Token Request Through Corporate Proxy
shumphre opened this issue · 3 comments
How do we change the token request to go through a corporate proxy server?
```nginx
location = /token {
    # This location is called by oidcCodeExchange(). We use the proxy directives
    # to construct the OpenID Connect token request, as per:
    # http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
    internal;
    proxy_ssl_server_name on; # For SNI to the IdP
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    proxy_set_body "grant_type=authorization_code&code=$arg_code&client_id=$oidc_client&client_secret=$oidc_client_secret&redirect_uri=$scheme://$host:$server_port$redir_location";
    proxy_method POST;
    proxy_pass $oidc_token_endpoint;
}
```
This is not currently possible. NGINX expects that it can proxy directly to the `proxy_pass` target. If the IdP is external then we recommend a hole in the firewall for this very specific interaction.
You could use socat to do this but that is outside the scope of this repo I would say. I have an ansible role where I'm working on using that with kubernetes. You'll need to change the 3 locations to point to the socat name (you could install it on the same box and point to itself with the right port).
The Readme points to the three locations. You need to also add the `proxy_set_header Host login.microsoftonline.com;` (or whatever it is you're using for those locations).
Edit `openid_connect.server_conf` and for each of the `/_jwks_uri`, `/_token`, and `/_refresh` locations, add the following configuration snippet:

```nginx
proxy_set_header Host ;
proxy_ssl_name ;
```
Again this is just to point you in the right direction, if you're not familiar with any of that it could be quite a bit of work. NGINX basically will call the socat tunnel passing the host header of the right external DNS name. Then the socat will tunnel that to your forward proxy.
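A worked version of the socat tunnel arrangement described in the comment above, added here as an illustration; it is not code from this repository or from the commenter. It assumes a corporate forward proxy at proxy.corp.example:3128, the IdP host login.microsoftonline.com used in the comment, a socat listener on 127.0.0.1:8443, an IdP token endpoint path of /common/oauth2/v2.0/token, and a system CA bundle at /etc/ssl/certs/ca-certificates.crt.

```nginx
# Assumed layout (not from the repository):
#   NGINX -> socat on 127.0.0.1:8443 -> corporate HTTP CONNECT proxy -> IdP:443
#
# Start the tunnel on the NGINX host, bound to loopback so nothing off-host can reach it:
#   socat TCP4-LISTEN:8443,bind=127.0.0.1,fork,reuseaddr \
#         PROXY:proxy.corp.example:login.microsoftonline.com:443,proxyport=3128
# socat's PROXY address sends an HTTP CONNECT to the forward proxy and then relays bytes
# unchanged, so the TLS session below is still negotiated between NGINX and the IdP.

location = /_token {
    internal;
    proxy_method POST;
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    proxy_set_body "grant_type=authorization_code&code=$arg_code&client_id=$oidc_client&client_secret=$oidc_client_secret&redirect_uri=$scheme://$host:$server_port$redir_location";

    # The upstream address is now the loopback tunnel, so NGINX must be told which name
    # the IdP expects in the Host header and in the TLS SNI / certificate check.
    proxy_set_header Host login.microsoftonline.com;
    proxy_ssl_server_name on;
    proxy_ssl_name login.microsoftonline.com;

    # Verify the IdP certificate against that name; without this, whatever answers on
    # the tunnel (a misrouted proxy, a stray listener) would receive $oidc_client_secret.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # CA bundle path assumed

    proxy_pass https://127.0.0.1:8443/common/oauth2/v2.0/token;        # token path assumed
}
```

The same Host, proxy_ssl_name and proxy_ssl_verify directives belong in the /_jwks_uri and /_refresh locations, each pointed at the tunnel with its own IdP path.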
@magicalyak Thanks for the suggestion. I'm running kubernetes so I created a sidecar that could proxy the requests to the OIDC server, and changed the configuration to point to my sidecar.