Add OIDC landing page and login endpoint
shawnhankim committed Dec 30, 2022
1 parent 6ad8ec6 commit fe88c96
Showing 3 changed files with 29 additions and 2 deletions.
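--- a/openid_connect.js
+++ b/openid_connect.js
@@ -5,7 +5,7 @@
  */
 var newSession = false; // Used by oidcAuth() and validateIdToken()
 
-export default {auth, codeExchange, validateIdToken, logout};
+export default {auth, codeExchange, validateIdToken, logout, redirectPostLogin};
 
 function retryOriginalRequest(r) {
 delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
@@ -188,7 +188,7 @@ function codeExchange(r) {
 r.log("OIDC success, creating session " + r.variables.request_id);
 r.variables.new_session = tokenset.id_token; // Create key-value store entry
 r.headersOut["Set-Cookie"] = "auth_token=" + r.variables.request_id + "; " + r.variables.oidc_cookie_flags;
-r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
+redirectPostLogin();
 }
 );
 } catch (e) {
@@ -253,6 +253,15 @@ function validateIdToken(r) {
 }
 }
 
+// Redirect URI after successful login from the OP.
+function redirectPostLogin(r) {
+if (r.variables.oidc_landing_page) {
+r.return(302, r.variables.oidc_landing_page);
+} else {
+r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
+}
+}
+
 function logout(r) {
 r.log("OIDC logout for " + r.variables.cookie_auth_token);
 r.variables.session_jwt = "-";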
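Review bot: The replacement line `redirectPostLogin();` in the codeExchange hunk passes no request object, while the new function declared as `redirectPostLogin(r)` immediately dereferences `r.variables`, so the successful-login path now throws on an undefined `r` and the 302 after code exchange is never sent. The call should be `redirectPostLogin(r);`. The header comment on the new function reads as if it documents a value rather than an action; `// Send the 302 after a successful login: to $oidc_landing_page when configured, else to the URI saved in the auth_redir cookie.` would state what the two branches do. codeExchange's body starts and ends outside the hunk.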
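--- a/openid_connect.server_conf
+++ b/openid_connect.server_conf
@@ -66,6 +66,17 @@
 error_page 500 502 504 @oidc_error;
 }
 
+location = /login {
+# This location can be called by SPA for scenarios where `/` location is
+# proxied to SPA landing page that doesn't need to be started with user
+# authentication, and a user clicks on login button to start OIDC flow.
+auth_jwt "" token=$session_jwt;
+error_page 401 = @do_oidc_flow;
+
+auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+#auth_jwt_key_request /_jwks_uri; # Enable when using URL
+}
+
 location = /logout {
 status_zone "OIDC logout";
 add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie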
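Review bot: The new `location = /login` only defines what happens when `auth_jwt` fails (`error_page 401 = @do_oidc_flow;`); there is no directive for the case where the session JWT is already valid, so a logged-in user who hits /login presumably falls through to nginx's default handler for that path instead of reaching the landing page. If the intent is that /login always ends at the landing page, something like `return 302 $redirect_base/;` (or the configured `$oidc_landing_page` when it is non-empty) inside the location would make the authenticated case explicit; if the fall-through is intended, a one-line comment saying so would save the next reader the same question. The sibling `location = /logout` carries `status_zone "OIDC logout";`, so the new location would be consistent with a `status_zone "OIDC login";` line as well.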
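--- a/openid_connect_configuration.conf
+++ b/openid_connect_configuration.conf
@@ -44,6 +44,13 @@ map $host $oidc_scopes {
 default "openid+profile+email+offline_access";
 }
 
+map $host $oidc_landing_page {
+# Where to send browser after successful login. If empty, redirects User
+# Agent to $request_uri.
+default "";
+#www.example.com $redirect_base;
+}
+
 map $host $oidc_logout_redirect {
 # Where to send browser after requesting /logout location. This can be
 # replaced with a custom logout page, or complete URL.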
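Review bot: The comment on the new `$oidc_landing_page` map says an empty value "redirects User Agent to $request_uri", but the fallback in `redirectPostLogin` in openid_connect.js is `r.variables.redirect_base + r.variables.cookie_auth_redir`, i.e. the URI stored in the auth_redir cookie, not `$request_uri` of the callback request. Suggested wording: `# Agent to $redirect_base$cookie_auth_redir (the URI saved when the flow started).` It would also help to state that the value is used verbatim as the 302 Location, so the example `$redirect_base` or any absolute URL/path is expected here rather than a relative path.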
