access token and new endpoints (/login, /userinfo, /v2/logout)
shawnhankim opened this issue · 0 comments
Background:
- Current NJS implementation disregards the `access_token` that is being sent by the IdP and only uses the `id_token` to get stored in the NGINX Plus K/V store.
- Token Recommendation

  | When Using   | Do                                                | Don't                                                                |
  |--------------|---------------------------------------------------|----------------------------------------------------------------------|
  | ID Token     | Assume the user is authenticated; Get user profile data | Call an API; Check if the client is allowed to access something |
  | Access Token | Call an API; Check if the client is allowed to access something | Inspect its content on the client; Inspect its content on the server side |

- Current NJS implementation doesn't have `/login` and `/userinfo` endpoints for client apps (SPA) to interact with.
- Client Apps require `/login` function as part of relying party when a user clicks on login button from the landing page.
- Client Apps require `/userinfo` function as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps.
- The existing `/logout` function is required to extend the sign-off function on the IdP's `end_session_endpoint`. Afterwards the NGINX Plus' logout redirection URI (which is redirected by IdP after successful logout from IdP) can clear session cookies and redirect to either the original landing page or a custom logout page.
Acceptance Criteria:
- Enhance the NJS code to capture the `access_token` sent by the IdP.
- Store the `access_token` in the K/V store the same as we store `id_token` and `refresh_token`.
- Add `/userinfo` endpoint:
  - Add a map variable of `$oidc_userinfo_endpoint` the same as authz and token endpoints here (openid_connect_configuration.conf).
  - Expose `/userinfo` endpoint here (openid_connect.server_conf) in a location block of NGINX Plus to interact with IdP's `userinfo_endpoint`, which is defined in the endpoint of `well-known/openid-configuration`.
  - The nginx location block should proxy to the IdP's `userinfo_endpoint` by adding `access_token` as a bearer token: `Authorization: Bearer <access_token>`
  - The response coming from IdP should be returned back to the caller as it is.
- Expose `/login` endpoint:
  - Expose the `/login` endpoint as a location block here (openid_connect.server_conf).
  - Proxy it to the IdP's `authorization_endpoint` configured in the map variable of `$oidc_authz_endpoint` in (openid_connect_configuration.conf).
  - This would outsource the login function to IdP as it's configured.
- Expose `/v2/logout` endpoint:
  - Expose the `/v2/logout` endpoint as a location block here (openid_connect.server_conf).
  - Add a map variable of `$oidc_end_session_endpoint` the same as authz and token endpoints here (openid_connect_configuration.conf).
  - Proxy it to the IdP's `end_session_endpoint` to finish the session by IdP.
- Expose `/v2/_logout` endpoint:
  - Expose `/v2/_logout` endpoint, which is a callback from IdP, as a location block here (openid_connect.server_conf) to handle the following sequences:
    - Redirected by IdP when IdP successfully finished the session.
    - NGINX Plus: Clear session cookies.
    - NGINX Plus: Redirect to either the original landing page or the custom logout page by calling
  - Add a map of `$post_logout_return_uri`: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is the original page based on the configuration of `$redirect_base`.
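An added configuration sketch (not the project's code) of the `/userinfo`, `/v2/logout` and `/v2/_logout` location blocks and the map variables described above. The IdP URLs, the `access_tokens` keyval zone, `$access_token`, the resolver address and the `auth_token`/`auth_redir` cookie names are assumptions; `/login` is left out because the authorization request needs a fresh `state` and `nonce`, which this sketch does not generate.

```nginx
# Constructed example, not code from the nginx-openid-connect project. Assumptions:
# the IdP URLs, the access_tokens keyval zone, $access_token, the cookie names.

# Endpoint maps, kept beside the existing $oidc_authz_endpoint map
# (openid_connect_configuration.conf).
map $host $oidc_userinfo_endpoint {
    default "https://idp.example.com/oauth2/userinfo";   # placeholder IdP
}
map $host $oidc_end_session_endpoint {
    default "https://idp.example.com/oauth2/logout";     # placeholder IdP
}
map $host $post_logout_return_uri {
    default $redirect_base;   # default: back to the original landing page
}

# Assumption: access_token is stored like id_token, keyed by the opaque
# session cookie, so a location can read it as $access_token.
keyval_zone zone=access_tokens:1M timeout=1h;
keyval $cookie_auth_token $access_token zone=access_tokens;

server {
    listen 443 ssl;
    resolver 127.0.0.53;   # placeholder; proxy_pass with a variable needs one
    # ... existing OIDC flow from openid_connect.server_conf ...

    # /userinfo: attach the bearer token server-side and relay the IdP's
    # response unchanged, so the SPA never handles the access_token itself.
    location = /userinfo {
        if ($access_token = "") { return 401; }   # no live session
        proxy_set_header Authorization "Bearer $access_token";
        proxy_set_header Cookie "";               # session cookie stays in NGINX
        proxy_pass $oidc_userinfo_endpoint;
    }

    # /v2/logout: send the browser to the IdP so it ends its own session;
    # some IdPs also require id_token_hint here.
    location = /v2/logout {
        return 302 "$oidc_end_session_endpoint?post_logout_redirect_uri=$redirect_base/v2/_logout";
    }

    # /v2/_logout: IdP callback after its session is finished. Expire the
    # session cookies, then land on the configured return URI.
    location = /v2/_logout {
        add_header Set-Cookie "auth_token=; Path=/; Max-Age=0; Secure; HttpOnly";
        add_header Set-Cookie "auth_redir=; Path=/; Max-Age=0; Secure; HttpOnly";
        return 302 $post_logout_return_uri;
    }
}
```

The `post_logout_redirect_uri` value is shown unencoded for readability and must be registered with the IdP, which otherwise rejects the logout request.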
Compatibility:
- This issue will not block the existing features as there would be no change of variables, and this is just to add features.
Exceptions:
- The docs will be enhanced with a separate PR.
- The demo as a quick start guide will be provided with a separate PR.