Merged
3 changes: 3 additions & 0 deletions README.md
@@ -190,6 +190,8 @@ Manual configuration involves reviewing the following files so that they match y
* No changes are usually required here
* Modify the `resolver` directive to match a DNS server that is capable of resolving the IdP defined in `$oidc_token_endpoint` and `$oidc_end_session_endpoint`
* If using [`auth_jwt_key_request`](http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html#auth_jwt_key_request) to automatically fetch the JWK file from the IdP then modify the validity period and other caching options to suit your IdP
* TLS certificate verification for all IdP-bound requests (token, refresh, JWKS) is enabled by default. NGINX Plus uses the system CA bundle at `/etc/ssl/certs/ca-certificates.crt` (via [`proxy_ssl_trusted_certificate`](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_trusted_certificate)) to validate the IdP’s TLS certificate. If the IdP’s certificate is signed by a private or custom CA, append that CA to this bundle or update the `proxy_ssl_trusted_certificate` path accordingly.
* The [`proxy_ssl_verify_depth`](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify_depth) directive is set to **2** by default, allowing one intermediate CA in the chain. This is sufficient for most public IdPs.

* **openid_connect.js** - this is the JavaScript code for performing the authorization code exchange and nonce hashing
* No changes are required unless modifying the code exchange or validation process
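Review bot: The new README bullet presents `/etc/ssl/certs/ca-certificates.crt` as "the system CA bundle", but that path is the Debian/Ubuntu layout; RHEL/CentOS/Fedora ship the bundle at `/etc/pki/tls/certs/ca-bundle.crt` and Alpine at `/etc/ssl/certs/ca-certificates.crt` only when `ca-certificates` is installed. Since nginx loads `proxy_ssl_trusted_certificate` at configuration time, a missing file fails `nginx -t` and the reload, so the bullet should say the path is distribution-specific and must be adjusted before reload. Separately, the `proxy_ssl_verify_depth` bullet says depth 2 "allow[s] one intermediate CA", while the matching config comment in this PR says "intermediate CA chains of depth 2"; the two should agree, and because the directive is handed to OpenSSL's verify-depth setting, whose counting of the leaf and trust anchor has differed between OpenSSL releases, a safer wording is "limits the verified chain to depth 2 (see the directive documentation)" rather than a fixed number of intermediates.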
@@ -320,3 +322,4 @@ This reference implementation for OpenID Connect is supported for NGINX Plus sub
* **R28** Access token support. Added support for access token to authorize NGINX to access protected backend.
* **R32** Added support for `client_secret_basic` client authentication method.
* **R33** Refactor code to use async/await. Implement Front-Channel Logout endpoint.
* **R36** Enable TLS certificate verification for all IdP-bound requests by default.
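Review bot: The R36 changelog line should flag this as a behavior change with an upgrade note, not only a feature. Deployments whose IdP presents a certificate from a private CA, or whose host lacks the hard-coded bundle path, will start failing the JWKS fetch and the code/refresh exchanges with a 502 after upgrading. Suggest: "**R36** TLS certificate verification is now enforced for all IdP-bound requests (JWKS, token, refresh). Upgrading deployments with a private IdP CA must add it to the bundle referenced by `proxy_ssl_trusted_certificate`."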
19 changes: 16 additions & 3 deletions openid_connect.server_conf
@@ -13,7 +13,12 @@
proxy_cache jwk; # Cache the JWK Set received from IdP
proxy_cache_valid 200 12h; # How long to consider keys "fresh"
proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
proxy_ssl_server_name on; # For SNI to the IdP

proxy_ssl_verify on; # Enforce TLS certificate verification
proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
proxy_ssl_server_name on; # Send SNI to IdP host
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle

proxy_method GET; # In case client request was non-GET
proxy_set_header Content-Length ""; # ''
proxy_pass $oidc_jwt_keyfile; # Expecting to find a URI here
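Review bot: The interaction with the existing `proxy_cache_use_stale error timeout updating;` deserves a comment here: once verification is on, a TLS verify failure against the IdP is an upstream error, so a previously cached JWK Set keeps being served while `proxy_cache_valid 200 12h` has not expired, and the failure only surfaces in the error log as "upstream SSL certificate verify error". That is reasonable fail-safe behaviour for key rotation, but operators should know the JWKS block can hide a broken trust chain for up to 12 hours while the token endpoint (which is not cached) fails immediately. Also consider whether `proxy_ssl_trusted_certificate` should reference a variable or a small `include` file rather than a literal path, since this exact four-line block is repeated three times in this file.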
@@ -43,7 +48,11 @@
# Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
proxy_pass_request_headers off;

proxy_ssl_server_name on; # For SNI to the IdP
proxy_ssl_verify on; # Enforce TLS certificate verification
proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
proxy_ssl_server_name on; # Send SNI to IdP host
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle

proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization $arg_secret_basic;
proxy_pass $oidc_token_endpoint;
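Review bot: The `proxy_ssl_verify`/`proxy_ssl_verify_depth`/`proxy_ssl_server_name`/`proxy_ssl_trusted_certificate` group is now copied verbatim into three `location` blocks; a single file such as `conf.d/oidc_idp_tls.conf` pulled in with `include` would keep the settings from drifting and give operators one place to point at a private CA bundle. One more point worth a comment in this hunk: hostname verification of the IdP certificate relies on `proxy_ssl_name`, which defaults to the host part of the `proxy_pass` target, so it is correct only because `$oidc_token_endpoint` is a full URL with the IdP hostname; a note to that effect would stop someone from "simplifying" the `proxy_pass` into an upstream name later and silently losing hostname checking.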
@@ -58,7 +67,11 @@
# Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
proxy_pass_request_headers off;

proxy_ssl_server_name on; # For SNI to the IdP
proxy_ssl_verify on; # Enforce TLS certificate verification
proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
proxy_ssl_server_name on; # Send SNI to IdP host
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle

proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization $arg_secret_basic;
proxy_pass $oidc_token_endpoint;
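Review bot: This refresh-token block is byte-for-byte identical to the token-exchange block above it, so the same `include` suggestion applies. Beyond that, the PR description should record a negative test for the new default: point `$oidc_token_endpoint` at an IdP (or a local stand-in) presenting a certificate not chained to the configured bundle, confirm the refresh path returns 502 instead of completing, and confirm the error log carries the upstream certificate verify error. Without that test, a future change that drops `proxy_ssl_verify on` from one of these three copies would go unnoticed.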