NGINX Plus R17 update

Author: lcrilly

README.md

@@ -63,26 +63,28 @@ All files can be copied to **/etc/nginx/conf.d**
     * Set the **redirect URI** to the address of your NGINX Plus instance (including the port number), with `/_codexch` as the path, e.g. `https://my-nginx.example.com:443/_codexch`
     * Ensure NGINX Plus is configured as a confidential client (with a client secret)
     * Make a note of the `client ID` and `client secret`
+
+  * If your IdP supports OpenID Connect Discovery (usually at the URI `/.well-known-openid-configuration`) then use the `configure.sh` script to complete configuration. In this case you can skip the **frontend.conf** configuration. Otherwise:
     * Download the `jwks_uri` JWK file to your NGINX Plus instance
-    
-  * Obtain the URL for the **authorization endpoint**
-  
-  * Obtain the URL for the **token endpoint**
+    * Obtain the URL for the **authorization endpoint**
+    * Obtain the URL for the **token endpoint**
 
 ## Configuring NGINX Plus
 
 Review the following files copied from the GitHub repository so that they match your IdP configuration.
 
-  * **frontend.conf** - this is the reverse proxy configuration and where the IdP is configured
+  * **frontend.conf** - this is the reverse proxy configuration and where the IdP is configured. This file can be automatically configured by using the `configure.sh` script.
     * Modify the upstream group to match your backend site or app
+    * Modify the `resolver` directive to match a DNS server that is capable of resolving the IdP defined in `$oidc_token_endpoint`
     * Configure the preferred listen port and [enable SSL/TLS configuration](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/)
     * Set the value of `$oidc_jwt_keyfile` to match the downloaded JWK file from the IdP and ensure that it is readable by the NGINX worker processes
     * Modify all of the `set $oidc_` directives to match your IdP configuration
     * Set a unique value for `$oidc_hmac_key` to ensure nonce values are unpredictable
 
   * **openid_connect.server_conf** - this is the NGINX configuration for handling the various stages of OpenID Connect authorization code flow
+    * No changes are usually required here
+    * If using [`auth_jwt_key_request`](http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html#auth_jwt_key_request) to automatically fetch the JWK file from the IdP then modify the validity period and other caching options to suit your IdP
     * Modify the `add_header Set-Cookie` directives with appropriate [cookie flags](https://en.wikipedia.org/wiki/HTTP_cookie#Terminology) to control the scope of single sign-on and security options, e.g. Domain; Path; Secure;
-    * Modify the `resolver` directive to match a DNS server that is capable of resolving the IdP defined in `$oidc_token_endpoint`
 
   * **openid_connect.js** - this is the JavaScript code for performing the authorization code exchange and nonce hashing
     * No changes are required unless modifying the code exchange or validation process

