diff --git a/frontend.conf b/frontend.conf
index d79f10d..b1ad329 100644
--- a/frontend.conf
+++ b/frontend.conf
@@ -31,6 +31,20 @@ server {
 access_log /var/log/nginx/access.log main_jwt;
 }
+
+ location = /login {
+ # This location can be called by SPA to start OIDC flow via login button
+ # when a SPA's landing page need to be started without OIDC flow.
+ auth_jwt "" token=$session_jwt;
+ error_page 401 = @do_oidc_flow;
+
+ auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+ #auth_jwt_key_request /_jwks_uri; # Enable when using URL
+
+ # Redirect to the the landing page after successful login to AS.
+ js_content oidc.redirectPostLogin;
+ access_log /var/log/nginx/access.log main_jwt;
+ }
 }
 # vim: syntax=nginx
diff --git a/openid_connect.js b/openid_connect.js
index e4f2084..31fca81 100644
--- a/openid_connect.js
+++ b/openid_connect.js
@@ -5,7 +5,7 @@
 */
 var newSession = false; // Used by oidcAuth() and validateIdToken()
-export default {auth, codeExchange, validateIdToken, logout};
+export default {auth, codeExchange, validateIdToken, logout, redirectPostLogin};
 function retryOriginalRequest(r) {
 delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
@@ -253,6 +253,15 @@ function validateIdToken(r) {
 }
 }
+// Redirect URI after successful login from the OP.
+function redirectPostLogin(r) {
+ if (r.variables.oidc_landing_page) {
+ r.return(302, r.variables.oidc_landing_page);
+ } else {
+ r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
+ }
+}
+
 function logout(r) {
 r.log("OIDC logout for " + r.variables.cookie_auth_token);
 r.variables.session_jwt = "-";
diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
index e8a9759..06eac87 100644
--- a/openid_connect_configuration.conf
+++ b/openid_connect_configuration.conf
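Review bot: The comment above the new `js_content oidc.redirectPostLogin;` line in `location = /login` reads "Redirect to the the landing page after successful login to AS", which doubles "the" and describes only one of the two outcomes; the handler added in openid_connect.js falls back to `$redirect_base` joined with the `auth_redir` cookie whenever `$oidc_landing_page` is empty. Suggest `# After login completes, send the browser to $oidc_landing_page, or back to the URI saved in the auth_redir cookie when no landing page is configured.` The opening comment of the block also needs "needs" in "when a SPA's landing page need to be started without OIDC flow".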
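Review bot: `redirectPostLogin` builds its fallback Location from `r.variables.cookie_auth_redir`, a cookie the browser presents, and appends it to `r.variables.redirect_base` without checking its shape, so part of the post-login 302 target is chosen by whoever set that cookie. Accepting only a same-origin path from the cookie (a single leading `/`, not `//` or `/\`) and substituting `/` when the cookie is absent or malformed keeps the redirect inside the RP. If the code-exchange path elsewhere in this file derives its redirect from the same cookie, the same check belongs there; that code is outside the hunk so I cannot confirm it. An early `return` after the landing-page branch also lets the `else` go away.
```javascript
function redirectPostLogin(r) {
    if (r.variables.oidc_landing_page) {
        r.return(302, r.variables.oidc_landing_page);
        return;
    }
    // The cookie is client-supplied: accept only a same-origin path.
    var target = r.variables.cookie_auth_redir;
    if (!target || target.charAt(0) !== "/" || target.charAt(1) === "/" || target.charAt(1) === "\\") {
        target = "/";
    }
    r.return(302, r.variables.redirect_base + target);
}
```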
@@ -44,6 +44,15 @@ map $host $oidc_scopes {
 default "openid+profile+email+offline_access";
 }
+map $host $oidc_landing_page {
+ # Where to send browser after successful login. This option is only
+ # recommended for scenarios where a landing page shows default information
+ # without login, and the RP redirects to the landing page after successful
+ # login from the OP. If this is empty, then the RP redirects to $request_uri.
+ default "";
+ #www.example.com $redirect_base;
+}
+
 map $host $oidc_logout_redirect {
 # Where to send browser after requesting /logout location. This can be
 # replaced with a custom logout page, or complete URL.
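Review bot: The comment in the new `$oidc_landing_page` map states that when the value is empty "the RP redirects to $request_uri", but `redirectPostLogin` in openid_connect.js redirects to `$redirect_base` joined with the `auth_redir` cookie; unless that cookie always carries the original request URI, which this diff does not show, the two descriptions diverge. Suggest `# If this is empty, the RP redirects to $redirect_base plus the URI saved in the auth_redir cookie.` The commented example `#www.example.com $redirect_base;` sends the browser to the site root, so a sentence stating that the value may be a full URL would make the expected format explicit for operators.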