nginx-openid-connect/nginx-oidc-core-v1

Add endpoints (/login, /userinfo, /v2/logout) and a bundle OIDC simulation environment

shawnhankim opened this issue · 3 comments

Background:

  • Current NJS implementation doesn’t have /login and /userinfo endpoints for client apps (SPA) to interact with.
  • Client Apps require /login function as part of relying party when a user clicks on login button from the landing page.
  • Client Apps require /userinfo function as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps.
  • The existing /logout function is required to extend the sign-off function to the IdP's end_session_endpoint. Afterwards the NGINX Plus logout redirection URI (which is redirected to by the IdP after a successful logout from the IdP) can clear session cookies and redirect to either the original landing page or a custom logout page.

Acceptance Criteria:

  • Add /userinfo endpoint:

    • Add a map variable of $oidc_userinfo_endpoint, the same as the authz and token endpoints here (openid_connect_configuration.conf).
    • Expose the /userinfo endpoint here (openid_connect.server_conf) in a location block of NGINX Plus to interact with the IdP's userinfo_endpoint, which is defined in the .well-known/openid-configuration endpoint.
    • The nginx location block should proxy to the IdP's userinfo_endpoint by adding the access_token as a bearer token: `Authorization: Bearer <access_token>`
    • The response coming from IdP should be returned back to the caller as it is.
  • Expose /login endpoint:

    • Expose the /login endpoint as a location block here (openid_connect.server_conf)
    • Proxy it to the existing IdP authorization_endpoint configured in the map variable $oidc_authz_endpoint in (openid_connect_configuration.conf).
    • This would outsource the login function to the IdP as it's configured.
  • Expose /v2/logout endpoint or enhance /logout endpoint:

    • Add a map variable of $oidc_end_session_endpoint, the same as the authz and token endpoints here (openid_connect_configuration.conf).

    • Add a map of $post_logout_return_uri: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is original page based on the configuration of $redirect_base.

    • Option 1. Expose endpoints of /v2/logout and /v2/_logout

      • /v2/logout: NGINX Plus calls IdP's end session endpoint ($oidc_end_session_endpoint) to finish the session by IdP.
      • /v2/_logout (Callback endpoint):
          1. Redirected by the IdP when the IdP has successfully finished the session.
          2. NGINX Plus: Clear session cookies.
          3. NGINX Plus: Redirect to either the original landing page or the custom logout page by calling `$post_logout_return_uri`.
    • Option 2. Enhance the /logout and /_logout endpoints, as long as it doesn't block existing customers:

      • As-Is: The NJS implementation provides an example of clearing the cookie and shows a simple logout message. So customers need to implement the full business logic to interact with the IdP's end session endpoint.
      • To-Be: Existing customers can either keep the legacy business logic or use the new reference implementation (option 1) using logout and /_logout.
    • Capture the logout endpoint (oidc_logout_endpoint) of the IdP in a map variable, the same as the authz and token endpoints here (openid_connect_configuration.conf).

  • Add a bundle SPA to simulate OIDC.

    • Provide a frontend application to easily simulate OIDC workflow.
      • Login button
      • Logout button
      • Call a proxied API button by adding a sample API endpoint to test an API resource using the access token that is received from the IdP.

    [screenshot: oidc-original-landing-page]

    [screenshot: oidc-sample-proxied-api]

  • Add a Docker container environment to locally simulate OIDC.
    [screenshot: make-watch]

Assumptions:

  • IdP is configured with $oidc_logout_redirect_uri at the time of creating the resource credentials along with /_codexch.
  • It is expected that NGINX Plus would always verify the token(s) validity and integrity before sending it to the client or backend.
  • Developers replace the bundle SPA with their app after making sure the OIDC setup/test works among the bundle SPA, NGINX Plus and the IdP.

Task Steps:

  • PR for NGINX Plus repo.
  • PR for NGINX Ingress Controller repo.

Compatibility:

  • This issue will not block the existing features as there would be no change of variables, and this is just to add features.
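The map variables and location blocks this issue asks for, sketched as an added example (it is not the nginx-openid-connect project's own configuration). The IdP URLs, the resolver address, the cookie names auth_token and auth_redir, and the reference implementation's $session_jwt and $access_token keyval variables are assumptions; $redirect_base and $oidc_logout_redirect_uri are the variables named in this issue.

```nginx
# Added illustration, not code from the nginx-openid-connect project.
# Assumed: keyval variables $session_jwt (ID token) and $access_token
# (access token) populated from the session cookie, and cookie names
# auth_token / auth_redir. IdP URLs and resolver address are placeholders.

# openid_connect_configuration.conf: new map variables, alongside
# $oidc_authz_endpoint and $oidc_token_endpoint.
map $host $oidc_userinfo_endpoint {
    default "https://idp.example.com/oauth2/v1/userinfo";  # placeholder IdP URL
}
map $host $oidc_end_session_endpoint {
    default "https://idp.example.com/oauth2/v1/logout";    # placeholder IdP URL
}
map $host $post_logout_return_uri {
    default "$redirect_base/";  # default: back to the original landing page
}

# openid_connect.server_conf: new location blocks inside the server {} block.
location = /userinfo {
    # Only a request carrying a valid session may reach the IdP (this issue's
    # assumption: NGINX Plus verifies the token before forwarding it).
    auth_jwt "" token=$session_jwt;
    auth_jwt_key_request /_jwks_uri;

    proxy_set_header Authorization "Bearer $access_token";
    resolver 127.0.0.53;              # needed because proxy_pass uses a variable
    proxy_pass $oidc_userinfo_endpoint;  # the IdP's response is returned as-is
}

location = /v2/logout {
    # Option 1: hand the session over to the IdP's end_session_endpoint.
    # id_token_hint and post_logout_redirect_uri are the standard OIDC
    # RP-initiated-logout parameters; the callback URI must be registered
    # at the IdP (this issue's assumption about $oidc_logout_redirect_uri).
    return 302 "$oidc_end_session_endpoint?id_token_hint=$session_jwt&post_logout_redirect_uri=$oidc_logout_redirect_uri";
}

location = /v2/_logout {
    # Callback the IdP redirects to after ending its session: clear the
    # session cookies, then send the browser to $post_logout_return_uri.
    add_header Set-Cookie "auth_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure";
    add_header Set-Cookie "auth_redir=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure";
    return 302 $post_logout_return_uri;
}
```

Because the IdP response from /userinfo is passed through unchanged, the auth_jwt check in front of it is what keeps an unauthenticated caller from using NGINX Plus as a relay to the IdP.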

I have consolidated this issue into #13.