configure.sh

@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+# configure.sh (c) NGINX, Inc. [23-Nov-2018] Liam Crilly <[email protected]>
+
+COMMAND=${0##*/}
+CONFDIR=${0%/*}
+if [ $# -lt 1 ]; then
+	echo "USAGE: $COMMAND [options] <OpenID Connect confinguration URL>"
+        echo ""
+        echo "Configures NGINX Plus OpenID Connect reference implementation by using the IdP's Discovery interface"
+        echo ""
+        echo " URL typically ends with '/openid-configuration'"
+        echo " Options:"
+        echo " -k | --auth_jwt_key <file|request>  # Use auth_jwt_key_file (default) or auth_jwt_key_request (R17+)"
+        echo " -i | --client_id <id>               # Client ID as obtained from OpenID Connect Provider"
+        echo " -s | --client_secret <secret>       # Client secret as obtained from OpenID Connect Provider"
+	echo " -x | --insecure                     # Do not verify IdP's SSL certificate"
+	echo " -d | --dry_run                      # Produce configuration to stdout without modifying frontend.conf"
+        echo ""
+	exit 1
+fi
+
+# Process command line options
+#
+DO_JWKS_URI=0
+CLIENT_ID=""
+CLIENT_SECRET=""
+SED_OPT="-i.ORIG "
+while [ $# -gt 1 ]; do
+	case "$1" in
+		"-k" | "--auth_jwt_key")
+			if [ "$2" == "request" ]; then
+				DO_JWKS_URI=1
+			elif [ "$2" != "file" ]; then
+				echo "$COMMAND: ERROR: Valid arguments to $1 are 'file' or 'request'"
+				exit 1
+			fi
+			shift; shift
+			;;
+		"-i" | "--client_id" | "--client-id")
+			CLIENT_ID=$2
+			shift; shift
+			;;
+		"-s" | "--client_secret" | "--client-secret")
+			CLIENT_SECRET=$2
+			shift; shift
+			;;
+		"-x" | "--insecure" )
+			CURL_OPT="-k "
+			WGET_OPT="--no-check-certificate "
+			shift
+			;;
+		"-d" | "--dry_run" | "--dry-run")
+			SED_OPT=""
+			shift
+			;;
+		*)
+			echo "$COMMAND: ERROR: Invalid command line option ($1) - quitting"
+			exit 1
+			;;
+	esac
+done
+IDP_URL=$1
+
+# Check for dependencies
+#
+hash jq 2> /dev/null
+if [ $? -ne 0 ]; then
+	echo "$COMMAND: ERROR: 'jq' must be installed"
+	jq
+	exit 1
+fi
+
+for http_cli in  "wget ${WGET_OPT}-q -O -" "curl ${CURL_OPT}-sS"; do
+	hash ${http_cli%% *} 2> /dev/null # Remove chars beyond space
+	if [ $? -eq 0 ]; then
+		GET_URL=$http_cli
+		break #for
+	fi
+done
+if [ "$GET_URL" == "" ]; then
+	echo "$COMMAND: ERROR: 'curl' or 'wget' must be installed to download configuration data"
+	exit 1
+fi
+
+# Download the OpenID Connect Discovery document
+$GET_URL $IDP_URL > /tmp/${COMMAND}_$$_json
+
+# Test for exit error
+if [ $? -ne 0 ]; then
+	echo "$COMMAND: ERROR: Unable to connect to $IDP_URL"
+	cat /tmp/${COMMAND}_$$_json
+	rm /tmp/${COMMAND}_$$_json
+	exit 1
+fi
+
+# Test for valid JSON object
+jq -r .authorization_endpoint < /tmp/${COMMAND}_$$_json 2>&1 | grep -c ^http > /dev/null
+if [ $? -ne 0 ]; then
+	echo "$COMMAND: ERROR: $IDP_URL returned invalid OpenID Connect Discovery document"
+	cat /tmp/${COMMAND}_$$_json
+	rm /tmp/${COMMAND}_$$_json
+	exit 1
+fi
+
+# Build an intermediate configuration file (will be converted to sed(1) command file.
+# File format is: <NGINX variable name><space><IdP value>
+#
+jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf
+
+# Create a random value for HMAC key, adding to the base mapping file
+echo "\$oidc_hmac_key `openssl rand -base64 18`" >> /tmp/${COMMAND}_$$_conf
+
+# Add client ID and secret to the base mapping file (if provided)
+if [ "$CLIENT_ID" != "" ]; then
+	echo "\$oidc_client $CLIENT_ID" >> /tmp/${COMMAND}_$$_conf
+fi
+if [ "$CLIENT_SECRET" != "" ]; then
+	echo "\$oidc_client_secret $CLIENT_SECRET" >> /tmp/${COMMAND}_$$_conf
+fi
+
+# Fetch or configure the JWK file depending on configuration input
+# Also apply appropriate auth_jwt_key_ configuration directive.
+# NB: auth_jwt_key_request requires NGINX Plus R17 or later
+#
+JWKS_URI=`jq -r .jwks_uri < /tmp/${COMMAND}_$$_json`
+if [ $DO_JWKS_URI -eq 0 ]; then
+	echo "$COMMAND: NOTICE: Downloading $CONFDIR/idp_jwk.json"
+	$GET_URL $JWKS_URI > $CONFDIR/idp_jwk.json
+	if [ $? -ne 0 ] || [ ! -s $CONFDIR/idp_jwk.json ]; then
+		echo "$COMMAND: ERROR: Failed to download from $JWKS_URI"
+		cat $CONFDIR/idp_jwk.json
+		exit 1
+	fi
+	echo "\$oidc_jwt_keyfile conf.d/idp_jwk.json" >> /tmp/${COMMAND}_$$_conf
+	echo "s/#\(auth_jwt_key_file\)/\1/" > /tmp/${COMMAND}_$$_sed # Uncomment
+	echo "s/ \(auth_jwt_key_request\)/ #\1/" >> /tmp/${COMMAND}_$$_sed # Comment-out
+else
+	echo "\$oidc_jwt_keyfile $JWKS_URI" >> /tmp/${COMMAND}_$$_conf
+	echo "s/ \(auth_jwt_key_file\)/ #\1/" > /tmp/${COMMAND}_$$_sed # Comment-out
+	echo "s/#\(auth_jwt_key_request\)/\1/" >> /tmp/${COMMAND}_$$_sed # Uncomment
+fi
+
+# Build the sed(1) command file (requires a lot of escaping)
+#
+sed -e "s/\//\\\\\//g" /tmp/${COMMAND}_$$_conf | awk '{print "s/\\("$1"\\) \\(.*\\);/\\1 \""$2"\";/"}' >> /tmp/${COMMAND}_$$_sed
+
+# Perform the substitutions on frontend.conf
+#
+echo "$COMMAND: NOTICE: Configuring $CONFDIR/frontend.conf"
+sed ${SED_OPT}-f /tmp/${COMMAND}_$$_sed $CONFDIR/frontend.conf
+
+if [ $? -eq 0 ]; then
+	echo "$COMMAND: NOTICE: Success - test configuration with 'nginx -t'"
+	rm /tmp/${COMMAND}_$$_*
+else
+	echo "$COMMAND: ERROR: Configuration failed, check intermediate files `ls -1 /tmp/${COMMAND}_$$_* | tr '\n' ' '`"
+fi

