feat: access token & enhance endpoints (/login, /userinfo, /logout)

[shawnhankim]

Issue Item:

• https://github.com/nginxinc/nginx-openid-connect/pull/62

Description:

1. access token

• Enhance the NJS Code to capture the access_token sent by the IdP.
• Store the access_token in the k/v store as same as we store id_token and refresh_token

2. new endpoints

• Add /userinfo endpoint:

  • Add a map variable of $oidc_userinfo_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
  • Expose /userinfo endpoint here(openid_connect.server_conf) in a location block of NGINX Plus to interact with IdP's userinfo_endpoint which is defined in the endpoint ofwell-known/openid-configuration.
  • The nginx location block should proxy to the IdP’s userinfo_endpoint by adding access_token as a bearer token.

    Authorization : Bearer <access_token>

  • The response coming from IdP should be returned back to the caller as it is.

• Expose /login endpoint:

  • Expose the /login endpoint as a location block here (openid_connect.server_conf)
  • Proxy it to the IdP's authorization_endpoint configured in the map variable of $oidc_authz_endpoint in (openid_connect_configuration.conf).
  • This would outsource the login function to IdP as its configured.

• Enhance /logout endpoint:

  • Add a map variable of $oidc_end_session_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
  • Proxy it to the IdP's end_session_endpoint to finish the session by IdP.
  • Add a custom query params so that customers can add more parameters.

• Enhance /_logout endpoint:

  • Enhance /_logout endpoint which is a callback from IdP as a location block here (openid_connect.server_conf) to handle the following sequences.
    • 1. Redirected by IdP when IdP successfully finished the session.
    • 2. NGINX Plus: Clear session cookies.
    • 3. NGINX Plus: Redirect to either the landing page or the custom logout page by calling

3. add endpoints in configure.sh

• IdP's userinfo endpoint
• IdP's end session endpoint

Compatibility:

• This PR does not block the existing customers as it just adds endpoints and features.

[shawnhankim]

@route443 :

• Thanks for your review in detail for the PR. It was accidentally closed. The new commit has been submitted based on your review. I would appreciate it if you could review it and give me feedback when you get a chance.
• For your convenience, you can test this repo using https://github.com/nginx-openid-connect/nginx-oidc-examples/tree/main/001-oidc-local-test

[shawnhankim]

@route443:

• For you to easily manage this repo to reduce any concerns from the enhancements based on the reviews on the PR, I have divided a big PR into small PRs as the following example.
  • https://github.com/nginxinc/nginx-openid-connect/pull/71
  • https://github.com/nginxinc/nginx-openid-connect/pull/72
  • https://github.com/nginxinc/nginx-openid-connect/pull/74
  • https://github.com/nginxinc/nginx-openid-connect/pull/76

[shawnhankim]

I am closing this PR as it is divided into the following PRs:

• https://github.com/nginxinc/nginx-openid-connect/pull/71
• https://github.com/nginxinc/nginx-openid-connect/pull/72
• https://github.com/nginxinc/nginx-openid-connect/pull/74
• https://github.com/nginxinc/nginx-openid-connect/pull/76