Feat/7781 OIDC front channel logout #8340

javorszky · 2025-10-02T15:18:45Z

Proposed changes

Adapts the oidc reference implementation of the front channel logout for NIC.

updates the oidc javascript to what the current version is as of writing this PR (nginxinc/nginx-openid-connect@24d53f9)
adds the necessary route for front channel logout
modifies the virtualserver template so the idp_sid variable is present and keyvaled
adds snapshot test

I'm not able to add automated test for it however. CSP is preventing the front channel logout url being called from within an iframe on the keycloak logout page.

This might change pending review.

Manual testing steps

Installation / deployment

Requirements:

keycloak deployed
nginx-ingress deployed
two example apps deployed into separate virtualservers (and therefore separate domains)

Once those steps are, log into keycloak, create two confidential clients, which means the Client Authentication needs to be turned on:

Set the front channel logout to on, and turn the front channel session required on, and add the URL keycloak should use: https://client-domain/front_channel_logout. The path /front_channel_logout is hardcoded in the nginx settings in NIC.

Set this up for both of the clients, and grab the client secret for both of them. Using the client secrets, create two new k8s client secrets with the base64'd values for them, and apply those to the k8s cluster.

Then adjust the oidc policies for the clients (change the client names and client secret references and make sure that the realm and namespace is correct, especially paying attention to where you deployed keycloak), deploy those.

In keycloak also set up a regular user that you will use to log into the applications via keycloak.

Login / logout flow

Open the two different apps on their own domains in the same browser session making sure it's a separate browser session from where you are logged into keycloak with admin. By that I mean:

use the same browser (firefox-firefox or chrome-chrome or edge-edge)
use the same privacy settings, so don't open one normally, the other in a private tab / window, because they won't share session cookies. Two private tabs in the same browser will share session data between them
if you are logged into keycloak admin in one browser, use a different browser, or use the other privacy setting (ie if you're logged into keycloak admin in firefox normal, either use edge, or firefox privacy to log into keycloak). Basically you want to make sure that when the apps want to log into keycloak using OIDC, your admin session is not already there

Once you're logged into both applications with your user, go back to the keycloak admin in the other session context and look at the active sessions in keycloak:

Front channel logout terminates the session that you're logged in with.

Now normally you could go to either app's /logout URL, and it should log you out of every client that

has front channel logout set up, and
shares the same session

But if you actually do it in a modern browser, that's not going to happen. You briefly see that during the logout process keycloak's logout endpoint is getting called, then you're redirected back to the application that says "You're logged out" only to find that when you reload the page, you're logged in again.

This happens because:

keycloak should render the front channel logout iframes on the logout page, but
those do not get called because content-security-policy in browsers prevent an inframe request to go to a domain other than itself, or just wholesale prevent it, and
keycloak doesn't set the relevant content security policy headers so browsers would allow those requests to go through
which is why you don't see the incoming requests to /front_channel_logout anywhere in the nginx-ingress pod, or the application pods
and because you have an active session for the other application, and the oidc js polls active sessions
your terminated session for the first application gets restored very shortly

In order to veryify that it should be working, you need to open keycloak's realm logout url (rather than application logout url) and have it render the page, look in the source code, and find the iframes. If you deployed keycloak with host keycloak.example.com, the realm logout url is:

https://keycloak.example.com/realms/master/protocol/openid-connect/logout

On that page once it asks you if you want to log out and you click yes, you're taken to the logged out page.

What you'll notice in the network tab (if you had that open and set logs to be persisted) are two requests to the front channel logout urls for each clients that are blocked due to CSP:

And just to double check that the invisible iframes are there:

In order to see the list of clients, each client needs to have their name (not just their ID) set. Without the name the individual list items would look empty, because the only element would be the invisible iframes (display: none;).

At this point if you reload the applications you will note that they are logged out, but that's because the apps poll for session, and invalidates the local session cookie that way; they were not logged out because of the front channel logout.

You can grab the URL that the iframes wanted to visit and call that, it will succeed, but at that point it's no longer important because the applications have been logged out.

What could be done

CSP headers should be set to allow requests to the client. In keycloak's case, and the example deployment here the extra header should be:

Content-Security-Policy: "default-src 'self'; frame-src 'self' example.com";

I can't get this working with http-snippets for the virtualserver for the idp.

Gotchas

front channel logout doesn't work usually due to content security policy, unless you can get the idp to send a Content-Security-Policy header that permits the browser to make the GET requests in the iframes. By default they won't do it. The OIDC Front Channel Logout spec knows about this in point 4.1: https://openid.net/specs/openid-connect-frontchannel-1_0.html#ThirdPartyContent. Their recommendation is to use back channel logout
when the spec says "The OP renders <iframe src="frontchannel_logout_uri"> in a page with the registered logout URI as the source to trigger the logout actions by the RP.", it means that the iframes for the clients render on the OP (OpenID Provider) logout page, in this case keycloak. During the logout flow from any one application, one of the redirects is to the OP's (keycloak's) logout page
because NIC's implementation of the OIDC, the applications poll anyways, which means if the session is terminated on the OP's side (in keycloak) without also terminating it on the application's domain, the application will pick up the fact that they have been logged out and will restart the authentication flow
front channel logout will log out of the same session, not for all sessions for a given user, which is why you need to remain in the same browser

Checklist

Before creating a PR, run through this checklist and mark each as complete.

