# OpenID Connect helper locations for NGINX Plus (njs + auth_jwt). This file is
# meant to be included into a server block; it defines no upstreams, caches or
# variables of its own. Everything below that starts with $oidc_* as well as
# $redirect_base, $redir_location, the `jwk` proxy_cache zone and the `oidc`
# js module is referenced here but declared elsewhere (presumably the
# including server/http config) -- confirm they are all set before enabling.
#
# NOTE(review): nothing in this file enables proxy_ssl_verify /
# proxy_ssl_trusted_certificate for the outbound IdP connections (NGINX's
# default is off). Confirm they are configured in the enclosing context;
# otherwise the client secret, authorization code and refresh token are sent
# to whatever answers for the IdP hostname without certificate validation.

# Advanced configuration START
set $internal_error_message "NGINX / OpenID Connect login failure\n"; # Fixed text returned by @oidc_error; no IdP detail is leaked
set $pkce_id ""; # Initialised empty; presumably filled by the js module when PKCE is in use -- confirm
# resolver 8.8.8.8; # For DNS lookup of IdP endpoints;
# NOTE(review): proxy_pass with a variable target (used in every IdP location
# below) resolves the hostname at request time and needs a resolver directive;
# presumably one is set elsewhere -- confirm. A public resolver such as
# 8.8.8.8 is unauthenticated DNS; an internal resolver is the safer choice.
subrequest_output_buffer_size 32k; # To fit a complete tokenset response (a larger response is truncated and fails to parse)
gunzip on; # Decompress IdP responses if necessary
# Advanced configuration END

location = /_jwks_uri {
    # Fetches the IdP's JWK Set (signing keys). `internal` keeps it out of reach
    # of clients; only NGINX itself (presumably auth_jwt via auth_jwt_key_request,
    # configured elsewhere) can call it.
    internal;
    proxy_cache jwk; # Cache the JWK Set received from IdP
    proxy_cache_valid 200 12h; # How long to consider keys "fresh"
    # NOTE(review): with a 12h TTL plus use_stale, a rotated or withdrawn key
    # stays trusted for up to 12h (longer while the IdP is unreachable);
    # shorten the TTL if fast key rotation matters in your deployment.
    proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
    proxy_ssl_server_name on; # For SNI to the IdP
    proxy_method GET; # In case client request was non-GET
    proxy_set_header Content-Length ""; # ''
    proxy_pass $oidc_jwt_keyfile; # Expecting to find a URI here
    proxy_ignore_headers Cache-Control Expires Set-Cookie; # Does not influence caching
}

location @do_oidc_flow {
    # Entry point of the login flow (typically reached via error_page/auth_jwt
    # failure in the protected location, outside this file). The js handler
    # builds the authorization request and redirects the browser to the IdP.
    status_zone "OIDC start";
    js_content oidc.auth;
    default_type text/plain; # In case we throw an error
}

#set $redir_location "/_codexch";
# $redir_location is referenced by the /_token body below, so it must be set by
# the including configuration; this commented line only documents the default.
location = /_codexch {
    # This location is called by the IdP after successful authentication.
    # It is deliberately NOT internal: the browser is redirected here with the
    # code and state parameters. Validation of state/nonce and the subsequent
    # subrequests to /_token and /_id_token_validation are presumably done in
    # oidc.codeExchange -- confirm in the js module.
    status_zone "OIDC code exchange";
    js_content oidc.codeExchange;
    error_page 500 502 504 @oidc_error;
}

location = /_token {
    # This location is called by oidc.codeExchange() (oidcCodeExchange in the
    # js module). We use the proxy_ directives
    # to construct the OpenID Connect token request, as per:
    # http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
    internal;
    proxy_ssl_server_name on; # For SNI to the IdP
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    # $args comes from the internal subrequest issued by the js module and is
    # expected to carry the authorization code. Unlike /_refresh, no
    # client_secret is added here; presumably the js module passes it (or a
    # PKCE code_verifier) in $args -- confirm against the js module.
    proxy_set_body "grant_type=authorization_code&client_id=$oidc_client&$args&redirect_uri=$redirect_base$redir_location";
    proxy_method POST;
    proxy_pass $oidc_token_endpoint;
}

location = /_refresh {
    # This location is called by oidc.auth() (oidcAuth in the js module) when
    # performing a token refresh. We use the proxy_ directives to construct the
    # OpenID Connect token request, as per:
    # https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
    # The refresh token arrives as the `token` query argument of the internal
    # subrequest; keep log_subrequest off (the default) so it is not written to
    # the access log.
    internal;
    proxy_ssl_server_name on; # For SNI to the IdP
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    proxy_set_body "grant_type=refresh_token&refresh_token=$arg_token&client_id=$oidc_client&client_secret=$oidc_client_secret";
    proxy_method POST;
    proxy_pass $oidc_token_endpoint;
}

location = /_id_token_validation {
    # This location is called by oidc.codeExchange() and the refresh path. We use
    # the auth_jwt_module to validate the OpenID Connect token response, as per:
    # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
    # auth_jwt here verifies the signature and time-based claims of the token
    # passed as `token`; the key source (auth_jwt_key_request / key file) is
    # not configured in this file. Issuer, audience and nonce checks are
    # presumably performed by oidc.validateIdToken -- confirm.
    internal;
    auth_jwt "" token=$arg_token;
    js_content oidc.validateIdToken;
    error_page 500 502 504 @oidc_error;
}

location = /logout {
    # Publicly reachable. Clears the session cookies and hands over to the js
    # handler (presumably a redirect to $oidc_logout_redirect -- confirm).
    # NOTE(review): a plain GET from any origin can trigger this, i.e. a
    # cross-site link can force a logout; consider whether that is acceptable.
    status_zone "OIDC logout";
    add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie
    add_header Set-Cookie "auth_redir=; $oidc_cookie_flags"; # Erase original cookie
    js_content oidc.logout;
}

location = /_logout {
    # This location is the default value of $oidc_logout_redirect (in case it wasn't configured)
    default_type text/plain;
    return 200 "Logged out\n";
}

location @oidc_error {
    # This location is called when oidc.auth() or oidc.codeExchange() returns an error.
    # Returns the fixed $internal_error_message as text/plain, so neither IdP
    # error details nor HTML-interpretable content reach the client.
    status_zone "OIDC error";
    default_type text/plain;
    return 500 $internal_error_message;
}

# location /api/ {
#     api write=on;
#     allow 127.0.0.1; # Only the NGINX host may call the NGINX Plus API
#     deny all;
#     access_log off;
# }

# vim: syntax=nginx