nginxinc
diff --git a/‎frontend.conf
Lines changed: 24 additions & 120 deletions b/‎frontend.conf
Lines changed: 24 additions & 120 deletions
diff --git a/‎openid_connect.js
Lines changed: 82 additions & 61 deletions b/‎openid_connect.js
Lines changed: 82 additions & 61 deletions
@@ -1,19 +1,6 @@
-# -----------------------------------------------------------------------------#
-#                                                                              #
-#        Sample Reverse Proxy Configuration: Frontend Site, Backend App        #
-#                       (for Open ID Connect workflow)                         #
-#                                                                              #
-# -----------------------------------------------------------------------------#
-
-# -----------------------------------------------------------------------------#
-#                                                                              #
-# 1. Basic Example: Landing page starts OIDC workflow w/o login/logout button. #
-#                                                                              #
-# -----------------------------------------------------------------------------#
-
-# This is the backend application we are protecting with OpenID Connect
+# This is the backend site/application we are protecting with OpenID Connect
 upstream my_backend {
-    zone my_backend 64k;
+    zone my_frontend_site 64k;
     server 10.0.0.1:80;
 }
 
@@ -28,122 +15,39 @@ server {
     error_log /var/log/nginx/error.log debug;  # Reduce severity level as required
 
     listen 8010; # Use SSL/TLS in production
-    
+
     location / {
-        # This site is protected with OpenID Connect
+        # This site can be either directly protected with OpenID Connect or
+        # shown with just a landing page without login.
+
+        # Disable when you need to show a default landing page before login.
         auth_jwt "" token=$session_jwt;
         error_page 401 = @do_oidc_flow;
+        auth_jwt_key_file $oidc_jwt_keyfile;  # Enable when using filename
+        #auth_jwt_key_request /_jwks_uri;     # Enable when using URL
 
-        auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
-        #auth_jwt_key_request /_jwks_uri; # Enable when using URL
-
-        # Successfully authenticated users are proxied to the backend,
-        # with 'sub' claim passed as HTTP header
-        proxy_set_header username $jwt_claim_sub;
-        proxy_pass http://my_backend; # The backend site/app
-        
-        access_log /var/log/nginx/access.log main_jwt;
-    }
-}
+        # Successfully authenticated users are proxied to the backend site/app
+        # with 'sub' claim passed as HTTP header. It is empty before login.
+        proxy_set_header userid $jwt_claim_sub;
 
-# -----------------------------------------------------------------------------#
-#                                                                              #
-# 2. Advanced Example: Landing page, login/logout button to handle OIDC kflow  #
-#                                                                              #
-#  - Landing page shows 'login' button                                         #
-#  - 'login' button calls `/login` endpoint to start OIDC flow by validating 
-#    'id_token' w/ IdP's JWK.  #
-#  - Landing page calls `/userinfo` to show user info using 'access_token`.    #
-#  - 'logout' button to be finished OIDC session by IdP.                       #
-#  - API authorization by validating `access_token` w/ IdP's JWK               #
-#                                                                              #
-# -----------------------------------------------------------------------------#
-
-#
-# Upstream server for proxing to the frontend site.
-# - Example of a bundle frontend app to locally test NGINX Plus OIDC workflow.
-#   https://github.com/nginx-openid-connect/nginx-oidc-examples/blob/main/001-oidc-local-test/docker/build-context/nginx/sample/proxy_server_frontend.conf
-#   This link is subject to change.
-# - Modify this configuration to match your frontend site.
-#
-upstream my_frontend_site {
-    zone my_frontend_site 64k;
-    server 127.0.0.1:9091;
-}
-
-#
-# Upstream sample for proxing to the backend API server.
-# - Example of a bundle backend app to locally test an API using access token.
-#   + https://github.com/nginx-openid-connect/nginx-oidc-examples/blob/main/001-oidc-local-test/docker/build-context/nginx/sample/proxy_server_backend.conf
-#   This link is subject to change.
-# - Modify this configuration to match your backend app.
-#
-upstream my_backend_app {
-    zone my_backend_app 64k;
-    server 127.0.0.1:9092;
-}
-
-#
-# Sample Frontend-site & backend-api-server for the OIDC workflow.
-#
-server {
-    # Enable when debugging is needed.
-    error_log  /var/log/nginx/error.log  debug; # Reduce severity level as required
-    access_log /var/log/nginx/access.log main;
-
-    # Replace the following server name with your host name.
-    #
-    # [Example: if you want to locally test OIDC in your laptop]
-    #  - Add '127.0.0.1 nginx.oidc.test` in your `/etc/hosts'.
-    #  - Use the command like 'make start'.
-    #  - Type 'https://nginx.oidc.test' in your browser.
-    #  - You will see the sample landing page and 'Sign In' button.
-    #
-    listen 8020; # Use SSL/TLS in production
-    server_name nginx.oidc.test;
-
-    # Replace the following files with your certificate.
-    ssl_certificate     /etc/ssl/nginx/nginx-repo.crt;
-    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;
-
-    # OIDC workflow
-    include conf.d/openid_connect.server_conf;  
+        # The 'access_token' is set in the OIDC flow. Otherwise, it is empty.
+        proxy_set_header Authorization "Bearer $access_token";
 
