From 108564c33b8ba58013715097025a15e1e3e19717 Mon Sep 17 00:00:00 2001
From: Shawn Kim <shawnhan.kim@gmail.com>
Date: Wed, 21 Dec 2022 19:19:25 -0800
Subject: [PATCH] feat: add login endpoint

---
 frontend.conf                     | 14 ++++++++++++++
 openid_connect.js                 | 11 ++++++++++-
 openid_connect_configuration.conf |  9 +++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/frontend.conf b/frontend.conf
index d79f10d..b1ad329 100644
--- a/frontend.conf
+++ b/frontend.conf
@@ -31,6 +31,20 @@ server {
         
         access_log /var/log/nginx/access.log main_jwt;
     }
+
+    location = /login {
+        # This location can be called by SPA to start OIDC flow via login button
+        # when a SPA's landing page need to be started without OIDC flow.
+        auth_jwt "" token=$session_jwt;
+        error_page 401 = @do_oidc_flow;
+
+        auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+        #auth_jwt_key_request /_jwks_uri;    # Enable when using URL
+
+        # Redirect to the the landing page after successful login to AS.
+        js_content oidc.redirectPostLogin;
+        access_log /var/log/nginx/access.log main_jwt;
+    }
 }
 
 # vim: syntax=nginx
diff --git a/openid_connect.js b/openid_connect.js
index e4f2084..31fca81 100644
--- a/openid_connect.js
+++ b/openid_connect.js
@@ -5,7 +5,7 @@
  */
 var newSession = false; // Used by oidcAuth() and validateIdToken()
 
-export default {auth, codeExchange, validateIdToken, logout};
+export default {auth, codeExchange, validateIdToken, logout, redirectPostLogin};
 
 function retryOriginalRequest(r) {
     delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
@@ -253,6 +253,15 @@ function validateIdToken(r) {
     }
 }
 
+// Redirect URI after successful login from the OP.
+function redirectPostLogin(r) {
+    if (r.variables.oidc_landing_page) {
+        r.return(302, r.variables.oidc_landing_page);
+    } else {
+        r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
+    }
+}
+
 function logout(r) {
     r.log("OIDC logout for " + r.variables.cookie_auth_token);
     r.variables.session_jwt = "-";
diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
index e8a9759..06eac87 100644
--- a/openid_connect_configuration.conf
+++ b/openid_connect_configuration.conf
@@ -44,6 +44,15 @@ map $host $oidc_scopes {
     default "openid+profile+email+offline_access";
 }
 
+map $host $oidc_landing_page {
+    # Where to send browser after successful login. This option is only 
+    # recommended for scenarios where a landing page shows default information
+    # without login, and the RP redirects to the landing page after successful
+    # login from the OP. If this is empty, then the RP redirects to $request_uri.
+    default "";
+    #www.example.com $redirect_base;
+}
+
 map $host $oidc_logout_redirect {
     # Where to send browser after requesting /logout location. This can be
     # replaced with a custom logout page, or complete URL.