
@vepatel vepatel commented May 29, 2025

Proposed changes

Policy:

Spec:
  Oidc:
    Access Token Enable:   true
    Auth Endpoint:         https://keycloak.example.com/realms/master/protocol/openid-connect/auth
    Client ID:             nginx-plus
    Client Secret:         oidc-secret
    End Session Endpoint:  https://keycloak.example.com/realms/master/protocol/openid-connect/logout
    Jwks URI:              http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs
    Redirect URI:          /_test
    Scope:                 openid+profile+email
    Token Endpoint:        http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token
Status:
  Message:  Policy default/oidc-policy was added or updated
  Reason:   AddedOrUpdated
  State:    Valid

nginx conf:

server {
    listen 80;
    listen [::]:80;

    server_name webapp.example.com;
    status_zone webapp.example.com;
    set $resource_type "virtualserver";
    set $resource_name "webapp";
    set $resource_namespace "default";

    include oidc/oidc.conf;
    set $oidc_pkce_enable 0;
    set $oidc_logout_redirect "/_logout";
    set $oidc_hmac_key "webapp";
    set $zone_sync_leeway 200;
    set $oidc_authz_endpoint "https://keycloak.example.com/realms/master/protocol/openid-connect/auth";
    set $oidc_authz_extra_args "";
    set $oidc_token_endpoint "http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token";
    set $oidc_end_session_endpoint "https://keycloak.example.com/realms/master/protocol/openid-connect/logout";
    set $oidc_jwt_keyfile "http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs";
    set $oidc_scopes "openid+profile+email";
    set $oidc_client "nginx-plus";
    set $oidc_client_secret "<SECRET>";
    set $redir_location "/_test";

    # Custom OIDC redirect location based on policy redirectURI
    location = /_test {
        status_zone "OIDC code exchange";
        js_content oidc.codeExchange;
        error_page 500 502 504 @oidc_error;
    }

    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate $secret_dir_path/default-tls-secret;
    ssl_certificate_key $secret_dir_path/default-tls-secret;

    if ($scheme = 'http') {
        return 301 https://$host$request_uri;
    }

    server_tokens "on";

    location / {
        set $service "webapp-svc";
        status_zone "webapp-svc";
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;
        auth_jwt_key_request /_jwks_uri;
        proxy_set_header username $jwt_claim_sub;
        proxy_set_header Authorization "Bearer $access_token";
        set $default_connection_header close;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        client_max_body_size 1m;
        proxy_buffering on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $vs_connection_header;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host "$host";
        proxy_pass http://vs_default_webapp_webapp;
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0s;
        proxy_next_upstream_tries 0;
    }
}

[Screenshot 2025-05-29 at 16:45:31]

https://keycloak.example.com/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email&client_id=nginx-plus&redirect_uri=https://webapp.example.com:443/_test

[Screenshot 2025-05-29 at 16:46:18]

[Screenshot 2025-05-29 at 16:47:28]

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork
Signed-off-by: Venktesh Shivam Patel <ve.patel@f5.com>
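The fix above is only correct if three things agree: the Redirect URI in the policy, the `$redir_location` / `location = /_test` block in the generated nginx config, and the `redirect_uri` parameter that nginx sends to Keycloak in the authorization request. The identity provider compares `redirect_uri` against its registered value exactly, so any drift between them breaks the login flow (or, if the IdP is lax, widens where codes can be delivered). The following Go program is an added example and not part of the nginx-ingress code base: it takes a constructed excerpt of the generated config and the authorization URL from the description above, extracts the pieces, and reports any mismatch. The function names, the regular expressions, and the `expectedHost` argument are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample input: the lines of the generated server block that
// matter for the check (taken from the PR description, trimmed for brevity).
const SampleConf = `
set $redir_location "/_test";
# Custom OIDC redirect location based on policy redirectURI
location = /_test {
    status_zone "OIDC code exchange";
    js_content oidc.codeExchange;
}
`

// Constructed sample input: the authorization request nginx issued to Keycloak.
const SampleAuthURL = "https://keycloak.example.com/realms/master/protocol/openid-connect/auth" +
	"?response_type=code&scope=openid+profile+email&client_id=nginx-plus" +
	"&redirect_uri=https://webapp.example.com:443/_test"

var (
	// set $redir_location "<path>";
	redirLocationRe = regexp.MustCompile(`set\s+\$redir_location\s+"([^"]*)"\s*;`)
	// location = <path> {
	exactLocationRe = regexp.MustCompile(`location\s*=\s*(\S+)\s*\{`)
)

// RedirectLocation returns the value of $redir_location in the config.
func RedirectLocation(conf string) (string, bool) {
	m := redirLocationRe.FindStringSubmatch(conf)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// HasExactLocation reports whether the config declares `location = <path>`,
// i.e. whether nginx will actually route the callback to the code exchange.
func HasExactLocation(conf, path string) bool {
	for _, m := range exactLocationRe.FindAllStringSubmatch(conf, -1) {
		if m[1] == path {
			return true
		}
	}
	return false
}

// RedirectURI extracts and parses the redirect_uri parameter of an
// authorization request URL.
func RedirectURI(authURL string) (*url.URL, error) {
	u, err := url.Parse(authURL)
	if err != nil {
		return nil, err
	}
	raw := u.Query().Get("redirect_uri")
	if raw == "" {
		return nil, errors.New("authorization request has no redirect_uri")
	}
	return url.Parse(raw)
}

// CheckRedirectConsistency verifies that redirect_uri uses https, points at
// this server (expectedHost), carries exactly the path the policy configured,
// and that nginx has an exact-match location block for that path.
func CheckRedirectConsistency(conf, authURL, expectedHost string) error {
	want, ok := RedirectLocation(conf)
	if !ok {
		return errors.New("config does not set $redir_location")
	}
	ru, err := RedirectURI(authURL)
	if err != nil {
		return err
	}
	if ru.Scheme != "https" {
		return fmt.Errorf("redirect_uri scheme is %q, want https", ru.Scheme)
	}
	if ru.Hostname() != expectedHost {
		return fmt.Errorf("redirect_uri host %q does not match server_name %q", ru.Hostname(), expectedHost)
	}
	if ru.Path != want {
		return fmt.Errorf("redirect_uri path %q does not match $redir_location %q", ru.Path, want)
	}
	if !HasExactLocation(conf, want) {
		return fmt.Errorf("no `location = %s` block handles the code exchange", want)
	}
	return nil
}

func main() {
	if err := CheckRedirectConsistency(SampleConf, SampleAuthURL, "webapp.example.com"); err != nil {
		fmt.Println("MISMATCH:", err)
		return
	}
	fmt.Println("redirect_uri, $redir_location and the location block agree")
}
```

Run against a live setup by pasting the server block from `nginx -T` into `SampleConf` and the `Location` header of the 302 that starts the flow into `SampleAuthURL`; the host argument should be the `server_name` of the VirtualServer, since the callback must land on the same host that set the session cookie.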
@vepatel vepatel requested a review from a team as a code owner May 29, 2025 15:48
@github-actions github-actions bot added the bug An issue reporting a potential bug label May 29, 2025

codecov bot commented May 29, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 52.47%. Comparing base (552f353) to head (e68be13).
Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7853   +/-   ##
=======================================
  Coverage   52.47%   52.47%
=======================================
  Files          90       90
  Lines       21550    21550
=======================================
  Hits        11308    11308
  Misses       9773     9773
  Partials      469      469

@github-actions github-actions bot added the go Pull requests that update Go code label May 29, 2025
@vepatel vepatel requested a review from pdabelf5 May 30, 2025 11:32
@vepatel vepatel merged commit 2c08bea into main Jun 4, 2025
84 checks passed
@vepatel vepatel deleted the fix/oidc-redirect branch June 4, 2025 09:41
@AlexFenlon AlexFenlon removed the go Pull requests that update Go code label Jun 23, 2025