-    #
-    # Frontend example:
-    #
-    #  - Default landing page: no need OIDC workflow to show 'Sign In' button.
-    #  - The site is protected with OpenID Connect(OIDC) by calling the API 
-    #    endpoint of `/login` when users click 'login' button.
-    #
-    location / {
-        proxy_pass http://my_frontend_site;
+        proxy_pass http://my_backend; # The frontend landing page
         access_log /var/log/nginx/access.log main_jwt;
     }
 
-    #
-    # Backend API example to interact with proxied backend service:
-    #
-    #  - This API resource is protected by access token which is received by IdP
-    #    after successful signing-in among the frontend site, NGINX Plus and IdP.
-    #
-    #  - To ensure that client requests access the API securely, access token is
-    #    used for API authorization.
-    #    + Most of IdP generate an access token for API authorization of IdP's
-    #      endpoints (like /userinfo) as well as customer's endpoints.
-    #    + But Azure AD generate two types of access token for API authorization
-    #      of Microsoft graph API endpoints and customers' endpoints.
-    #    + Therefore, we recommend that you use $session_jwt for Azure AD and
-    #      $access_token for most of IdPs such as Cognito, Auth0, Keycloak, Okta,
-    #      OneLogin, Ping Identity, etc as for now.
-    #
-    location /v1/api/example {
-        auth_jwt "" token=$access_token;      # Use $session_jwt for Azure AD
-        auth_jwt_key_request /_jwks_uri;      # Enable when using URL
+    location = /login {
+        # This location can be called by SPA to start OIDC flow via login button
+        # after starting a landing page without login.
+        auth_jwt "" token=$session_jwt;
+        error_page 401 = @do_oidc_flow;
+
         #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+        auth_jwt_key_request /_jwks_uri;      # Enable when using URL
 
-        proxy_set_header Authorization "Bearer $access_token";
-        proxy_pass http://my_backend_app;
+        # Redirect to the the landing page after successful login to AS.
+        js_content oidc.redirectPostLogin;
         access_log /var/log/nginx/access.log main_jwt;
     }
 }
 
@@ -5,14 +5,17 @@
  */
 var newSession = false; // Used by oidcAuth() and validateIdToken()
 
+const EXTRA_PARAMS = 1;
+const REPLACE_PARAMS = 2;
+
 export default {
     auth,
     codeExchange,
     validateIdToken,
     logout,
-    v2logout,
     redirectPostLogin,
-    redirectPostLogout
+    redirectPostLogout,
+    userInfo
 };
 
 function retryOriginalRequest(r) {
@@ -112,7 +115,11 @@ function auth(r, afterSyncCheck) {
                         // ID Token is valid, update keyval
                         r.log("OIDC refresh success, updating id_token for " + r.variables.cookie_auth_token);
                         r.variables.session_jwt = tokenset.id_token; // Update key-value store
-                        r.variables.access_token = tokenset.access_token;
+                        if (tokenset.access_token) {
+                            r.variables.access_token = tokenset.access_token;
+                        } else {
+                            r.variables.access_token = "-";
+                        }
 
                         // Update refresh token (if we got a new one)
                         if (r.variables.refresh_token != tokenset.refresh_token) {
@@ -196,7 +203,12 @@ function codeExchange(r) {
                         // Add opaque token to keyval session store
                         r.log("OIDC success, creating session " + r.variables.request_id);
                         r.variables.new_session = tokenset.id_token; // Create key-value store entry
-                        r.variables.new_access_token = tokenset.access_token;
+                        if (tokenset.access_token) {
+                            r.variables.new_access_token = tokenset.access_token;
+                        } else {
+                            r.variables.new_access_token = "-";
+                        }
+                        
                         r.headersOut["Set-Cookie"] = "auth_token=" + r.variables.request_id + "; " + r.variables.oidc_cookie_flags;
                         r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
                    }
@@ -263,12 +275,31 @@ function validateIdToken(r) {
     }
 }
 
