diff --git a/README.md b/README.md index 969dcd7..c437f6a 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,10 @@ For more information on OpenID Connect and JWT validation with NGINX Plus, see [ If a [refresh token](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens) was received from the IdP then it is also stored in the key-value store. When validation of the ID Token fails (typically upon expiry) then NGINX Plus sends the refresh token to the IdP. If the user's session is still valid at the IdP then a new ID token is received, validated, and updated in the key-value store. The refresh process is seamless to the client. +### Userinfo Endpoint + +The [Userinfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) is an OAuth 2.0 protected resource that returns claims about the authenticated End-User. For User Agent To obtain the requested claims about the End-User, NGINX Plus makes a request to the `$oidc_userinfo_endpoint` using an access token as the example of `/foobar` location in the config file of `frontend.conf`. These claims are normally represented by a JSON object that contains a collection of name and value pairs for the claims. + ### Logout Requests made to the `/logout` location invalidate both the ID token, access token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication. Note that the IdP may issue cookies such that an authenticated session still exists at the IdP. @@ -102,6 +106,7 @@ When NGINX Plus is deployed behind another proxy, the original protocol and port * Obtain the URL for `jwks_uri` or download the JWK file to your NGINX Plus instance * Obtain the URL for the **authorization endpoint** * Obtain the URL for the **token endpoint** + * Obtain the URL for the **userinfo endpoint** ## Configuring NGINX Plus diff --git a/configure.sh b/configure.sh index 17e8920..743ea25 100755 --- a/configure.sh +++ b/configure.sh @@ -120,7 +120,7 @@ fi # Build an intermediate configuration file # File format is: # -jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf +jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)\n$oidc_userinfo_endpoint \(.userinfo_endpoint)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf # Create a random value for HMAC key, adding to the intermediate configuration file echo "\$oidc_hmac_key `openssl rand -base64 18`" >> /tmp/${COMMAND}_$$_conf @@ -178,7 +178,7 @@ fi # Loop through each configuration variable echo "$COMMAND: NOTICE: Configuring $CONFDIR/openid_connect_configuration.conf" -for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do +for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_userinfo_endpoint \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do # Pull the configuration value from the intermediate file VALUE=`grep "^$OIDC_VAR " /tmp/${COMMAND}_$$_conf | cut -f2 -d' '` echo -n "$COMMAND: NOTICE: - $OIDC_VAR ..." diff --git a/frontend.conf b/frontend.conf index 0f503fe..dc4464f 100644 --- a/frontend.conf +++ b/frontend.conf @@ -40,6 +40,17 @@ server { access_log /var/log/nginx/access.log main_jwt; } + + location = /foobar { + # This location is an example for User Agent to obtain requested claims + # about the End-User if necessary: + # - https://openid.net/specs/openid-connect-core-1_0.html#UserInfo + error_page 401 = @do_oidc_flow; + proxy_intercept_errors on; + proxy_ssl_server_name on; + proxy_set_header Authorization "Bearer $access_token"; + proxy_pass $oidc_userinfo_endpoint; + } } # vim: syntax=nginx diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf index 0aa69a4..15676a4 100644 --- a/openid_connect_configuration.conf +++ b/openid_connect_configuration.conf @@ -28,6 +28,10 @@ map $host $oidc_jwt_keyfile { default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs"; } +map $host $oidc_userinfo_endpoint { + default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo"; +} + map $host $oidc_client { default "my-client-id"; }