
Conversation

@shawnhankim (Contributor) commented Nov 9, 2022

Issue Item:

Background:

  • The current NJS implementation doesn't have /login and /userinfo endpoints for client apps (SPAs) to interact with.
  • Client apps require a /login function as part of the relying party when a user clicks the login button on the landing page.
  • Client apps require a /userinfo function as part of the relying party when a user wants to verify that the session cookie created by NGINX Plus is still valid, or to get some user info that the client app needs.
  • The existing /logout function needs to be extended with the sign-off function on the IdP's end_session_endpoint. Afterwards the NGINX Plus logout redirection URI (which the IdP redirects to after a successful logout) can clear the session cookies and redirect to either the original landing page or a custom logout page.

Description:

  • Added /userinfo endpoint:

    • Add a map variable `$oidc_userinfo_endpoint`, in the same way as the authz and token endpoints, in openid_connect_configuration.conf.
    • Expose the /userinfo endpoint in a location block of NGINX Plus (openid_connect.server_conf) to interact with the IdP's userinfo_endpoint, which is defined in the .well-known/openid-configuration endpoint.
    • The nginx location block should proxy to the IdP's userinfo_endpoint, adding the access_token as a bearer token:
      `Authorization: Bearer <access_token>`
    • The response coming from the IdP should be returned to the caller as is.
  • Exposed /login endpoint:

    • Expose the /login endpoint as a location block in openid_connect.server_conf.
    • Proxy it to the existing IdP authorization_endpoint configured in the map variable `$oidc_authz_endpoint` in openid_connect_configuration.conf.
    • This outsources the login function to the IdP as it is configured.
  • Exposed /v2/logout endpoint or enhance /logout endpoint:

    • Add a map variable `$oidc_end_session_endpoint`, in the same way as the authz and token endpoints, in openid_connect_configuration.conf.

    • Add a map variable `$post_logout_return_uri`: after a successful logout from the IdP, NGINX Plus redirects to this URI, which is either the original page or a custom logout page. The default is the original page, based on the configuration of `$redirect_base`.

    • Exposed the endpoints /v2/logout and /v2/_logout:

      • /v2/logout: NGINX Plus calls the IdP's end session endpoint (`$oidc_end_session_endpoint`) so that the IdP finishes the session.
      • /v2/_logout (callback endpoint):
          1. The IdP redirects here once it has successfully finished the session.
          2. NGINX Plus clears the session cookies.
          3. NGINX Plus redirects to either the original landing page or the custom logout page by calling `$post_logout_return_uri`.
    • FYI: we could just enhance the existing /logout and /_logout endpoints instead of adding the new /v2/logout and /v2/_logout endpoints, if this doesn't block existing customers and they can update this reference implementation in their configuration:

      • As-Is: the NJS implementation provides an example of clearing the cookie and showing a simple logout message, so customers need to implement the full business logic to interact with the IdP's end session endpoint themselves.
      • To-Be: existing customers can either keep the legacy business logic or replace the reference implementation, moving from /v2/logout and /v2/_logout to /logout and /_logout.
    • Capture the IdP's logout endpoint (`oidc_logout_endpoint`) in a map variable, in the same way as the authz and token endpoints, in openid_connect_configuration.conf.

  • Added a bundle SPA to simulate OIDC.

    • Provide a frontend application to easily simulate the OIDC workflow:
      • Login button
      • Logout button
      • Call-a-proxied-API button, backed by a sample API endpoint, to test access to an API resource using the access token received from the IdP.

    [screenshot: oidc-original-landing-page]

    [screenshot: oidc-sample-proxied-api]

  • Added a Docker container environment to locally simulate OIDC.
    [screenshot: make-watch]

  • Added a doc on how to set up and locally test OIDC.

Assumptions:

  • The IdP is configured with `$oidc_logout_redirect_uri` at the time the resource credentials are created, along with /_codexch.
  • It is expected that NGINX Plus always verifies the validity and integrity of the token(s) before sending them to the client or backend.
  • Developers replace the bundled SPA with their own app after making sure the OIDC setup/test works among the bundled SPA, NGINX Plus and the IdP.
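To make the three endpoints described above concrete, the following is an added example of how they could be wired up in openid_connect.server_conf. It is not the PR's own code. It assumes the map variables named in the description (`$oidc_authz_endpoint`, `$oidc_userinfo_endpoint`, `$oidc_end_session_endpoint`, `$post_logout_return_uri`, `$redirect_base`) exist, and that, as in the reference implementation, `$session_jwt` and `$access_token` are populated from the `auth_token` session cookie via keyval zones, `$oidc_cookie_flags` holds the cookie attributes, and the existing NJS handler `oidc.auth` starts the authorization-code flow.

```nginx
# Added example, not part of the PR. Assumed variables: $oidc_userinfo_endpoint,
# $oidc_authz_endpoint, $oidc_end_session_endpoint, $post_logout_return_uri,
# $redirect_base, $session_jwt, $access_token, $oidc_cookie_flags (from the
# reference implementation's openid_connect_configuration.conf).

# /userinfo: the client app asks "is my session still valid, and who am I?".
# The session JWT is verified first, so an expired or tampered cookie gets a
# 401 instead of a round trip to the IdP; then the stored access token is
# attached as a bearer token and the IdP's JSON answer is returned unchanged.
location = /userinfo {
    auth_jwt "" token=$session_jwt;   # reject callers without a valid session
    auth_jwt_key_request /_jwks_uri;  # existing internal JWKS location

    proxy_set_header Authorization "Bearer $access_token";
    proxy_set_header Cookie "";       # the NGINX session cookie must not reach the IdP
    proxy_pass $oidc_userinfo_endpoint;  # needs a resolver, as the existing /_token location has
}

# /login: entry point for the SPA's login button. Reuses the existing NJS
# handler so nonce/state generation and the /_codexch callback stay unchanged;
# the user is redirected to the IdP's authorization_endpoint.
location = /login {
    status_zone "OIDC login";
    js_content oidc.auth;
    default_type text/plain;
}

# /v2/logout: RP-initiated logout. Send the browser to the IdP's
# end_session_endpoint with the ID token as a hint and ask the IdP to come
# back to /v2/_logout. That return URI must be registered at the IdP.
location = /v2/logout {
    status_zone "OIDC logout";
    return 302 "$oidc_end_session_endpoint?id_token_hint=$session_jwt&post_logout_redirect_uri=$redirect_base/v2/_logout";
}

# /v2/_logout: callback from the IdP once its session is finished. Expire the
# session and redirect-tracking cookies, then send the browser to the
# configured post-logout page.
location = /v2/_logout {
    status_zone "OIDC logout callback";
    add_header Set-Cookie "auth_token=; $oidc_cookie_flags";  # empty value = cleared
    add_header Set-Cookie "auth_redir=; $oidc_cookie_flags";
    return 302 $post_logout_return_uri;
}
```

Two points worth checking when adapting this: the keyval entries behind `$session_jwt` and `$access_token` are only dropped when the NJS logout handler overwrites them (the existing `/logout` does this), so `/v2/_logout` should either call that handler or set the variables to an empty marker itself; and `proxy_set_header Cookie ""` matters because the upstream request would otherwise forward the browser's `auth_token` cookie to a third party.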
shawndotkim and others added 3 commits November 15, 2022 13:13
fix: remove changelog to add it later fix: horizontal alignment
chore: agenda and getting started for README.md fix: typo fix: link for README.md fix: signout and sample API for README.md fix: comment for post logout and gitignore fix: space to horizontally align variables of key/value fix: README.md fix: image of make watch chore: add a note when Keycloak container isn't working feat: advanced example of proxy server chore: fix typo and add a note for two examples for reverse proxy configuration
added doctoc for automatic toc creation broke getting started info out into new doc
@shawnhankim (Contributor, Author) commented:

Per discussion with @route443, I am closing this PR and have consolidated it into #62. The doc PR will be raised separately.
