revert OIDC updates to unblock main (#7750)

Author: vepatel

internal/configs/oidc/oidc.conf

@@ -1,7 +1,6 @@
     # Advanced configuration START
     set $internal_error_message "NGINX / OpenID Connect login failure\n";
     set $pkce_id "";
-    set $idp_sid "";
     # resolver 8.8.8.8; # For DNS lookup of IdP endpoints;
     subrequest_output_buffer_size 32k; # To fit a complete tokenset response
     gunzip on; # Decompress IdP responses if necessary
@@ -38,48 +37,33 @@
         # to construct the OpenID Connect token request, as per:
         #  http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
         internal;
-
-        # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
-        proxy_pass_request_headers off;
-
         proxy_ssl_server_name on; # For SNI to the IdP
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
         proxy_set_header      Authorization $arg_secret_basic;
         proxy_pass            $oidc_token_endpoint;
-    }
+   }
 
     location = /_refresh {
         # This location is called by oidcAuth() when performing a token refresh. We
         # use the proxy_ directives to construct the OpenID Connect token request, as per:
         #  https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
         internal;
-
-        # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
-        proxy_pass_request_headers off;
-
         proxy_ssl_server_name on; # For SNI to the IdP
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
         proxy_set_header      Authorization $arg_secret_basic;
         proxy_pass            $oidc_token_endpoint;
     }
 
-    location = /_token_validation {
+    location = /_id_token_validation {
         # This location is called by oidcCodeExchange() and oidcRefreshRequest(). We use
         # the auth_jwt_module to validate the OpenID Connect token response, as per:
         #  https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
         internal;
         auth_jwt "" token=$arg_token;
-        js_content oidc.extractTokenClaims;
+        js_content oidc.validateIdToken;
         error_page 500 502 504 @oidc_error;
     }
 
-    location = /front_channel_logout {
-        status_zone "OIDC logout";
-        add_header Cache-Control "no-store";
-        default_type text/plain;
-        js_content oidc.handleFrontChannelLogout;
-    }
-
     location = /logout {
         status_zone "OIDC logout";
         add_header Set-Cookie "auth_token=; $oidc_cookie_flags";

internal/configs/oidc/oidc_common.conf

@@ -20,7 +20,6 @@ proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
 keyval_zone zone=oidc_id_tokens:1M     timeout=1h sync;
 keyval_zone zone=oidc_access_tokens:1M timeout=1h sync;
 keyval_zone zone=refresh_tokens:1M     timeout=8h sync;
-keyval_zone zone=oidc_sids:1M          timeout=8h;
 #keyval_zone zone=oidc_pkce:128K timeout=90s sync; # Temporary storage for PKCE code verifier.
 
 keyval $cookie_auth_token $session_jwt   zone=oidc_id_tokens;     # Exchange cookie for ID token(JWT)
@@ -29,7 +28,6 @@ keyval $cookie_auth_token $refresh_token zone=refresh_tokens;     # Exchange coo
 keyval $request_id $new_session          zone=oidc_id_tokens; # For initial session creation
 keyval $request_id $new_access_token     zone=oidc_access_tokens;
 keyval $request_id $new_refresh          zone=refresh_tokens; # ''
-keyval $idp_sid $client_sid              zone=oidc_sids;
 #keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;
 
 auth_jwt_claim_set $jwt_audience aud; # In case aud is an array