I have read the CONTRIBUTING doc
I have added tests that prove my fix is effective or that my feature works
I have checked that all unit tests pass after adding my changes
I have updated necessary documentation
I have rebased my branch onto main
I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

codecov · 2025-10-02T15:23:44Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.34%. Comparing base (223bc06) to head (786b792).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8340   +/-   ##
=======================================
  Coverage   53.34%   53.34%           
=======================================
  Files          91       91           
  Lines       22379    22379           
=======================================
  Hits        11937    11937           
  Misses       9934     9934           
  Partials      508      508

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

internal/configs/version2/nginx-plus.virtualserver.tmpl

github-actions · 2025-10-02T15:39:20Z

Package Report

gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx, 1.29.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-module-njs, 1.29.1+0.9.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-module-otel, 1.29.1+0.1.2-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-agent, 3.3.2~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx, 1.29.1-1~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-module-njs, 1.29.1+0.9.1-1~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-module-otel, 1.29.1+0.1.2-1~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-agent, 3.3.2~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus, 35-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-agent, 3.3.2~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus, 35-1~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-njs, 35+0.9.1-1~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-otel, 35+0.1.2-1~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-fips-check, 35+0.1-1~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-agent, 3.3.2~bookworm, arm64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus, 35-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-appprotect, 35+5.498.0-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect, 35+5.498.0-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-attack-signatures, 2025.09.30-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-threat-campaigns, 2025.09.29-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-agent, 2.43.0~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus, 35-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-appprotect, 35+5.498.0-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-module-plus, 35+5.498.0-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-plugin, 6.20.0-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-agent, 2.43.0~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus, 35-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-appprotectdos, 35+4.7.3-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-dos, 35+4.7.3-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus, 35-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-njs, 35+0.9.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-otel, 35+0.1.2-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-fips-check, 35+0.1-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-appprotect, 35+5.498.0-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect, 35+5.498.0-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-attack-signatures, 2025.09.30-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-threat-campaigns, 2025.09.29-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-plus-module-appprotectdos, 35+4.7.3-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, app-protect-dos, 35+4.7.3-1~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03, nginx-agent, 2.43.0~bookworm, amd64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx, 1.29.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-module-njs, 1.29.1.0.9.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-module-otel, 1.29.1.0.1.2-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-agent, 3.3.2, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx, 1.29.1-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-module-njs, 1.29.1.0.9.1-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-module-otel, 1.29.1.0.1.2-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-agent, 3.3.2, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus, 35-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus-module-njs, 35.0.9.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus-module-otel, 35.0.1.2-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus-module-fips-check, 35.0.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-agent, 3.3.2, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus, 35-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus-module-njs, 35.0.9.1-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus-module-otel, 35.0.1.2-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-plus-module-fips-check, 35.0.1-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine, nginx-agent, 3.3.2, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus, 35-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-agent, 3.3.2, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus, 35-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-agent, 3.3.2, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus, 35-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-agent, 2.43.0, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-appprotect, 35.5.498.0-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, app-protect, 35.5.498.0-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, app-protect-attack-signatures, 2025.09.30-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, app-protect-threat-campaigns, 2025.09.29-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus, 35-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-njs, 35.0.9.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-otel, 35.0.1.2-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-fips-check, 35.0.1-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-agent, 2.43.0, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, nginx-plus-module-appprotect, 35.5.498.0-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, app-protect-module-plus, 35.5.498.0-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-alpine-fips, app-protect-plugin, 6.20.0-r1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx, 1.29.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-module-njs, 1.29.1+0.9.2-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-module-otel, 1.29.1+0.1.2-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-agent, 3.3.2-1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx, 1.29.1-1.el9.ngx, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-module-njs, 1.29.1+0.9.2-1.el9.ngx, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-module-otel, 1.29.1+0.1.2-1.el9.ngx, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-agent, 3.3.2-1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus, 35-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-agent, 3.3.2-1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus, 35-1.el9.ngx, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-agent, 3.3.2-1, aarch64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus, 35-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-agent, 2.43.0-1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-appprotect, 35+5.498.0-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect, 35+5.498.0-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-attack-signatures, 2025.09.30-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-threat-campaigns, 2025.09.29-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus, 35-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-agent, 2.43.0-1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-appprotect, 35+5.498.0-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-module-plus, 35+5.498.0-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-plugin, 6.20.0-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus, 35-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-njs, 35+0.9.1-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-otel, 35+0.1.2-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-fips-check, 35+0.1-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-agent, 2.43.0-1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-appprotect, 35+5.498.0-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, app-protect, 35+5.498.0-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, app-protect-attack-signatures, 2025.09.30-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, app-protect-threat-campaigns, 2025.09.29-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus, 35-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-njs, 35+0.9.1-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-otel, 35+0.1.2-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-fips-check, 35+0.1-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-agent, 2.43.0-1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, nginx-plus-module-appprotect, 35+5.498.0-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, app-protect-module-plus, 35+5.498.0-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi8, app-protect-plugin, 6.20.0-1.el8.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus, 35-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-appprotectdos, 35+4.7.3-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-dos, 35+4.7.3-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus, 35-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-njs, 35+0.9.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-otel, 35+0.1.2-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-fips-check, 35+0.1-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-appprotect, 35+5.498.0-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-plus-module-appprotectdos, 35+4.7.3-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, nginx-agent, 2.43.0-1, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect, 35+5.498.0-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-attack-signatures, 2025.09.30-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-threat-campaigns, 2025.09.29-1.el9.ngx, x86_64
gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress:t-23ed9c6869ab326b8e5c881a1eab5d03-ubi, app-protect-dos, 35+4.7.3-1.el9.ngx, x86_64

