I can't use the access_token from our identity provider as a variable in nginx?

Question

I can't use the access_token from our identity provider as a variable in nginx?

janvht opened this issue 5 years ago · 4 comments

The response from our idp when requesting a token looks like this:
{"access_token":"...",
"refresh_token":"...",
"scope":"...",
"id_token":"...",
"token_type":"...",
"expires_in":...,
"nonce":"..."
}

Next to the id_token which is available in nginx as $session_jwt, I would like to use the access_token to send it as a header to the proxied application.

Answer 1 · 2021-05-07T09:43:46.000Z

Thanks for the explanation. Is there a reason the id_token is unsuitable in this case? Too much information?

Answer 2 · 2021-05-10T07:19:47.000Z

Thanks for your response. I am responsible for the nginx-part and was asked to send both the id_token and access_token to be reverse-proxied application. This is the answer from our developers to the question why the access_token is needed: "We need the access token because this is the token that gives access to the resources/data for a user. The ID token is also needed to be able to crosscheck the user's identity with the data. So we need both token. The access_token is essential for oauth2/oidc."

Answer 3 · 2021-05-10T10:51:02.000Z

This morning we've managed to get it working by adding this:

 keyval_zone zone=access_tokens:1M state=/var/run/nginx/session-data/access_tokens.json timeout=8h;
 keyval $cookie_auth_token $access_token zone=access_tokens;
 keyval $request_id $new_access zone=access_tokens;

to the server config file and adding this

 r.variables.new_access = tokenset.access_token;

to the javascript's token validation part.

Answer 4 · 2021-05-17T08:30:44.000Z

Glad you got it working. We're looking into making this part of the reference implementation.