# This is the backend application we are protecting with OpenID Connect.
# Requests are only proxied here from the 'location /' block below, after
# auth_jwt has accepted the session token. The backend therefore has to be
# unreachable by clients directly -- otherwise the 'username' header set on the
# proxied request can simply be spoofed. NOTE(review): this file cannot enforce
# that; restrict 10.0.0.1:80 to this proxy at the network/host-firewall level.
upstream my_backend {
    zone my_backend 64k;   # shared-memory zone so all worker processes share upstream state
    server 10.0.0.1:80;    # plain HTTP on this hop: the backend sees the 'sub' claim in clear
}
# Subrequest size should be enough to handle the JWT payload.
# The token-endpoint response fetched during the code exchange (see the njs
# functions below) is buffered in memory; a response larger than this is expected
# to fail the exchange rather than be truncated. NOTE(review): raise this if the
# IdP issues tokens with many claims or large signatures.
subrequest_output_buffer_size 8k;
# Custom access-log format: the stock 'main' layout with the JWT 'sub' claim
# ($jwt_claim_sub, derived from the token auth_jwt validated) inserted after the
# client address, next to $remote_user.
# $http_x_forwarded_for is copied verbatim from the request; it is
# client-controlled unless a trusted proxy in front of this server sets it, so
# do not treat it as the client identity when reading these logs.
log_format main_jwt '$remote_addr $jwt_claim_sub $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
# njs (nginScript) functions used by the Relying Party logic in
# conf.d/openid_connect.server_conf: the authorization-code exchange and the
# hashing used for secure nonce validation. js_include should precede the
# js_set lines that reference its functions.
# NOTE(review): js_include was superseded by js_import in later njs releases;
# keep as-is unless the bundled openid_connect.js is updated to export a module.
js_include conf.d/openid_connect.js;
# Keyed hash of the request id, used for nonce/state validation -- presumably
# keyed with $oidc_hmac_key from the server block; verify in openid_connect.js.
js_set $requestid_hash hashRequestId;
# Performs the code-for-token exchange and yields the session token value.
js_set $auth_token getAuthToken;
# The frontend server - reverse proxy with OpenID Connect authentication.
#
# Flow: a request without a valid 'auth_token' cookie gets 401 from auth_jwt,
# which is turned into the IdP redirect by the @oidc_auth named location
# (defined in the included server_conf, not visible here). After the code
# exchange the session token lands in the cookie and subsequent requests are
# proxied to my_backend.
server {
    include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing

    # OpenID Connect Provider (IdP) configuration.
    # The JWK file is static: when the IdP rotates its signing keys this file
    # must be refreshed, otherwise freshly issued tokens are rejected.
    set $oidc_jwt_keyfile /etc/nginx/my_idp_jwk.json;
    # Placeholder endpoints for a local Keycloak on the loopback interface.
    # The authz endpoint is a browser redirect target, so 127.0.0.1 only works
    # when the browser runs on this host; the token endpoint carries the client
    # secret, so in production both must be https:// URLs on the real IdP host.
    set $oidc_authz_endpoint "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth";
    set $oidc_token_endpoint "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token";
    set $oidc_client "my-client-id";
    # Secret in plaintext in the config: keep this file readable by root only,
    # or move it into an included file with restrictive permissions.
    set $oidc_client_secret "my-client-secret";
    set $oidc_token_type "id_token"; # Session token (access_token or id_token)
    # Key for the hash used in nonce/state validation. "ChangeMe" is a
    # placeholder and must be replaced with a random value before deployment.
    # Presumably it has to be shared by all nodes of one cluster (so any node
    # can validate state created by another) and differ between clusters --
    # verify against openid_connect.js.
    set $oidc_hmac_key "ChangeMe"; # This should be unique for every NGINX instance/cluster

    listen 8010; # Use SSL/TLS in production -- over this plain listener the session cookie travels in clear

    location / {
        # This site is protected with OpenID Connect: the session token is read
        # from the 'auth_token' cookie and verified against the IdP's JWK set.
        # NOTE(review): auth_jwt validates the signature and the time-based
        # claims; nothing visible here checks that 'aud' matches $oidc_client
        # or that 'iss' is the expected IdP. Unless the included server_conf
        # does, a token this IdP issued for a different client would also be
        # accepted -- confirm, and add an audience check if it is missing.
        auth_jwt "" token=$cookie_auth_token;
        auth_jwt_key_file $oidc_jwt_keyfile;

        # Absent/invalid OpenID Connect token will (re)start auth process
        error_page 401 @oidc_auth;

        # Successfully authenticated users are proxied to the backend, with the
        # 'sub' claim passed as HTTP header. proxy_set_header replaces any
        # 'username' header the client itself sent, so the backend can trust
        # the value -- but only if the backend is reachable solely through
        # this proxy.
        proxy_set_header username $jwt_claim_sub;
        proxy_pass http://my_backend; # The backend site/app
        access_log /var/log/nginx/access.log main_jwt;
    }
}
# vim: syntax=nginx