nginxinc/nginx-openid-connect

Capture access token from IdP

shawnhankim opened this issue · 2 comments

shawnhankim commented

Background:

  • Current NJS implementation disregard the access_token that is being sent by the IdP and only uses the id_token to get stored in the NGINX Plus K/V store.

  • Token Recommandation

    When Using Do Don't
    ID Token - Assume the user is authenticated - Call an API
    - Get user profile data - Check if the client is allowed to access something.
    Access Token - Call an API - Inspect its content on the client
    - Check if the client is allowed to access something
    - Inspect its content on the server side

    courtesy: ID Token and Access Token: What's the Difference?

Acceptance Criteria:

  • Enhance the NJS Code to capture the access_token sent by the IdP.
  • Store the access_token in the k/v store as same as we store id_token and refresh_token

Compatibility:

  • This issue will not block the existing features as there would be no change of variables, and this is just to add features.
shawnhankim commented

@route443 : You can use this PR if you want to test the access token.

shawnhankim commented

Per discussion with @route443 : I close this PR because I have consolidated this PR into #55. Thanks @route443 for your time. 👍