Copilot

Pull Request Overview

This PR implements OpenID Connect Front-Channel Logout functionality for NIC by adapting the NGINX reference implementation. It adds support for IdPs to initiate logout across multiple client applications sharing the same session.

Updates the OIDC JavaScript implementation to the latest version with enhanced error handling and front-channel logout support
Adds the /front_channel_logout endpoint and session ID mapping infrastructure
Updates Keycloak test configuration to version 26.4 with new authentication environment variables

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
internal/configs/oidc/openid_connect.js	Updates OIDC JavaScript to latest version with front-channel logout handler and improved error handling
internal/configs/oidc/oidc.conf	Adds front-channel logout endpoint configuration
internal/configs/oidc/oidc_common.conf	Adds keyval zone for session ID mapping
internal/configs/version2/nginx-plus.virtualserver.tmpl	Adds session ID keyval mapping for OIDC configurations
tests/data/common/app/keycloak/app.yaml	Updates Keycloak to version 26.4 with new environment variables
tests/suite/test_oidc.py	Removes unused keycloak_src variable
internal/configs/version2/snapshots/templates_test.snap	Updates snapshot test for new keyval configuration

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

javorszky requested a review from a team as a code owner October 2, 2025 15:18

github-actions bot added enhancement Pull requests for new features/feature enhancements python Pull requests that update Python code labels Oct 2, 2025

pdabelf5 reviewed Oct 2, 2025

View reviewed changes

internal/configs/version2/nginx-plus.virtualserver.tmpl Show resolved Hide resolved

danielnginx requested a review from Copilot October 3, 2025 09:35

Copilot AI reviewed Oct 3, 2025

View reviewed changes

javorszky added 8 commits October 3, 2025 13:59

Update the openid-connect.js to current latest version

232dc08

Update pytest keycloak from 25.0.2 to 26.3

d6a2cc2

Remove unused variable from test_oidc.py

85a6cc6

Add front channel logout configs to oidc conf

566777f

Move the idp sid keyval into virtualserver template

a382df0

Update keycloak image version and env vars

f207226

Fix virtualserver template and snaps

9534217

Keycloak 26.4 uses button type submit

26e2c26

javorszky force-pushed the feat/7781-oidc-front-channel-logout branch from 44acccb to 26e2c26 Compare October 3, 2025 12:59

pdabelf5 approved these changes Oct 3, 2025

View reviewed changes

AlexFenlon approved these changes Oct 3, 2025

View reviewed changes

Merge branch 'main' into feat/7781-oidc-front-channel-logout

786b792

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Feat/7781 OIDC front channel logout #8340

Feat/7781 OIDC front channel logout #8340

Uh oh!

javorszky commented Oct 2, 2025 •

edited

Loading

Uh oh!

codecov bot commented Oct 2, 2025 •

edited

Loading

Uh oh!

Uh oh!

github-actions bot commented Oct 2, 2025

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Feat/7781 OIDC front channel logout #8340

Are you sure you want to change the base?

Feat/7781 OIDC front channel logout #8340

Uh oh!

Conversation

javorszky commented Oct 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed changes

Manual testing steps

Installation / deployment

Login / logout flow

What could be done

Gotchas

Checklist

Uh oh!

codecov bot commented Oct 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

github-actions bot commented Oct 2, 2025

Package Report

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

javorszky commented Oct 2, 2025 •

edited

Loading

codecov bot commented Oct 2, 2025 •

edited

Loading