
Capture access_token from IdP to forward it to the upstream service #4

Closed

Description

@shawnhankim
Member

Background:

  • The current NJS implementation disregards the access_token sent by the IdP and only stores the id_token in the NGINX Plus K/V store.

  • Token Recommendation

    | When Using   | Do                                                                                                                  | Don't                                                            |
    |--------------|---------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|
    | ID Token     | Assume the user is authenticated; get user profile data                                                             | Call an API; check if the client is allowed to access something |
    | Access Token | Call an API; check if the client is allowed to access something; inspect its content on the server side              | Inspect its content on the client                                |

    courtesy: ID Token and Access Token: What's the Difference?

Acceptance Criteria:

  • Enhance the NJS Code to capture the access_token sent by the IdP.
  • Store the access_token in the K/V store in the same way as we store id_token and refresh_token.

Compatibility:

  • This issue will not block the existing features as there would be no change of variables, and this is just to add features.

Activity


shawnhankim commented on Nov 1, 2022

@shawnhankim
Member, Author

Task Steps:

changed the title [-]Capture access_token from IDP and forward it to the upstream service[/-] [+]Capture access_token from IdP and forward it to the upstream service[/+] on Nov 1, 2022
self-assigned this on Nov 1, 2022

shawnhankim commented on Nov 6, 2022

@shawnhankim
Member, Author

Out of scope:

  • Validate the access_token as you do to validate the id_token
  • Create session cookie after you store the token(s) in the K/V store and send it back to the client App
  • When the session cookie is presented back to NGINX Plus, verify the session is present in the K/V store and verify both tokens are still valid.
  • Upon successful validation of the token(s), NGINX Plus proxies the access_token to the backend service in the Authorization header:
    Authorization: Bearer <access_token>

Assumptions:

  • The IdP is expected to issue the access_token as a JWT; opaque tokens are not supported for now.
  • It is expected that NGINX Plus would always verify the tokens' validity and integrity before sending them to the client or backend.

Misc.:

  • The above scope items will be enhanced separately in another PR.
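The capture-and-store step from the acceptance criteria, together with the JWT-only assumption in this comment, as an added example in plain Node.js (not the project's NJS code): the `kv` Map stands in for the NGINX Plus K/V store, and the session key layout and function names are assumptions.

```javascript
// Added example (not the project's NJS code). A Map stands in for the NGINX Plus K/V store; names are assumptions.

// Base64url-decode one JWT segment to a UTF-8 string.
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Return the decoded payload when `token` has the header.payload.signature shape of a JWT, else null.
// Shape check only: signature and claim validation are out of scope here, as the issue says.
function jwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3 || !parts[0] || !parts[1]) return null;
  try {
    JSON.parse(b64urlDecode(parts[0])); // header must at least be JSON
    const payload = JSON.parse(b64urlDecode(parts[1]));
    return payload !== null && typeof payload === 'object' ? payload : null;
  } catch (e) {
    return null;
  }
}

// Capture the IdP token-endpoint response; store access_token under the same session key
// as id_token and refresh_token. An opaque access_token is rejected per the issue's assumption.
function storeTokens(kv, sessionId, tokenResponse) {
  const { id_token, access_token, refresh_token } = tokenResponse;
  if (!jwtPayload(id_token)) throw new Error('id_token missing or not a JWT');
  if (!jwtPayload(access_token)) throw new Error('access_token missing or not a JWT (opaque tokens unsupported)');
  kv.set(`${sessionId}:id_token`, id_token);
  kv.set(`${sessionId}:access_token`, access_token);
  if (refresh_token) kv.set(`${sessionId}:refresh_token`, refresh_token);
  return { id_token, access_token, refresh_token: refresh_token || null };
}

// Header NGINX Plus would send upstream for a stored session, or null if no token is stored.
function upstreamAuthHeader(kv, sessionId) {
  const token = kv.get(`${sessionId}:access_token`);
  return token ? `Bearer ${token}` : null;
}

// Constructed sample token: JWT shape with a placeholder signature segment,
// enough to exercise the shape check above but not a valid signature.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-sig`;
}
```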
changed the title [-]Capture access_token from IdP and forward it to the upstream service[/-] [+]Capture access_token from IdP to forward it to the upstream service[/+] on Nov 9, 2022
linked a pull request that will close this issue: feat: capture access token from IdP #7, on Nov 9, 2022