Add OIDC landing page and login endpoint

nginxinc · Dec 30, 2022 · a72793e · a72793e
1 parent 6ad8ec6
commit a72793e
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/openid_connect.js b/openid_connect.js
@@ -188,7 +188,7 @@ function codeExchange(r) {
  r.log("OIDC success, creating session " + r.variables.request_id);
  r.variables.new_session = tokenset.id_token; // Create key-value store entry
  r.headersOut["Set-Cookie"] = "auth_token=" + r.variables.request_id + "; " + r.variables.oidc_cookie_flags;
- r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
+ redirectPostLogin();
  }
  );
  } catch (e) {
@@ -253,6 +253,15 @@ function validateIdToken(r) {
  }
 }
 
+// Redirect URI after successful login from the OP.
+function redirectPostLogin(r) {
+ if (r.variables.oidc_landing_page) {
+ r.return(302, r.variables.oidc_landing_page);
+ } else {
+ r.return(302, r.variables.redirect_base + r.variables.cookie_auth_redir);
+ }
+}
+
 function logout(r) {
  r.log("OIDC logout for " + r.variables.cookie_auth_token);
  r.variables.session_jwt = "-";

diff --git a/openid_connect.server_conf b/openid_connect.server_conf
@@ -66,6 +66,17 @@
  error_page 500 502 504 @oidc_error;
  }
 
+ location = /login {
+ # This location can be called by SPA for scenarios where `/` location is
+ # proxied to SPA landing page that doesn't need to be started with user
+ # authentication, and a user clicks on login button to start OIDC flow.
+ auth_jwt "" token=$session_jwt;
+ error_page 401 = @do_oidc_flow;
+
+ auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+ #auth_jwt_key_request /_jwks_uri; # Enable when using URL
+ }
+
  location = /logout {
  status_zone "OIDC logout";
  add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie

diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
@@ -44,6 +44,13 @@ map $host $oidc_scopes {
   default "openid+profile+email+offline_access";
 }
 
+map $host $oidc_landing_page {
+ # Where to send browser after successful login. If empty, redirects User 
+ # Agent to $request_uri.
+  default "";
+ #www.example.com $redirect_base;
+}
+
 map $host $oidc_logout_redirect {
  # Where to send browser after requesting /logout location. This can be
  # replaced with a custom logout page, or complete URL.