nginx · vepatel · May 1, 2025 · Apr 29, 2025 · Apr 29, 2025 · Apr 29, 2025
@@ -1,6 +1,7 @@
     # Advanced configuration START
     set $internal_error_message "NGINX / OpenID Connect login failure\n";
     set $pkce_id "";
+    set $idp_sid "";
     # resolver 8.8.8.8; # For DNS lookup of IdP endpoints;
     subrequest_output_buffer_size 32k; # To fit a complete tokenset response
     gunzip on; # Decompress IdP responses if necessary
@@ -37,33 +38,48 @@
         # to construct the OpenID Connect token request, as per:
         #  http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
         internal;
+
+        # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
+        proxy_pass_request_headers off;
+
         proxy_ssl_server_name on; # For SNI to the IdP
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
         proxy_set_header      Authorization $arg_secret_basic;
         proxy_pass            $oidc_token_endpoint;
-   }
+    }
 
     location = /_refresh {
         # This location is called by oidcAuth() when performing a token refresh. We
         # use the proxy_ directives to construct the OpenID Connect token request, as per:
         #  https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
         internal;
+
+        # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
+        proxy_pass_request_headers off;
+
         proxy_ssl_server_name on; # For SNI to the IdP
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
         proxy_set_header      Authorization $arg_secret_basic;
         proxy_pass            $oidc_token_endpoint;
     }
 
-    location = /_id_token_validation {
+    location = /_token_validation {
         # This location is called by oidcCodeExchange() and oidcRefreshRequest(). We use
         # the auth_jwt_module to validate the OpenID Connect token response, as per:
         #  https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
         internal;
         auth_jwt "" token=$arg_token;
-        js_content oidc.validateIdToken;
+        js_content oidc.extractTokenClaims;
         error_page 500 502 504 @oidc_error;
     }
 
+    location = /front_channel_logout {
+        status_zone "OIDC logout";
+        add_header Cache-Control "no-store";
+        default_type text/plain;
+        js_content oidc.handleFrontChannelLogout;
+    }
+
     location = /logout {
         status_zone "OIDC logout";
         add_header Set-Cookie "auth_token=; $oidc_cookie_flags";

@@ -20,6 +20,7 @@ proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
 keyval_zone zone=oidc_id_tokens:1M     timeout=1h sync;
 keyval_zone zone=oidc_access_tokens:1M timeout=1h sync;
 keyval_zone zone=refresh_tokens:1M     timeout=8h sync;
+keyval_zone zone=oidc_sids:1M          timeout=8h;
 #keyval_zone zone=oidc_pkce:128K timeout=90s sync; # Temporary storage for PKCE code verifier.
 
 keyval $cookie_auth_token $session_jwt   zone=oidc_id_tokens;     # Exchange cookie for ID token(JWT)
@@ -28,6 +29,7 @@ keyval $cookie_auth_token $refresh_token zone=refresh_tokens;     # Exchange coo
 keyval $request_id $new_session          zone=oidc_id_tokens; # For initial session creation
 keyval $request_id $new_access_token     zone=oidc_access_tokens;
 keyval $request_id $new_refresh          zone=refresh_tokens; # ''
+keyval $idp_sid $client_sid              zone=oidc_sids
 #keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;
 
 auth_jwt_claim_set $jwt_audience aud; # In case aud is an array