+//
+// Default RP-Initiated or Custom Logout w/ OP.
+// 
+// - An RP requests that the OP log out the end-user by redirecting the
+//   end-user's User Agent to the OP's Logout endpoint.
+// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
+// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
+//
 function logout(r) {
     r.log("OIDC logout for " + r.variables.cookie_auth_token);
-    r.variables.session_jwt = "-";
-    r.variables.access_token = "-";
-    r.variables.refresh_token = "-";
-    r.return(302, r.variables.oidc_logout_redirect);
+    var idToken = r.variables.session_jwt;
+    var queryParams = '?post_logout_redirect_uri=' + 
+                      r.variables.redirect_base + 
+                      r.variables.oidc_logout_redirect +
+                      '&id_token_hint=' + idToken;
+    if (r.variables.oidc_end_session_query_params_option == REPLACE_PARAMS) {
+        queryParams = '?' + r.variables.oidc_end_session_query_params;
+    } else if (r.variables.oidc_end_session_query_params_option == EXTRA_PARAMS) {
+        queryParams += '&' + r.variables.oidc_end_session_query_params;
+    } 
+    r.variables.request_id    = '-';
+    r.variables.session_jwt   = '-';
+    r.variables.access_token  = '-';
+    r.variables.refresh_token = '-';
+    r.return(302, r.variables.oidc_end_session_endpoint + queryParams);
 }
 
 function getAuthZArgs(r) {
@@ -312,66 +343,56 @@ function idpClientAuth(r) {
 }
 
 //
-// Redirect URI after logging in the IDP.
-function redirectPostLogin(r) {
-    r.return(302, r.variables.redirect_base + getIDTokenArgsAfterLogin(r));
-}
-
-//
-// Get query parameter of ID token after sucessful login:
-//
-// - For the variable of `returnTokenToClientOnLogin` of the APIM, this config
-//   is only effective for /login endpoint. By default, our implementation MUST
-//   not return any token back to the client app.
-// - If its configured it can send id_token in the request uri as 
-//   `?id_token=sdfsdfdsfs` after successful login. 
-//
+// Redirect URI after successful login from the OP.
 //
-function getIDTokenArgsAfterLogin(r) {
-    if (r.variables.return_token_to_client_on_login == 'id_token') {
-        return '?id_token=' + r.variables.id_token;
+function redirectPostLogin(r) {
+    if (r.variables.oidc_landing_page) {
+        r.return(302, r.variables.oidc_landing_page);
+    } else {
+        r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
     }
-    return '';
-}
-
-//
-// RP-Initiated or Custom Logout w/ Idp.
-// 
-// - An RP requests that the Idp log out the end-user by redirecting the
-//   end-user's User Agent to the Idp's Logout endpoint.
-// - TODO: Handle custom logout parameters if Idp doesn't support standard spec
-//         of 'OpenID Connect RP-Initiated Logout 1.0'.
-//
-// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
-// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
-//
-function v2logout(r) {
-    r.log("OIDC logout for " + r.variables.cookie_auth_token);
-    var idToken = r.variables.session_jwt;
-    var queryParams = getRPInitiatedLogoutArgs(r, idToken);
-
-    r.variables.request_id    = '-';
-    r.variables.session_jwt   = '-';
-    r.variables.access_token  = '-';
-    r.variables.refresh_token = '-';
-    r.return(302, r.variables.oidc_end_session_endpoint + queryParams);
 }
 
 //
-// Get query params for RP-initiated logout:
+// Redirect URI after logged-out from the OP.
 //
-// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
-// - https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RedirectionAfterLogout
-//
-function getRPInitiatedLogoutArgs(r, idToken) {
-    return '?post_logout_redirect_uri=' + r.variables.redirect_base
-                                        + r.variables.oidc_logout_redirect_uri +
-           '&id_token_hint='            + idToken;
+function redirectPostLogout(r) {
+    r.return(302, r.variables.post_logout_return_uri);
 }
 
 //
-// Redirect URI after logged-out from the IDP.
+// Return necessary user info claims after receiving and extracting all claims
+// that are received from the OpenID Connect Provider(OP).
 //
-function redirectPostLogout(r) {
-    r.return(302, r.variables.post_logout_return_uri);
-}
+function userInfo(r) {
+    r.subrequest('/_userinfo',
+        function(res) {
+            if (res.status == 200) {
+                var error_log = "OIDC userinfo JSON failure";
+                var claimsOP = ''; // Claims that are received by the OP.
+                try {
+                    claimsOP = JSON.parse(res.responseBody);
+                } catch (e) {
+                    error_log += ": " + res.responseBody;
+                    r.error(error_log);
+                    r.return(500);
+                    return;
+                }
+                // The claimsRP is to extract claims that are configured in
+                // $oidc_userinfo_response_data in the RP and send them to
+                // the client using the response of the OP.
+                var claimsRP = r.variables.oidc_userinfo_response_data.split(",");
+                var ret = {};
+                for (var i in claimsRP) {
+                    if (claimsRP[i] in claimsOP) {
+                        ret[claimsRP[i]] = claimsOP[claimsRP[i]];
+                    }
+                }
+                r.variables.user_info = JSON.stringify(ret);
+                r.return(200, r.variables.user_info);
+            } else {
+                r.return(res.status)
+            }
+        }
+    );
+}