frontend.conf

@@ -13,6 +13,9 @@ js_include conf.d/openid_connect.js;
 js_set $requestid_hash hashRequestId;
 js_set $auth_token getAuthToken;
 
+# Caching for JWT keys when using 'auth_jwt_key_request' with NGINX Plus R17+
+proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:1m max_size=10m;
+
 # The frontend server - reverse proxy with OpenID Connect authentication
 #
 server {
@@ -22,7 +25,7 @@ server {
     resolver 8.8.8.8; # For DNS lookup of IdP endpoints;
     subrequest_output_buffer_size 32k; # To fit a complete tokenset response
 
-    set $oidc_jwt_keyfile     /etc/nginx/my_idp_jwk.json;
+    set $oidc_jwt_keyfile     /etc/nginx/my_idp_jwk.json; # URL when using 'auth_jwt_key_request'
     set $oidc_authz_endpoint  "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth";
     set $oidc_token_endpoint  "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token";
     set $oidc_client          "my-client-id";
@@ -36,6 +39,7 @@ server {
         # This site is protected with OpenID Connect
         auth_jwt "" token=$cookie_auth_token;
         auth_jwt_key_file $oidc_jwt_keyfile;
+        #auth_jwt_key_request /_jwks_uri; # Requires NGINX Plus R17+
 
         # Absent/invalid OpenID Connect token will (re)start auth process
         error_page 401 @oidc_auth;
@@ -46,6 +50,7 @@ server {
         proxy_pass http://my_backend; # The backend site/app
 
         access_log /var/log/nginx/access.log main_jwt;
+        error_log  /var/log/nginx/oidc_error.log info;
     }
 }
 

openid_connect.server_conf

@@ -1,3 +1,20 @@
+    location = /_jwks_uri {
+	# This is where the JSON Web Key Set is fetched from the IdP and cached
+        internal;
+        proxy_cache jwk;
+        proxy_pass $oidc_jwt_keyfile;
+
+        # This configuration ignores all response headers that influence caching,
+        # and instead sets a fixed validity period before the JWK is re-fetched.
+        # See http://nginx.org/r/proxy_cache for all configuration options
+        proxy_cache_valid 200 12h;
+        proxy_cache_lock on;
+        proxy_cache_use_stale error timeout updating;
+        proxy_ignore_headers Cache-Control;
+        proxy_ignore_headers Expires;
+        proxy_ignore_headers Set-Cookie;
+    }
+
     location @oidc_auth {
         # Redirect this request to the OpenID Connect identity provider login page for this server{}
         # Using authorization code flow (nonce sent to IdP is hash of $request_id)
@@ -53,7 +70,6 @@
         #  https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
         internal;
         auth_jwt "" token=$arg_token;
-        auth_jwt_key_file $oidc_jwt_keyfile;
         js_content validateIdToken;
 
         error_log  /var/log/nginx/oidc_error.log debug;