feat: access token in NGINX OIDC RP reference implementation

- refactored auth() - refactored codeExchange()
nginxinc · shawnhankim · Aug 29, 2021 · Aug 29, 2021 · Aug 29, 2021 · Sep 1, 2021
commit 772ecdf9f9b487cb407e96b8f8b02a664c55e5dd
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+*.crt
+*.key
diff --git a/examples/01-access-token/Dockerfile b/examples/01-access-token/Dockerfile
@@ -0,0 +1,89 @@
+FROM debian:buster-slim
+LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
+
+# Define NGINX versions for NGINX Plus and NGINX Plus modules
+# Uncomment this block and the versioned nginxPackages block in the main RUN
+# instruction to install a specific release
+ENV NGINX_VERSION 24
+ENV NJS_VERSION 0.6.1
+ENV PKG_RELEASE 1~buster
+
+# Download certificate and key from the customer portal (https://cs.nginx.com)
+# and copy to the build context
+COPY nginx-repo.crt /etc/ssl/nginx/
+COPY nginx-repo.key /etc/ssl/nginx/
+
+RUN set -x \
+# Create nginx user/group first, to be consistent throughout Docker variants
+ && addgroup --system --gid 101 nginx \
+ && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx \
+ && apt-get update \
+ && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 \
+ && \
+ NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+ found=''; \
+ for server in \
+ ha.pool.sks-keyservers.net \
+ hkp://keyserver.ubuntu.com:80 \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ pgp.mit.edu \
+ ; do \
+ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+ apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+ done; \
+ test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+ apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
+# Install the latest release of NGINX Plus and/or NGINX Plus modules
+# Uncomment individual modules if necessary
+# Use versioned packages over defaults to specify a release
+ && nginxPackages=" \
+ nginx-plus \
+ # nginx-plus=${NGINX_VERSION}-${PKG_RELEASE} \
+ # nginx-plus-module-xslt \
+ # nginx-plus-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
+ # nginx-plus-module-geoip \
+ # nginx-plus-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
+ # nginx-plus-module-image-filter \
+ # nginx-plus-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
+ # nginx-plus-module-perl \
+ # nginx-plus-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
+ # nginx-plus-module-njs \
+ nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \
+ iputils-ping \
+ vim \
+ net-tools \
+ " \
+ && echo "Acquire::https::plus-pkgs.nginx.com::Verify-Peer \"true\";" >> /etc/apt/apt.conf.d/90nginx \
+ && echo "Acquire::https::plus-pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
+ && echo "Acquire::https::plus-pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
+ && echo "Acquire::https::plus-pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
+ && printf "deb https://plus-pkgs.nginx.com/debian buster nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
+ && apt-get update \
+ && apt-get install --no-install-recommends --no-install-suggests -y \
+ $nginxPackages \
+ gettext-base \
+ curl \
+ && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
+ && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx
+
+# Forward request logs to Docker log collector
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log \
+ && mkdir -p /etc/controller-agent/configurator/auxfiles
+
+RUN rm /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf
+COPY content /usr/share/nginx/html
+COPY conf /etc/nginx
+COPY auxfiles /etc/controller-agent/configurator/auxfiles
+VOLUME /usr/share/nginx/html
+VOLUME /etc/nginx
+
+RUN chmod -R 777 /etc/nginx
+RUN chmod -R 777 /etc/nginx/conf.d
+
+EXPOSE 80
+EXPOSE 443
+EXPOSE 8090
+
+STOPSIGNAL SIGTERM
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/examples/01-access-token/README.md b/examples/01-access-token/README.md
@@ -0,0 +1,52 @@
+# NGINX OpenID Connect - Access Token
+
+Reference implementation of NGINX Plus as relying party for OpenID Connect authentication with access token.
+
+## Creating a Docker Image of NGINX Plus
+- Create a [Dockerfile](./Dockerfile).
+- Download your version of the nginx-repo.crt and nginx-repo.key files via the [customer portal](https://cs.nginx.com/?_ga=2.268586425.912746048.1620625839-85838359.1596947109).
+
+## Create Docker Network
+- Create a user-defined bridge network:
+ ```bash
+ $ docker network create my-net
+ ```
+
+## Start IDP such as Keycloak
+- From a terminal start Keycloak with the following command:
+ ```bash
+ $ docker run --name my-idp --network my-net \
+ -p 8080:8080 \
+ -e KEYCLOAK_USER=admin \
+ -e KEYCLOAK_PASSWORD=admin \
+ -d jboss/keycloak
+ ```
+
+- Execute the following command if you want to stop and remove the container:
+ ```bash
+ $ docker stop my-idp; docker rm my-idp
+ ```
+
+## Creating Docker Image for NGINX Plus w/ OIDC
+- Create a Docker image called `nginxoidc`:
+ ```bash
+ $ docker build --no-cache -t nginxoidc .
