access token and new endpoints (/login, /userinfo, /v2/logout) #55
Closed
shawnhankim changed the title from "Add endpoints (/login, /userinfo, /v2/logout) and a bundle OIDC simulation environment" to "access token and new endpoints (/login, /userinfo, /v2/logout)" on Nov 17, 2022
Background:

- The current NJS implementation disregards the `access_token` that is being sent by the IdP and only uses the `id_token`, which gets stored in the NGINX Plus K/V store. Token Recommendation (courtesy: ID Token and Access Token: What's the Difference?)
- The current NJS implementation doesn't have `/login` and `/userinfo` endpoints for client apps (SPA) to interact with.
- Client Apps require a `/login` function as part of the relying party when a user clicks on the login button from the landing page.
- Client Apps require a `/userinfo` function as part of the relying party when a user wants to verify that the session cookie created by NGINX Plus is still valid, or to get some user info about users which is needed for the Client Apps.
- The existing `/logout` function is required to extend the sign-off function to the IdP's `end_session_endpoint`. Afterwards the NGINX Plus logout redirection URI (which is redirected to by the IdP after successful logout from the IdP) can clear session cookies and redirect to either the original landing page or a custom logout page.

Acceptance Criteria:

- Enhance the NJS code to capture the `access_token` sent by the IdP.
- Store the `access_token` in the K/V store the same as we store `id_token` and `refresh_token`.
- Add `/userinfo` endpoint:
  - `$oidc_userinfo_endpoint` the same as the authz and token endpoints here (`openid_connect_configuration.conf`).
  - `/userinfo` endpoint here (`openid_connect.server_conf`) in a location block of NGINX Plus to interact with the IdP's `userinfo_endpoint`, which is defined in the endpoint of `well-known/openid-configuration`.
  - `userinfo_endpoint` by adding `access_token` as a bearer token.
- Expose `/login` endpoint:
  - `/login` endpoint as a location block here (`openid_connect.server_conf`)
  - `authorization_endpoint` configured in the map variable of `$oidc_authz_endpoint` in (`openid_connect_configuration.conf`).
- Expose `/v2/logout` endpoint:
  - `/v2/logout` endpoint as a location block here (`openid_connect.server_conf`)
  - `$oidc_end_session_endpoint` the same as the authz and token endpoints here (`openid_connect_configuration.conf`).
  - `end_session_endpoint` to finish the session at the IdP.
- Expose `/v2/_logout` endpoint:
  - `/v2/_logout` endpoint, which is a callback from the IdP, as a location block here (`openid_connect.server_conf`) to handle the following sequences.
  - `$post_logout_return_uri`: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is the original page, based on the configuration of `$redirect_base`.
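One way to wire the endpoints from the acceptance criteria into NGINX Plus, as an added configuration sketch that is not part of this issue or of the project's own `.conf` files. The IdP URLs are placeholders; the `auth_token` cookie name, the `$session_jwt` variable for the stored `id_token`, the keyval zone name and the resolver address are assumptions.

```nginx
# Added example, not the project's own configuration. IdP URLs are placeholders;
# cookie, zone and variable names are assumptions.

# Map variables for the new endpoints, alongside $oidc_authz_endpoint and the token endpoint
map $host $oidc_userinfo_endpoint {
    default "https://idp.example.com/oauth2/userinfo";   # placeholder: IdP userinfo_endpoint
}
map $host $oidc_end_session_endpoint {
    default "https://idp.example.com/oauth2/logout";     # placeholder: IdP end_session_endpoint
}
map $host $post_logout_return_uri {
    # Fixed per-host value: the target is never taken from the request, which
    # keeps /v2/_logout from becoming an open redirect.
    default "$redirect_base";                            # default: back to the original page
}

# Session cookie -> access_token, stored the same way as id_token and refresh_token
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
keyval $cookie_auth_token $access_token zone=oidc_access_tokens;

server {
    # proxy_pass with a variable needs a resolver; address is a placeholder
    resolver 127.0.0.53;

    # /userinfo: forward to the IdP with the stored access_token as a bearer token
    location = /userinfo {
        if ($access_token = "") {
            return 401;                                  # no session cookie, or nothing stored for it
        }
        proxy_set_header Authorization "Bearer $access_token";
        proxy_set_header Cookie "";                      # do not leak the NGINX session cookie to the IdP
        proxy_pass $oidc_userinfo_endpoint;
    }

    # /v2/logout: send the browser to the IdP's end_session_endpoint with the id_token as hint
    location = /v2/logout {
        return 302 "$oidc_end_session_endpoint?post_logout_redirect_uri=$redirect_base/v2/_logout&id_token_hint=$session_jwt";
    }

    # /v2/_logout: IdP callback after logout; clear the session cookie and redirect.
    # Removing the matching keyval entries is left to the NJS logout handler.
    location = /v2/_logout {
        add_header Set-Cookie "auth_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure";
        return 302 $post_logout_return_uri;
    }
}
```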
Compatibility:

Exceptions: