
feat: new endpoints(/login, /userinfo, /v2/logout) #11


Closed
wants to merge 3 commits into from

Conversation

shawnhankim (Member)

Issue Item:

Background:

  • Current NJS implementation doesn’t have /login and /userinfo endpoints for client apps (SPA) to interact with.
  • Client Apps require /login function as part of relying party when a user clicks on login button from the landing page.
  • Client Apps require /userinfo function as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps.
  • The existing /logout function is required to extend the sign-off function to the IdP's end_session_endpoint. Afterwards the NGINX Plus logout redirection URI (which the IdP redirects to after a successful logout from the IdP) can clear session cookies and redirect to either the original landing page or a custom logout page.

Description:

  • Added /userinfo endpoint:

    • Add a map variable of $oidc_userinfo_endpoint, the same as the authz and token endpoints, here (openid_connect_configuration.conf).
    • Expose the /userinfo endpoint here (openid_connect.server_conf) in a location block of NGINX Plus to interact with the IdP's userinfo_endpoint, which is defined in the endpoint of .well-known/openid-configuration.
    • The nginx location block should proxy to the IdP's userinfo_endpoint by adding the access_token as a bearer token:
      `Authorization: Bearer <access_token>`
    • The response coming from the IdP should be returned back to the caller as it is.
  • Exposed /login endpoint:

    • Expose the /login endpoint as a location block here (openid_connect.server_conf).
    • Proxy it to the existing IdP's authorization_endpoint configured in the map variable $oidc_authz_endpoint in (openid_connect_configuration.conf).
    • This would outsource the login function to the IdP as it is configured.
  • Exposed /v2/logout endpoint or enhance /logout endpoint:

    • Add a map variable of $oidc_end_session_endpoint, the same as the authz and token endpoints, here (openid_connect_configuration.conf).

    • Add a map of $post_logout_return_uri: after the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is the original page, based on the configuration of $redirect_base.

    • Exposed endpoints of /v2/logout and /v2/_logout

      • /v2/logout: NGINX Plus calls the IdP's end session endpoint ($oidc_end_session_endpoint) to finish the session at the IdP.
      • /v2/_logout (callback endpoint):
          1. Redirected to by the IdP when the IdP has successfully finished the session.
          2. NGINX Plus: clear session cookies.
          3. NGINX Plus: redirect to either the original landing page or the custom logout page by calling `$post_logout_return_uri`.
    • FYI: we can just enhance the endpoints /logout and /_logout without adding the new endpoints /v2/logout and /v2/_logout if this doesn't block existing customers, and if they can update this reference implementation in their configuration:

      • As-Is: the NJS implementation provides an example of clearing cookies and shows a simple logout message, so customers need to implement the full business logic to interact with the IdP's end session endpoint.
      • To-Be: existing customers can either keep the legacy business logic or replace the reference implementation from /v2/logout & /v2/_logout to /logout and /_logout.
    • Capture the logout endpoint (oidc_logout_endpoint) of the IdP in a map variable, the same as the authz and token endpoints, here (openid_connect_configuration.conf).

  • Split the quick start guide example out of this repo into an external repo to avoid confusion here.

Assumptions:

  • IdP is configured with $oidc_logout_redirect_uri at the time of creating the resource credentials along with /_codexch.
  • It is expected that NGINX Plus would always verify the token(s) validity and integrity before sending it to the client or backend.
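The logout exchange described above, as an added example that is not part of the PR or of the nginx-openid-connect project: a plain-JavaScript model of the two hops (/v2/logout to the IdP's end_session_endpoint, then the IdP's redirect back to /v2/_logout), assuming the map values named in the description, an id_token held for the session, and the hypothetical cookie names auth_token, auth_redir and auth_nonce. It also adds a same-origin check on $post_logout_return_uri that the description does not mention.

```javascript
// Added example, not code from the nginx-openid-connect project: models the
// /v2/logout -> IdP end_session_endpoint -> /v2/_logout exchange described in the PR.
// Assumed inputs: the map values $oidc_end_session_endpoint, $oidc_logout_redirect_uri,
// $post_logout_return_uri and $redirect_base, plus the session's id_token held by NGINX Plus.

// Session cookies the callback clears; the names are an assumption for this example.
const SESSION_COOKIES = ["auth_token", "auth_redir", "auth_nonce"];

// Step 1, /v2/logout: redirect the browser to the IdP's end-session endpoint.
// post_logout_redirect_uri must match the URI registered at the IdP (see Assumptions above);
// id_token_hint tells the IdP which session to end so it need not prompt the user.
function buildEndSessionRedirect(endSessionEndpoint, logoutRedirectUri, idToken) {
  const url = new URL(endSessionEndpoint);
  url.searchParams.set("post_logout_redirect_uri", logoutRedirectUri);
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  return { status: 302, headers: { Location: url.toString() } };
}

// Step 2, /v2/_logout (the IdP's callback): expire the session cookies and send the browser
// to $post_logout_return_uri. Added check: only a return URI on the same origin as
// $redirect_base is honoured, so the callback cannot be turned into an open redirect.
function logoutCallback(postLogoutReturnUri, redirectBase) {
  const base = new URL(redirectBase);
  let target = base.toString();
  try {
    const candidate = new URL(postLogoutReturnUri, base); // relative URIs resolve against base
    if (candidate.origin === base.origin) target = candidate.toString();
  } catch (e) {
    // malformed return URI: keep the default landing page
  }
  const expired = "Expires=Thu, 01 Jan 1970 00:00:00 GMT";
  const cookies = SESSION_COOKIES.map(
    (name) => `${name}=; Path=/; ${expired}; HttpOnly; Secure; SameSite=Lax`
  );
  return { status: 302, headers: { Location: target, "Set-Cookie": cookies } };
}

// In an NJS handler these would be applied as r.headersOut["Location"] = res.headers.Location,
// r.headersOut["Set-Cookie"] = res.headers["Set-Cookie"] (an array is accepted), r.return(res.status).
```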

shawndotkim and others added 3 commits November 15, 2022 13:16
chore: agenda and getting started for README.md

fix: typo

fix: link for README.md

fix: signout and sample API for README.md

fix: comment for post logout and gitignore

fix: space to horizontally align variables of key/value

fix: README.md

fix: image of make watch

chore: add a note when Keycloak container isn't working

feat: advanced example of proxy server

chore: fix typo and add a note for two examples for reverse proxy configuration
added doctoc for automatic toc creation
broke getting started info out into new doc
chore: move quick start guide into the repo of nginx-oidc-examples

fix: remove unused files

chore: example link of frontend and backend

fix: back to the original example of configuration

fix: back to the original default value of pkce_enable

@shawnhankim (Member Author)

Thanks @route443 and @jputrino !

Successfully merging this pull request may close these issues.

Add endpoints (/login, /userinfo, /v2/logout) and a bundle OIDC simulation environment
3 participants