+ ```
+
+- Create a container named my-apigw based on this image:
+ ```bash
+ $ docker run --name my-apigw --network my-net \
+ -p 443:443 -p 8090:8090 \
+ --link my-idp:my-idp \
+ -d nginxoidc
+ ```
+
+- Execute the following command if you want to stop and remove the container:
+ ```bash
+ $ docker stop my-apigw; docker rm my-apigw
+ ```
+
+## Reference
+- [NGINX OpenID Connect](https://github.com/shawnhankim/nginx-openid-connect)
+- [Keycloak on Docker](https://www.keycloak.org/getting-started/getting-started-docker)
+- [Enabling Single Sign-On for Proxied Applications](https://docs.nginx.com/nginx/deployment-guides/single-sign-on/)
diff --git a/examples/01-access-token/conf/conf.d/default.conf b/examples/01-access-token/conf/conf.d/default.conf
@@ -0,0 +1,42 @@
+server {
+ listen 9090;
+ server_name localhost;
+
+ location /v1/api/one {
+ default_type application/json;
+ return 200 '{"code": "1", "message": "This is for testing /v1/api/one"}';
+ }
+ location /v1/api/two {
+ default_type application/json;
+ return 200 '{"code": "2", "message": "This is for testing /v1/api/two"}';
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name localhost;
+ status_zone localhost;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ location /v1/api/one {
+ status_zone localhost_api_one;
+ proxy_pass http://localhost:9090/v1/api/one;
+ }
+
+ location /v1/api/two {
+ status_zone localhost_api_two;
+ proxy_pass http://localhost:9090/v1/api/two;
+ }
+
+ # redirect server error pages to the static page /50x.html
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+}
+
diff --git a/examples/01-access-token/conf/conf.d/frontend.conf b/examples/01-access-token/conf/conf.d/frontend.conf
@@ -0,0 +1,81 @@
+# This is the backend application we are protecting with OpenID Connect
+upstream my_backend {
+ zone my_backend 64k;
+ server 10.0.0.1:80;
+}
+
+# Custom log format to include the 'sub' claim in the REMOTE_USER field
+log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $status '
+ '$body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+
+# The frontend server - reverse proxy with OpenID Connect authentication
+#
+server {
+ include conf.d/oidc_server.conf; # Authorization code flow and Relying Party processing
+ error_log /var/log/nginx/error.log debug; # Reduce severity level as required
+ access_log /var/log/nginx/access.log main;
+
+ server_name mynginxoidc.keycloak;
+ listen 443 ssl;
+
+ ssl_certificate /etc/controller-agent/configurator/auxfiles/mysample.crt;
+ ssl_certificate_key /etc/controller-agent/configurator/auxfiles/mysample.key;
+ ssl_session_cache off;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ # This site is protected with OpenID Connect
+ auth_jwt "" token=$session_jwt;
+ error_page 401 = @do_oidc_flow;
+
+ #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+ auth_jwt_key_request /_jwks_uri; # Enable when using URL
+
+ # Successfully authenticated users are proxied to the backend,
+ # with 'sub' claim passed as HTTP header
+ proxy_set_header username $jwt_claim_sub;
+ # proxy_pass http://my_backend; # The backend site/app
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+
+ access_log /var/log/nginx/access.log main_jwt;
+ }
+}
+
+
+server {
+ include conf.d/oidc_server.conf; # Authorization code flow and Relying Party processing
+ error_log /var/log/nginx/error.log debug; # Reduce severity level as required
+ access_log /var/log/nginx/access.log main;
+
+ server_name mynginxoidc.aws;
+ listen 443 ssl; # Use SSL/TLS in production
+ ssl_certificate /etc/controller-agent/configurator/auxfiles/mysample.crt;
+ ssl_certificate_key /etc/controller-agent/configurator/auxfiles/mysample.key;
+ ssl_session_cache off;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ # This site is protected with OpenID Connect
+ auth_jwt "" token=$session_jwt;
+ error_page 401 = @do_oidc_flow;
+
+ #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+ auth_jwt_key_request /_jwks_uri; # Enable when using URL
+
+ # Successfully authenticated users are proxied to the backend,
+ # with 'sub' claim passed as HTTP header
+ proxy_set_header username $jwt_claim_sub;
+ # proxy_pass http://my_backend; # The backend site/app
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+
+ add_header X-Sub $jwt_claim_sub;
+ add_header X-Email $jwt_claim_email;
+ add_header X-ID-Token $session_jwt;
+ add_header X-Access-Token $access_token;
+ access_log /var/log/nginx/access.log main_jwt;
+ }
+}
+
+# vim: syntax=nginx