and only uses theid_tokento get stored in the NGINX Plus K/V store.Token Recommandation
courtesy: ID Token and Access Token: What's the Difference?
/loginand/userinfoendpoints for client apps (SPA) to interact with./loginfunction as part of relying party when a user clicks on login button from the landing page./userinfofunction as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps./logoutfunction is required to extend the sign-off function on the IdP'send_session_endpoint. Afterwards the NGINX Plus' logout redirection URI (which is redirected by IdP after successful logout from IdP) can clear session cookies and redirect to the either original landing page or a custom logout page.Acceptance Criteria:
Enhance the NJS Code to capture the
access_tokensent by the IdP.Store the
access_tokenin the k/v store as same as we storeid_tokenandrefresh_tokenAdd
/userinfoendpoint:$oidc_userinfo_endpointas same as authz and token endpoints here (openid_connect_configuration.conf) ./userinfoendpoint here(openid_connect.server_conf) in a location block of NGINX Plus to interact with IdP'suserinfo_endpointwhich is defined in the endpoint ofwell-known/openid-configuration.userinfo_endpointby addingaccess_tokenas a bearer token.Expose
/loginendpoint:/loginendpoint as a location block here (openid_connect.server_conf)authorization_endpointconfigured in the map variable of$oidc_authz_endpointin (openid_connect_configuration.conf).Expose
/v2/logoutendpoint:/v2/logoutendpoint as a location block here (openid_connect.server_conf)$oidc_end_session_endpointas same as authz and token endpoints here (openid_connect_configuration.conf) .end_session_endpointto finish the session by IdP.Expose
/v2/_logoutendpoint:/v2/_logoutendpoint which is a callback from IdP as a location block here (openid_connect.server_conf) to handle the following sequences.$post_logout_return_uri: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is original page based on the configuration of$redirect_base.Compatibility:
Exceptions: