| 1 | +# This is the backend application we are protecting with OpenID Connect |
| 2 | +upstream my_backend { |
| 3 | + zone my_backend 64k; |
| 4 | + server 10.0.0.1:80; |
| 5 | +} |
| 6 | + |
| 7 | +# Custom log format to include the 'sub' claim in the REMOTE_USER field |
| 8 | +log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status ' |
| 9 | + '$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; |
| 10 | + |
| 11 | +# JavaScript code for OpenID Connect |
| 12 | +js_include conf.d/openid_connect.js; |
| 13 | +js_set $requestid_hash hashRequestId; |
| 14 | + |
| 15 | +keyval_zone zone=opaque_sessions:1M state=conf.d/opaque_sessions.json timeout=1h; # CHANGE timeout to JWT/exp validity period |
| 16 | +keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h; # CHANGE timeout to refresh validity period |
| 17 | + |
| 18 | +keyval $cookie_auth_token $session_jwt zone=opaque_sessions; # Exchange cookie for JWT |
| 19 | +keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie for refresh token |
| 20 | +keyval $request_id $new_session zone=opaque_sessions; # For initial session creation |
| 21 | +keyval $request_id $new_refresh zone=refresh_tokens; # " |
| 22 | + |
| 23 | +# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user |
| 24 | +proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m; |
| 25 | + |
| 26 | +# The frontend server - reverse proxy with OpenID Connect authentication |
| 27 | +# |
| 28 | +server { |
| 29 | + include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing |
| 30 | + |
| 31 | + # OpenID Connect Provider (IdP) configuration |
| 32 | + resolver 8.8.8.8; # For DNS lookup of IdP endpoints; |
| 33 | + subrequest_output_buffer_size 32k; # To fit a complete tokenset response |
| 34 | + |
| 35 | + set $oidc_jwt_keyfile /etc/nginx/my_idp_jwk.json; # URL when using 'auth_jwt_key_request' |
| 36 | + set $oidc_logout_redirect "/_logout"; Where to send browser after requesting /logout location |
| 37 | + set $oidc_authz_endpoint "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth"; |
| 38 | + set $oidc_token_endpoint "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token"; |
| 39 | + set $oidc_client "my-client-id"; |
| 40 | + set $oidc_client_secret "my-client-secret"; |
| 41 | + set $oidc_hmac_key "ChangeMe"; # This should be unique for every NGINX instance/cluster |
| 42 | + |
| 43 | + listen 8010; # Use SSL/TLS in production |
| 44 | + |
| 45 | + location / { |
| 46 | + # This site is protected with OpenID Connect |
| 47 | + auth_jwt "" token=$session_jwt; |
| 48 | + auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename |
| 49 | + #auth_jwt_key_request /_jwks_uri; # Enable when using URL |
| 50 | + |
| 51 | + # Absent/invalid OpenID Connect token will (re)start auth process (including refresh) |
| 52 | + error_page 401 @oidc_auth; |
| 53 | + |
| 54 | + # Successfuly authenticated users are proxied to the backend, |
| 55 | + # with 'sub' claim passed as HTTP header |
| 56 | + proxy_set_header username $jwt_claim_sub; |
| 57 | + proxy_pass http://my_backend; # The backend site/app |
| 58 | + |
| 59 | + access_log /var/log/nginx/access.log main_jwt; |
| 60 | + } |
| 61 | +} |
| 62 | + |
| 63 | +# vim: syntax=nginx |
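Review bot: Line 36 of the new file drops the `#` before the trailing comment, so nginx will read `Where` as a directive and refuse to load the configuration; it should be `set $oidc_logout_redirect "/_logout"; # Where to send browser after requesting /logout location`. The comment on line 35 is also inverted for the value it annotates: `$oidc_jwt_keyfile` holds a local path used by `auth_jwt_key_file`, while the URL case is the commented-out `auth_jwt_key_request` on line 49, so something like `# Path when using 'auth_jwt_key_file'` would match. Lines 40-41 put a literal client secret and HMAC key into a checked-in configuration with only the HMAC key marked as placeholder; since the same file already flags the keyval timeouts with `# CHANGE`, the same marker on `$oidc_client_secret` (and a note that the real values belong in a file outside version control) would make it harder to deploy the sample values by accident. The plaintext `listen 8010` and `http://` IdP endpoints are acknowledged by the existing comments, so no further change is needed there beyond that.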