Closed
Description
Background:
- The current NJS implementation disregards the `access_token` sent by the IdP and stores only the `id_token` in the NGINX Plus K/V store.
- Token recommendation:

| When using | Do | Don't |
| --- | --- | --- |
| ID Token | Assume the user is authenticated | Call an API |
| | Get user profile data | Check if the client is allowed to access something |
| Access Token | Call an API | Inspect its content on the client |
| | Check if the client is allowed to access something | Inspect its content on the server side |
Acceptance Criteria:
- Enhance the NJS code to capture the `access_token` sent by the IdP.
- Store the `access_token` in the K/V store in the same way the `id_token` and `refresh_token` are stored.
Compatibility:
- This issue will not block existing features: no existing variables are changed, and the work only adds a feature.
Activity
shawnhankim commented on Nov 1, 2022
Task Steps:
Title changed from "Capture access_token from IDP and forward it to the upstream service" to "Capture access_token from IdP and forward it to the upstream service"
shawnhankim commented on Nov 6, 2022
Out of scope:
- [Validate the] `access_token` as you do to validate the `id_token`.
- [Set the] `session cookie` after you store the token(s) in the K/V store and send it back to the client app.
- [When the] `session cookie` is presented back to NGINX Plus, verify the session is present in the K/V store and verify both token(s) are still valid.
- [Pass the] `access_token` to the backend service in the `Authorization` header.
Assumptions:
- [Use the] `access_token` as JWT; opaque tokens are not supported for now.
Misc.:
Title changed from "Capture access_token from IdP and forward it to the upstream service" to "Capture access_token from IdP to forward it to the upstream service"
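The capture-and-store step from the acceptance criteria, together with the JWT-only assumption from the Nov 6 comment, as an added example; this is not code from the issue or from the nginx-openid-connect project. It mimics what an NJS code-exchange handler would do once the token subrequest returns: parse the IdP's JSON token response, refuse a response that has no `id_token`, check that the `access_token` is at least shaped like a JWT (three base64url segments whose first segment is a JSON header; an opaque token is reported instead of stored, per the assumption), and write all three tokens into keyval-backed request variables the same way the `id_token` and `refresh_token` already are. The variable names `new_id_token`, `new_refresh` and `new_access_token`, the function names `captureTokenset` and `looksLikeJwt`, and the sample token response are assumptions made for this example; a plain object stands in for NJS's `r` so the code runs under Node. The shape check is not validation: signature and claim checks are the step the comment leaves out of scope.

```javascript
// Added example, not the project's code. Assumes nginx.conf declares keyval
// variables named new_id_token, new_refresh and new_access_token (hypothetical
// names) and that `r.variables` is NJS's writable variable map. A plain object
// stands in for `r` so this runs under Node without NGINX.

// Structural check only: three non-empty base64url segments and a JSON header
// carrying an "alg" string. Nothing here verifies a signature or any claim.
function looksLikeJwt(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some(p => p.length === 0)) return false;
  if (!parts.every(p => /^[A-Za-z0-9_-]+$/.test(p))) return false;
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    return typeof header === 'object' && header !== null && typeof header.alg === 'string';
  } catch (e) {
    return false;
  }
}

// What a code-exchange handler would do after the /_token subrequest: parse the
// body, refuse a response without id_token, reject an opaque access_token, and
// only then write the tokens into the keyval-backed variables. Returns a result
// object instead of calling r.return() so the outcome can be inspected.
function captureTokenset(r, responseText) {
  let tokenset;
  try {
    tokenset = JSON.parse(responseText);
  } catch (e) {
    return { ok: false, error: 'token response is not valid JSON' };
  }
  if (tokenset.error) {
    return { ok: false, error: 'IdP returned error: ' + tokenset.error };
  }
  if (!tokenset.id_token) {
    return { ok: false, error: 'token response has no id_token' };
  }
  // Per the issue's assumption only a JWT-formatted access_token is supported;
  // an opaque one is surfaced to the caller rather than silently stored.
  if (tokenset.access_token !== undefined && !looksLikeJwt(tokenset.access_token)) {
    return { ok: false, error: 'access_token is not a JWT (opaque tokens not supported)' };
  }
  // Store access_token exactly as id_token and refresh_token are stored. An empty
  // string is written when a token is absent (assumed to clear the keyval entry).
  r.variables.new_id_token = tokenset.id_token;
  r.variables.new_refresh = tokenset.refresh_token || '';
  r.variables.new_access_token = tokenset.access_token || '';
  return { ok: true, hasAccessToken: Boolean(tokenset.access_token) };
}

// Constructed sample data (not real IdP output). The JWT is an unsigned
// placeholder: header, payload and a dummy third segment, enough for the
// structural check and nothing more.
function b64url(s) { return Buffer.from(s, 'utf8').toString('base64url'); }
const FAKE_JWT = [
  b64url('{"alg":"RS256","kid":"k1"}'),
  b64url('{"sub":"alice","aud":"api"}'),
  b64url('not-a-signature')
].join('.');
const SAMPLE_RESPONSE = JSON.stringify({
  token_type: 'Bearer',
  id_token: FAKE_JWT,
  access_token: FAKE_JWT,
  refresh_token: 'rt-0123',
  expires_in: 3600
});

// Stand-in for the NJS request object.
function makeRequest() { return { variables: {} }; }

// Runs the happy path and the opaque-token path and returns both outcomes.
function runDemo() {
  const good = makeRequest();
  const goodResult = captureTokenset(good, SAMPLE_RESPONSE);
  const opaque = makeRequest();
  const opaqueResult = captureTokenset(
    opaque,
    JSON.stringify({ id_token: FAKE_JWT, access_token: 'opaque-abc123', refresh_token: 'rt-9' })
  );
  return { goodResult, goodVars: good.variables, opaqueResult, opaqueVars: opaque.variables };
}
```

Each of the three variables needs its own `keyval` directive backed by a `keyval_zone` in nginx.conf so that the assignment in `captureTokenset` persists across requests; without that, assigning `r.variables.new_access_token` fails because the variable is not writable.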