From a769f111c0a958a2e29d54d74fbf7bd88265d575 Mon Sep 17 00:00:00 2001 From: Shawn Kim Date: Wed, 21 Dec 2022 18:00:00 -0800 Subject: [PATCH] feat: added OIDC logout endpoint --- README.md | 149 ++++++++++++++++-------------- configure.sh | 4 +- openid_connect.js | 39 +++++++- openid_connect.server_conf | 20 +++- openid_connect_configuration.conf | 51 +++++++++- 5 files changed, 185 insertions(+), 78 deletions(-) diff --git a/README.md b/README.md index 2b3b006..28d736b 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,10 @@ This repository describes how to enable OpenID Connect integration for [NGINX Pl This implementation assumes the following environment: - * The identity provider (IdP) supports OpenID Connect 1.0 - * The authorization code flow is in use - * NGINX Plus is configured as a relying party - * The IdP knows NGINX Plus as a confidential client or a public client using PKCE +- The identity provider (IdP) supports OpenID Connect 1.0 +- The authorization code flow is in use +- NGINX Plus is configured as a relying party +- The IdP knows NGINX Plus as a confidential client or a public client using PKCE With this environment, both the client and NGINX Plus communicate directly with the IdP at different stages during the initial authentication event. 
@@ -36,7 +36,7 @@ If a [refresh token](https://openid.net/specs/openid-connect-core-1_0.html#Refre ### Logout -Requests made to the `/logout` location invalidate both the ID token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication. Note that the IdP may issue cookies such that an authenticated session still exists at the IdP. +Requests made to the `/logout` location invalidate both the ID token, access token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication. By interacting with `$oidc_logout_endpoint` which is the end session endpoint of IdP, the authenticated session is ended at the IdP. ### Multiple IdPs @@ -67,6 +67,7 @@ Finally, create a clone of the GitHub repository. All files can be copied to **/etc/nginx/conf.d** ### Non-standard directories + The GitHub repository contains [`include`](http://nginx.org/en/docs/ngx_core_module.html#include) files for NGINX configuration, and JavaScript code for token exchange and initial token validation. These files are referenced with a relative path (relative to /etc/nginx). If NGINX Plus is running from a non-standard location then copy the files from the GitHub repository to `/path/to/conf/conf.d` and use the `-p` flag to start NGINX with a prefix path that specifies the location where the configuration files are located. ```shell 
@@ -74,6 +75,7 @@ $ nginx -p /path/to/conf -c /path/to/conf/nginx.conf ``` ### Running in containers + This implementation is suitable for running in a container provided that the [base image](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-docker/) includes the NGINX JavaScript module. The GitHub repository is designed to facilitate testing with a container by binding the cloned repository to a mount volume on the container. ```shell 
@@ -82,20 +84,23 @@ $ docker run -d -p 8010:8010 -v $PWD:/etc/nginx/conf.d nginx-plus nginx -g 'daem ``` ### Running behind another proxy or load balancer + When NGINX Plus is deployed behind another proxy, the original protocol and port number are not available. NGINX Plus needs this information to construct the URIs it passes to the IdP and for redirects. By default NGINX Plus looks for the X-Forwarded-Proto and X-Forwarded-Port request headers to construct these URIs. ## Configuring your IdP - * Create an OpenID Connect client to represent your NGINX Plus instance - * Choose the **authorization code flow** - * Set the **redirect URI** to the address of your NGINX Plus instance (including the port number), with `/_codexch` as the path, e.g. `https://my-nginx.example.com:443/_codexch` - * Ensure NGINX Plus is configured as a confidential client (with a client secret) or a public client (with PKCE S256 enabled) - * Make a note of the `client ID` and `client secret` if set +- Create an OpenID Connect client to represent your NGINX Plus instance + + - Choose the **authorization code flow** + - Set the **redirect URI** to the address of your NGINX Plus instance (including the port number), with `/_codexch` as the path, e.g. `https://my-nginx.example.com:443/_codexch` + - Ensure NGINX Plus is configured as a confidential client (with a client secret) or a public client (with PKCE S256 enabled) + - Make a note of the `client ID` and `client secret` if set - * If your IdP supports OpenID Connect Discovery (usually at the URI `/.well-known/openid-configuration`) then use the `configure.sh` script to complete configuration. In this case you can skip the next section. 
Otherwise: - * Obtain the URL for `jwks_uri` or download the JWK file to your NGINX Plus instance - * Obtain the URL for the **authorization endpoint** - * Obtain the URL for the **token endpoint** +- If your IdP supports OpenID Connect Discovery (usually at the URI `/.well-known/openid-configuration`) then use the `configure.sh` script to complete configuration. In this case you can skip the next section. Otherwise: + - Obtain the URL for `jwks_uri` or download the JWK file to your NGINX Plus instance + - Obtain the URL for the **authorization endpoint** + - Obtain the URL for the **token endpoint** + - Obtain the URL for the **logout endpoint** ## Configuring NGINX Plus 
@@ -103,25 +108,30 @@ Configuration can typically be completed automatically by using the `configure.s Manual configuration involves reviewing the following files so that they match your IdP(s) configuration. - * **openid_connect_configuration.conf** - this contains the primary configuration for one or more IdPs in `map{}` blocks - * Modify all of the `map…$oidc_` blocks to match your IdP configuration - * Modify the URI defined in `map…$oidc_logout_redirect` to specify an unprotected resource to be displayed after requesting the `/logout` location - * Set a unique value for `$oidc_hmac_key` to ensure nonce values are unpredictable - * If NGINX Plus is deployed behind another proxy or load balancer, modify the `map…$redirect_base` and `map…$proto` blocks to define how to obtain the original protocol and port number. +- **openid_connect_configuration.conf** - this contains the primary configuration for one or more IdPs in `map{}` blocks + + - Modify all of the `map…$oidc_` blocks to match your IdP configuration + - Modify the RP's callback URI defined in `map…$oidc_logout_redirect` to be called by OP after ending session form the IdP after requesting the `/logout` location + - Modify the URI defined in `map...$post_logout_return_uri` which is either the landing page or custom logout page to be redirected after successful logout + - Set a unique value for `$oidc_hmac_key` to ensure nonce values are unpredictable + - If NGINX Plus is deployed behind another proxy or load balancer, modify the `map…$redirect_base` and `map…$proto` blocks to define how to obtain the original protocol and port number. 
+ +- **frontend.conf** - this is the reverse proxy configuration + + - Modify the upstream group to match your backend site or app + - Configure the preferred listen port and [enable SSL/TLS configuration](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/) + - Modify the severity level of the `error_log` directive to suit the deployment environment + - Comment/uncomment the `auth_jwt_key_file` or `auth_jwt_key_request` directives based on whether `$oidc_jwt_keyfile` is a file or URI, respectively - * **frontend.conf** - this is the reverse proxy configuration - * Modify the upstream group to match your backend site or app - * Configure the preferred listen port and [enable SSL/TLS configuration](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/) - * Modify the severity level of the `error_log` directive to suit the deployment environment - * Comment/uncomment the `auth_jwt_key_file` or `auth_jwt_key_request` directives based on whether `$oidc_jwt_keyfile` is a file or URI, respectively +- **openid_connect.server_conf** - this is the NGINX configuration for handling the various stages of OpenID Connect authorization code flow - * **openid_connect.server_conf** - this is the NGINX configuration for handling the various stages of OpenID Connect authorization code flow - * No changes are usually required here - * Modify the `resolver` directive to match a DNS server that is capable of resolving the IdP defined in `$oidc_token_endpoint` - * If using [`auth_jwt_key_request`](http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html#auth_jwt_key_request) to automatically fetch the JWK file from the IdP then modify the validity period and other caching options to suit your IdP + - No changes are usually required here + - Modify the `resolver` directive to match a DNS server that is capable of resolving the IdP defined in `$oidc_token_endpoint` + - If using 
[`auth_jwt_key_request`](http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html#auth_jwt_key_request) to automatically fetch the JWK file from the IdP then modify the validity period and other caching options to suit your IdP + - Disable a Built-in simple page, and enable `js_content oidc.redirectPostLogout()` in production in the `/_logout` location after testing IdP's logout callback. - * **openid_connect.js** - this is the JavaScript code for performing the authorization code exchange and nonce hashing - * No changes are required unless modifying the code exchange or validation process +- **openid_connect.js** - this is the JavaScript code for performing the authorization code exchange and nonce hashing + - No changes are required unless modifying the code exchange or validation process ### Configuring the Key-Value Store 
@@ -135,13 +145,13 @@ keyval_zone zone=oidc_pkce:128K timeout=90s; Each of the `keyval_zone` parameters are described below. - * **zone** - Specifies the name of the key-value store and how much memory to allocate for it. Each session will typically occupy 1-2KB, depending on the size of the tokens, so scale this value to exceed the number of unique users that may authenticate. +- **zone** - Specifies the name of the key-value store and how much memory to allocate for it. Each session will typically occupy 1-2KB, depending on the size of the tokens, so scale this value to exceed the number of unique users that may authenticate. - * **state** (optional) - Specifies where all of the ID Tokens in the key-value store are saved, so that sessions will persist across restart or reboot of the NGINX host. The NGINX Plus user account, typically **nginx**, must have write permission to the directory where the state file is stored. Consider creating a dedicated directory for this purpose. +- **state** (optional) - Specifies where all of the ID Tokens in the key-value store are saved, so that sessions will persist across restart or reboot of the NGINX host. The NGINX Plus user account, typically **nginx**, must have write permission to the directory where the state file is stored. Consider creating a dedicated directory for this purpose. - * **timeout** - Expired tokens are removed from the key-value store after the `timeout` value. This should be set to value slightly longer than the JWT validity period. JWT validation occurs on each request, and will fail when the expiry date (`exp` claim) has elapsed. If JWTs are issued without an `exp` claim then set `timeout` to the desired session duration. If JWTs are issued with a range of validity periods then set `timeout` to exceed the longest period. +- **timeout** - Expired tokens are removed from the key-value store after the `timeout` value. This should be set to value slightly longer than the JWT validity period. 
JWT validation occurs on each request, and will fail when the expiry date (`exp` claim) has elapsed. If JWTs are issued without an `exp` claim then set `timeout` to the desired session duration. If JWTs are issued with a range of validity periods then set `timeout` to exceed the longest period. - * **sync** (optional) - If deployed in a cluster, the key-value store may be synchronized across all instances in the cluster, so that all instances are able to create and validate authenticated sessions. Each instance must be configured to participate in state sharing with the [zone_sync module](http://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html) and by adding the `sync` parameter to the `keyval_zone` directives above. +- **sync** (optional) - If deployed in a cluster, the key-value store may be synchronized across all instances in the cluster, so that all instances are able to create and validate authenticated sessions. Each instance must be configured to participate in state sharing with the [zone_sync module](http://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html) and by adding the `sync` parameter to the `keyval_zone` directives above. ## Session Management 
@@ -171,17 +181,17 @@ $ curl -iX DELETE localhost:8010/api/6/http/keyvals/refresh_tokens The **openid_connect.server_conf** file defines several [`status_zone`](http://nginx.org/en/docs/http/ngx_http_api_module.html#status_zone) directives to collect metrics about OpenID Connect activity and errors. Separate metrics counters are recorded for: - * **OIDC start** - New sessions are counted here. See step 2 in Figure 2, above. Success is recorded as a 3xx response. +- **OIDC start** - New sessions are counted here. See step 2 in Figure 2, above. Success is recorded as a 3xx response. - * **OIDC code exchange** - Counters are incremented here when the browser returns to NGINX Plus after authentication. See steps 6-10 in Figure 2, above. Success is recorded as a 3xx response. +- **OIDC code exchange** - Counters are incremented here when the browser returns to NGINX Plus after authentication. See steps 6-10 in Figure 2, above. Success is recorded as a 3xx response. - * **OIDC logout** - Requests to the /logout URI are counted here. Success is recorded as a 3xx response. +- **OIDC logout** - Requests to the /logout URI are counted here. Success is recorded as a 3xx response. - * **OIDC error** - Counters are incremented here when errors in the code exchange process are actively detected. Typically there will be a corresponding error_log entry. +- **OIDC error** - Counters are incremented here when errors in the code exchange process are actively detected. Typically there will be a corresponding error_log entry. - To obtain the current set of metrics: +To obtain the current set of metrics: - ```shell +```shell $ curl localhost:8010/api/6/http/location_zones ``` 
@@ -191,33 +201,38 @@ In addition, the [NGINX Plus Dashboard](https://docs.nginx.com/nginx/admin-guide Any errors generated by the OpenID Connect flow are logged to the error log, `/var/log/nginx/error.log`. Check the contents of this file as it may include error responses received by the IdP. The level of detail recorded can be modified by adjusting the severity level of the `error_log` directive. - * **400 error from IdP** - * This is typically caused by incorrect configuration related to the client ID and client secret. - * Check the values of the `map…$oidc_client` and `map…$oidc_client_secret` variables against the IdP configuration. +- **400 error from IdP** + + - This is typically caused by incorrect configuration related to the client ID and client secret. + - Check the values of the `map…$oidc_client` and `map…$oidc_client_secret` variables against the IdP configuration. + +- **500 error from nginx after successful authentication** + - Check for `could not be resolved` and `empty JWK set while sending to client` messages in the error log. This is common when NGINX Plus cannot reach the IdP's `jwks_uri` endpoint. + - Check the `map…$oidc_jwt_keyfile` variable is correct. + - Check the `resolver` directive in **openid_connect.server_conf** is reachable from the NGINX Plus host. + - Check for `OIDC authorization code sent but token response is not JSON.` messages in the error log. This is common when NGINX Plus cannot decompress the IdP's response. Add the following configuration snippet to the `/_jwks_uri` and `/_token` locations to **openid_connect.server_conf**: - * **500 error from nginx after successful authentication** - * Check for `could not be resolved` and `empty JWK set while sending to client` messages in the error log. This is common when NGINX Plus cannot reach the IdP's `jwks_uri` endpoint. - * Check the `map…$oidc_jwt_keyfile` variable is correct. 
- * Check the `resolver` directive in **openid_connect.server_conf** is reachable from the NGINX Plus host. - * Check for `OIDC authorization code sent but token response is not JSON.` messages in the error log. This is common when NGINX Plus cannot decompress the IdP's response. Add the following configuration snippet to the `/_jwks_uri` and `/_token` locations to **openid_connect.server_conf**: ```nginx proxy_set_header Accept-Encoding "gzip"; ``` - * **Authentication is successful but browser shows too many redirects** - * This is typically because the JWT sent to the browser cannot be validated, resulting in 'authorization required' `401` response and starting the authentication process again. But the user is already authenticated so is redirected back to NGINX, hence the redirect loop. - * Avoid using `auth_jwt_require` directives in your configuration because this can also return a `401` which is indistinguishable from missing/expired JWT. - * Check the error log `/var/log/nginx/error.log` for JWT/JWK errors. - * Ensure that the JWK file (`map…$oidc_jwt_keyfile` variable) is correct and that the nginx user has permission to read it. +- **Authentication is successful but browser shows too many redirects** + + - This is typically because the JWT sent to the browser cannot be validated, resulting in 'authorization required' `401` response and starting the authentication process again. But the user is already authenticated so is redirected back to NGINX, hence the redirect loop. + - Avoid using `auth_jwt_require` directives in your configuration because this can also return a `401` which is indistinguishable from missing/expired JWT. + - Check the error log `/var/log/nginx/error.log` for JWT/JWK errors. + - Ensure that the JWK file (`map…$oidc_jwt_keyfile` variable) is correct and that the nginx user has permission to read it. 
+ +- **Logged out but next request does not require authentication** + + - This is typically caused by the IdP issuing its own session cookie(s) to the client. NGINX Plus sends the request to the IdP for authentication and the IdP immediately sends back a new authorization code because the session is still valid. + - Check your IdP configuration if this behavior is not desired. - * **Logged out but next request does not require authentication** - * This is typically caused by the IdP issuing its own session cookie(s) to the client. NGINX Plus sends the request to the IdP for authentication and the IdP immediately sends back a new authorization code because the session is still valid. - * Check your IdP configuration if this behavior is not desired. +- **Failed SSL/TLS handshake to IdP** + - Indicated by error log messages including `peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream`. + - This can occur when the IdP requires Server Name Indication (SNI) information as part of the TLS handshake. Additional configuration is required to satisfy this requirement. + - Edit **openid_connect.server_conf** and for each of the `/_jwks_uri`, `/_token`, and `/_refresh` locations, add the following configuration snippet: - * **Failed SSL/TLS handshake to IdP** - * Indicated by error log messages including `peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream`. - * This can occur when the IdP requires Server Name Indication (SNI) information as part of the TLS handshake. Additional configuration is required to satisfy this requirement. - * Edit **openid_connect.server_conf** and for each of the `/_jwks_uri`, `/_token`, and `/_refresh` locations, add the following configuration snippet: ```nginx proxy_set_header Host ; proxy_ssl_name ; 
@@ -229,10 +244,10 @@ This reference implementation for OpenID Connect is supported for NGINX Plus sub ## Changelog - * **R15** Initial release of OpenID Connect reference implementation - * **R16** Added support for opaque session tokens using key-value store - * **R17** Configuration now supports JSON Web Key (JWK) set to be obtained by URI - * **R18** Opaque session tokens now used by default. Added support for refresh tokens. Added `/logout` location. - * **R19** Minor bug fixes - * **R22** Separate configuration file, supports multiple IdPs. Configurable scopes and cookie flags. JavaScript is imported as an indepedent module with `js_import`. Container-friendly logging. Additional metrics for OIDC activity. - * **R23** PKCE support. Added support for deployments behind another proxy or load balancer. +- **R15** Initial release of OpenID Connect reference implementation +- **R16** Added support for opaque session tokens using key-value store +- **R17** Configuration now supports JSON Web Key (JWK) set to be obtained by URI +- **R18** Opaque session tokens now used by default. Added support for refresh tokens. Added `/logout` location. +- **R19** Minor bug fixes +- **R22** Separate configuration file, supports multiple IdPs. Configurable scopes and cookie flags. JavaScript is imported as an indepedent module with `js_import`. Container-friendly logging. Additional metrics for OIDC activity. +- **R23** PKCE support. Added support for deployments behind another proxy or load balancer. diff --git a/configure.sh b/configure.sh index 17e8920..a942838 100755 --- a/configure.sh +++ b/configure.sh 
@@ -120,7 +120,7 @@ fi # Build an intermediate configuration file # File format is: # -jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf +jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)\n$oidc_logout_endpoint \(.logout_endpoint)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf # Create a random value for HMAC key, adding to the intermediate configuration file echo "\$oidc_hmac_key `openssl rand -base64 18`" >> /tmp/${COMMAND}_$$_conf @@ -178,7 +178,7 @@ fi # Loop through each configuration variable echo "$COMMAND: NOTICE: Configuring $CONFDIR/openid_connect_configuration.conf" -for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do +for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_logout_endpoint \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do # Pull the configuration value from the intermediate file VALUE=`grep "^$OIDC_VAR " /tmp/${COMMAND}_$$_conf | cut -f2 -d' '` echo -n "$COMMAND: NOTICE: - $OIDC_VAR ..." diff --git a/openid_connect.js b/openid_connect.js index e4f2084..d764865 100644 --- a/openid_connect.js +++ b/openid_connect.js @@ -5,7 +5,10 @@ */ var newSession = false; // Used by oidcAuth() and validateIdToken() -export default {auth, codeExchange, validateIdToken, logout}; +const EXTRA_PARAMS = 1; +const REPLACE_PARAMS = 2; + +export default {auth, codeExchange, validateIdToken, logout, redirectPostLogout}; function retryOriginalRequest(r) { delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt 
@@ -253,11 +256,39 @@ function validateIdToken(r) { } } +// Default RP-Initiated or Custom Logout w/ OP. +// +// - An RP requests that the OP log out the end-user by redirecting the +// end-user's User Agent to the OP's Logout endpoint. +// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout +// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout +// function logout(r) { r.log("OIDC logout for " + r.variables.cookie_auth_token); - r.variables.session_jwt = "-"; - r.variables.refresh_token = "-"; - r.return(302, r.variables.oidc_logout_redirect); + var idToken = r.variables.session_jwt; + var queryParams = '?post_logout_redirect_uri=' + + r.variables.redirect_base + + r.variables.oidc_logout_redirect + + '&id_token_hint=' + idToken; + if (r.variables.oidc_logout_query_params_option == REPLACE_PARAMS) { + queryParams = '?' + r.variables.oidc_logout_query_params; + } else if (r.variables.oidc_logout_query_params_option == EXTRA_PARAMS) { + queryParams += '&' + r.variables.oidc_logout_query_params; + } + r.variables.request_id = '-'; + r.variables.session_jwt = '-'; + r.variables.access_token = '-'; + r.variables.refresh_token = '-'; + r.return(302, r.variables.oidc_logout_endpoint + queryParams); +} + +// Redirect URI after logged-out from the OP. +function redirectPostLogout(r) { + if (r.variables.post_logout_return_uri) { + r.return(302, r.variables.post_logout_return_uri); + } else { + r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir); + } } function getAuthZArgs(r) { diff --git a/openid_connect.server_conf b/openid_connect.server_conf index 13456d2..3d392aa 100644 --- a/openid_connect.server_conf +++ b/openid_connect.server_conf 
@@ -67,16 +67,30 @@ } location = /logout { + # RP-Initiated Logout to interact with $oidc_end_session_endpoint as per: + # https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout status_zone "OIDC logout"; - add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie - add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie js_content oidc.logout; } location = /_logout { - # This location is the default value of $oidc_logout_redirect (in case it wasn't configured) + # This location is a RP's callback URI that is the default value of + # $oidc_logout_redirect which is called by OP after successful logout. + + # Clean cookies + add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie + add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie + add_header Set-Cookie "auth_nonce=; $oidc_cookie_flags"; + + # Enable following directives, and disable the oidc.redirectPostLogout() + # if you want to test a Built-in simple logout page before production. default_type text/plain; return 200 "Logged out\n"; + + # Enable oidc.redirectPostLogout(), and disable the above built-in logout + # page if you want to redirect to either the landing page or custom + # logout page using the map of $post_logout_return_uri. + #js_content oidc.redirectPostLogout; } location @oidc_error { diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf index e8a9759..e603ff1 100644 --- a/openid_connect_configuration.conf +++ b/openid_connect_configuration.conf 
@@ -28,6 +28,27 @@ map $host $oidc_jwt_keyfile { default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs"; } +map $host $oidc_logout_endpoint { + default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/logout"; +} + +map $host $oidc_logout_query_params_option { + # 0: default query params for the RP-initiated logout + # 1: extra query params is added after the default query params + # 2: replace default query params with custom query params + default 0; +} + +map $host $oidc_logout_query_params { + # Each IdP may use different query params of the $oidc_logout_endpoint. For + # example, The Amazon Cognito requires `client_id` and `logout_uri`. The + # Auth0 requires `client_id` and `returnTo`. If the map value is empty, then + # `post_logout_redirect_uri` and `id_token_hint` are used as default query + # params for most of IdPs like AzureAD/Okta/Keycloak/OneLogin/PingIdentity. + default ""; + #www.example.com "client_id=$oidc_client&logout_uri=$redirect_base/_logout"; +} + map $host $oidc_client { default "my-client-id"; } 
@@ -44,12 +65,38 @@ map $host $oidc_scopes { default "openid+profile+email+offline_access"; } +map $host $oidc_landing_page { + # Where to send browser after successful login. This option is only + # recommended for scenarios where a landing page shows default information + # without login, and the RP redirects to the landing page after successful + # login from the OP. If this is empty, then the RP redirects to $request_uri. + default ""; + #www.example.com $redirect_base; +} + map $host $oidc_logout_redirect { - # Where to send browser after requesting /logout location. This can be - # replaced with a custom logout page, or complete URL. + # This is a RP's callback URI which is called by OP after successful logout. default "/_logout"; # Built-in, simple logout page } +map $host $post_logout_return_uri { + # Where to send browser after the RP requests /logout to the OP, and after + # the RP (/_logout) is called by the OP and cleans cookies. The following + # examples can be replaced with a custom logout page, or a complete URL. + # If this is empty, then the RP redirects to $request_uri. + + default ""; + + # Enable if you want to redirect to the landing page + # www.example.com $oidc_landing_page; + + # Enable and edit if you want to redirect to a custom logout page + #www.example.com $redirect_base/signout; + + # Enable and edit if you want to redirect to an another complete URL + #www.example.com https://www.nginx.com; +} + map $host $oidc_hmac_key { # This should be unique for every NGINX instance/cluster default "ChangeMe";
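Review bot: most of the README hunks (`@@ -12`, `@@ -135`, `@@ -171`, `@@ -229` and the bullet lists between them) only switch list markers from `*` to `-` and insert blank lines, which has nothing to do with the logout feature and buries the handful of real documentation changes inside 149 changed README lines; split the reformat into its own commit so the feature can be reviewed on its own.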
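Review bot: the rewritten Logout paragraph in README `@@ -36` now promises that "the authenticated session is ended at the IdP", but the troubleshooting entry "Logged out but next request does not require authentication" in `@@ -191` is left as it was and still explains the IdP session cookie surviving `/logout` with no mention of the new endpoint; update that entry to say it applies when `$oidc_logout_endpoint` is unset or the OP rejects the end-session request (for example because the post-logout redirect URI is not registered with it). Wording: "invalidate both the ID token, access token and refresh token" lists three items after "both", and the sentence "By interacting with `$oidc_logout_endpoint` which is the end session endpoint of IdP, the authenticated session is ended at the IdP" reads better as "The browser is then redirected to the IdP's end session endpoint (`$oidc_logout_endpoint`), which ends the session at the IdP as well."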
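Review bot: the IdP checklist in README `@@ -82` tells the admin to register `https://my-nginx.example.com:443/_codexch` as the redirect URI but says nothing about registering the post-logout redirect URI (`https://my-nginx.example.com:443/_logout` in the same example); RP-initiated logout requires the `post_logout_redirect_uri` value sent by `logout()` to have been registered with the OP beforehand, so without that step the new redirect is rejected at the IdP. Add a bullet next to the `/_codexch` one, and call the new discovery item "end session endpoint" (`end_session_endpoint` in `/.well-known/openid-configuration`) rather than "logout endpoint", since that is the name the admin has to look up.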
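Review bot: in README `@@ -103`, "after ending session form the IdP" should read "from", `map...$post_logout_return_uri` uses three dots where every other item in the list uses `…`, and the other maps this patch adds to openid_connect_configuration.conf (`$oidc_logout_endpoint`, `$oidc_logout_query_params_option`, `$oidc_logout_query_params`, `$oidc_landing_page`) are not listed here at all, although `$oidc_logout_endpoint` has to be set by hand whenever `configure.sh` is not used; add a bullet for each, in the same style as the `$oidc_hmac_key` one.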
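Review bot: the Changelog in README `@@ -229` is reformatted but gains no entry for this feature; add a line after **R23** recording RP-initiated logout via `$oidc_logout_endpoint` and the `/_logout` callback, the way the original `/logout` location was recorded under **R18**.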
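Review bot: the `jq` expression in configure.sh `@@ -120` reads `\(.logout_endpoint)`, but the OpenID Connect Discovery metadata key for the RP-initiated logout endpoint is `end_session_endpoint`; on every IdP that publishes it this writes `$oidc_logout_endpoint null` into the intermediate file, and the loop in `@@ -178` then copies a literal `null` URL into openid_connect_configuration.conf. Change it to `\(.end_session_endpoint)`, and because the key is optional in discovery documents, have the loop warn and leave the existing map value alone when the extracted value is empty or `null` instead of writing it through.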
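Review bot: in `logout()` (openid_connect.js `@@ -253`) the `post_logout_redirect_uri` and `id_token_hint` values are concatenated into the query string unencoded; `$redirect_base` + `$oidc_logout_redirect` is a full URL, and a custom `$oidc_logout_query_params` value can carry `&`, `?` or `#`, so wrap each value in `encodeURIComponent()` before appending, as the spec's own examples do. Guard the hint as well: when the `auth_token` cookie is missing or the session was already cleared, `r.variables.session_jwt` is empty or `-`, and the OP then receives `id_token_hint=-` and may refuse the logout; only append `&id_token_hint=` when a token is present. The line `r.variables.request_id = '-';` also looks misplaced: `$request_id` is nginx's built-in per-request identifier, not one of the keyval-backed session values cleared on the three lines that follow it; if a PKCE or other keyval entry is meant, name that variable, otherwise drop the line.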
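Review bot: openid_connect.server_conf `@@ -67` removes the two `add_header Set-Cookie` lines from `/logout` and moves cookie clearing to `/_logout`, so the browser's `auth_token` and `auth_redir` cookies now survive until the OP redirects back; if the OP never does (the post-logout redirect URI is not registered, the end-session request is rejected, or the user stops on the OP's confirmation page) the stale cookies stay in the browser. Keep the cookie-clearing `add_header` lines in `/logout` too (they apply to the 302 that `js_content oidc.logout` returns, exactly as before) and treat the clearing in `/_logout` as a second pass. The comment above `status_zone` also names `$oidc_end_session_endpoint`, while the variable this patch introduces in openid_connect_configuration.conf is `$oidc_logout_endpoint`; use one name.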
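Review bot: the commented Amazon Cognito example in `$oidc_logout_query_params` (openid_connect_configuration.conf `@@ -28`) hard-codes `$redirect_base/_logout` instead of `$redirect_base$oidc_logout_redirect`, so an operator who changes `$oidc_logout_redirect` gets a callback mismatch only on that IdP; use the variable. Since `logout()` emits this map value verbatim, the comment should also say that the value must already be URL-encoded, or the JS should encode it. Minor: the `0`/`1`/`2` values of `$oidc_logout_query_params_option` would be easier to read as named values, and "extra query params is added" should be "are added".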
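Review bot: `$oidc_landing_page` is added in openid_connect_configuration.conf `@@ -44` but nothing in this patch reads it: no hunk in openid_connect.js touches `codeExchange` or references the variable, and its only use is the commented-out `$post_logout_return_uri` example, so its comment promising a post-login redirect is not true yet; either wire it in here or leave it for the commit that does. The `$post_logout_return_uri` comment also says that when empty "the RP redirects to $request_uri", while `redirectPostLogout()` actually falls back to `$redirect_base` + `$cookie_auth_redir`, the protected URI saved before login, which immediately restarts authentication after a logout; align the comment with the code and consider defaulting to `$redirect_base` instead. Naming: every other map in this file carries the `oidc_` prefix, so `$oidc_post_logout_return_uri` would keep the convention.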