Change needed to support OneLogin OIDCv2
bsima opened this issue · 3 comments
OneLogin is deprecating their v1 OIDC endpoints. They have an upgrade guide but this doesn't tell you that the offline_access scope is not supported.
That's mentioned here:
Using this scope with Implicit or Authorization Code flow will cause an error.
The following patch seems to resolve this:
diff --git a/openid_connect.server_conf b/openid_connect.server_conf
index 95421d2..15f3391 100644
--- a/openid_connect.server_conf
+++ b/openid_connect.server_conf
@@ -7,7 +7,9 @@
# This URL should work for most OpenID Connect providers.
# Adjust the scope or state values as required (offline_access enables refresh tokens)
- return 302 "$oidc_authz_endpoint?response_type=code&scope=openid+profile+email+offline_access&client_id=$oidc_client&state=0&redirect_uri=$scheme://$host:$server_port$redir_location&nonce=$requestid_hash";
+ # bsima: remove offline_access because it OneLogin's OIDCv2 doesn't
+ # like it? https://developers.onelogin.com/openid-connect/scopes
+ return 302 "$oidc_authz_endpoint?response_type=code&scope=openid+profile+email&client_id=$oidc_client&state=0&redirect_uri=$scheme://$host:$server_port$redir_location&nonce=$requestid_hash";
}
# We have a refresh token so perform refresh operation
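Review bot: the unchanged comment two lines above the `return 302` still says "(offline_access enables refresh tokens)" although the scope no longer requests it, and the added comment "because it OneLogin's OIDCv2 doesn't like it?" has a stray "it" and a question mark that leaves the reason uncertain; reword both to state plainly that OneLogin's v2 endpoints reject offline_access (the scopes link is fine to keep). The bigger problem is that this `return 302` is shared by every IdP the config fronts, so removing offline_access here silently disables refresh tokens for all of them: the refresh branch that follows ("We have a refresh token so perform refresh operation") never has a token to use and users must re-authenticate each time the access token expires. Move the scope list into a per-host variable and drop offline_access only for the OneLogin host, leaving the default unchanged.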
@@ -39,7 +41,7 @@
# Catch errors from oidcCodeExchange()
# 500 = token validation error, 502 = error from IdP, 504 = IdP timeout
- error_page 500 502 504 @oidc_error;
+ error_page 500 502 504 @oidc_error;
access_log /var/log/nginx/oidc_auth.log main_jwt;
error_log /var/log/nginx/oidc_error.log debug;
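Review bot: the `-`/`+` pair for `error_page 500 502 504 @oidc_error;` is identical apart from whitespace, so this hunk carries no fix and is unrelated to the OneLogin change; drop it (or put whitespace cleanup in a separate commit) so the patch stays minimal and easy to review. The context line `error_log /var/log/nginx/oidc_error.log debug;` is pre-existing, but debug-level logging is a troubleshooting setting and is worth calling out as such in the shared default rather than leaving it on permanently.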
@@ -112,5 +114,5 @@
allow 127.0.0.1; # Only the NGINX host may call the NIGNX Plus API
deny all;
}
-
+
# vim: syntax=nginx

I'm not sure if this patch should be upstreamed or not; I'm just sharing it in case anyone else runs into this problem.
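Review bot: the final hunk only replaces a blank line with another blank line (whitespace-only), so it adds nothing and should be dropped together with the other whitespace noise in this patch. If the region is going to be touched anyway, the context comment "Only the NGINX host may call the NIGNX Plus API" has a typo (NIGNX) that could be corrected in the same change.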
Scopes now have their own configuration entry
https://github.com/nginxinc/nginx-openid-connect/blob/main/openid_connect_configuration.conf#L32
Thanks for the heads-up about OneLogin's changes, we will update the integration guide
https://docs.nginx.com/nginx/deployment-guides/single-sign-on/onelogin/#nginx-plus
Ah, so the correct patch is:
diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
index 753832c..8d8ea79 100644
--- a/openid_connect_configuration.conf
+++ b/openid_connect_configuration.conf
@@ -29,7 +29,7 @@ map $host $oidc_client_secret {
}
map $host $oidc_scopes {
- default "openid+profile+email+offline_access";
+ default "openid+profile+email";
}
map $host $oidc_logout_redirect {

I guess I was basing this on an old master branch.
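Review bot: changing `default` in `map $host $oidc_scopes` removes offline_access for every host served by this configuration, so all IdPs lose refresh tokens to work around one provider that rejects the scope. Because the map is keyed on `$host`, the right change is to add a host-specific entry and leave the default alone, for example `onelogin.example.com "openid+profile+email";` placed above `default "openid+profile+email+offline_access";` (the hostname is a placeholder). That confines the behaviour change to the OneLogin-fronted site and keeps refresh tokens working elsewhere.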
Yes, that should solve for the OneLogin changes. The configuration for $oidc_scopes is intended for handling IdP-specific requirements such as this. So thanks for the patch, but it is not appropriate to change the default configuration just for OneLogin.
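Added example, not code from the nginx-openid-connect project or from anyone in this thread: a per-host `$oidc_scopes` map in the style of `openid_connect_configuration.conf`, keeping `offline_access` as the default and omitting it only for the hostname that fronts OneLogin. The hostnames are placeholders, and the `return 302` line is an assumed illustration of how the variable would be consumed in the same form as the redirect quoted in the first patch; it is not the project's actual line.

```nginx
# Added example, not part of nginx-openid-connect. Hostnames are placeholders.
map $host $oidc_scopes {
    # OneLogin's OIDCv2 endpoints reject offline_access (the scope causes an
    # error on the Authorization Code flow), so this host must not request it.
    # Consequence: no refresh token is issued for this host, and the session
    # has to re-authenticate once the access token expires.
    onelogin.example.com    "openid+profile+email";

    # Every other IdP keeps offline_access so the refresh-token path remains usable.
    default                 "openid+profile+email+offline_access";
}

# Assumed illustration only: the authorization redirect interpolates the
# per-host scope string instead of hardcoding it, so no provider-specific
# edit to the shared server_conf is needed. The '+' separators are already
# URL-safe as a space substitute in the query string.
location @do_oidc_flow {
    return 302 "$oidc_authz_endpoint?response_type=code&scope=$oidc_scopes&client_id=$oidc_client&state=0&redirect_uri=$scheme://$host:$server_port$redir_location&nonce=$requestid_hash";
}
```

Verify the change by fetching the protected URL unauthenticated and checking that the `Location` header for the OneLogin host carries `scope=openid+profile+email` while other hosts still include `offline_access`; if the OneLogin host still returns an IdP error, the request is not matching the host-specific map entry.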