Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] docs: access token new endpoints(/login, /userinfo, /v2/logout) #16

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[WIP] docs: access token new endpoints(/login, /userinfo, /v2/logout) #16

wants to merge 3 commits into from

Conversation

shawnhankim
Copy link
Member

  • added doctoc for automatic toc creation
  • broke getting started info out into new doc

shawndotkim and others added 3 commits November 17, 2022 14:43
@shawndotkim @shawnhankim
feat: access token & new endpoints (/login, /userinfo, /v2/logout)
de4bab2 
**1. access token**

  - Enhance the NJS Code to capture the `access_token` sent by the IdP.

  - Store the `access_token` in the k/v store as same as we store `id_token` and `refresh_token`

**2. new endpoints**

  - Add `/userinfo` endpoint:
    - Add a map variable of `$oidc_userinfo_endpoint` as same as authz and token endpoints here (`openid_connect_configuration.conf`) .
    - Expose `/userinfo` endpoint here(`openid_connect.server_conf`) in a location block of NGINX Plus to interact with IdP's `userinfo_endpoint` which is defined in the endpoint of`well-known/openid-configuration`.
    - The nginx location block should proxy to the IdP’s `userinfo_endpoint` by adding `access_token` as a bearer token.
      ```
      Authorization : Bearer <access_token>
      ```
    - The response coming from IdP should be returned back to the caller as it is.

  - Expose `/login` endpoint:
    - Expose the `/login` endpoint as a location block here (`openid_connect.server_conf`)
    - Proxy it to the IdP's `authorization_endpoint` configured in the map variable of `$oidc_authz_endpoint` in (`openid_connect_configuration.conf`).
    - This would outsource the login function to IdP as its configured.

  - Expose `/v2/logout` endpoint:
    - Expose the `/v2/logout` endpoint as a location block here (`openid_connect.server_conf`)
    - Add a map variable of `$oidc_end_session_endpoint` as same as authz and token endpoints here (`openid_connect_configuration.conf`) .
    - Proxy it to the IdP's `end_session_endpoint` to finish the session by IdP.

  - Expose `/v2/_logout` endpoint:
    - Expose `/v2/_logout` endpoint which is a callback from IdP as a location block here (`openid_connect.server_conf`) to handle the following sequences.
      - 1. Redirected by IdP when IdP successfully finished the session.
      - 2. NGINX Plus: Clear session cookies.
      - 3. NGINX Plus: Redirect to either the original landing page or the custom logout page by calling
    - Add a map of `$post_logout_return_uri`: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is original page based on the configuration of `$redirect_base`.

**3. add endpoints in `configure.sh`**

  - IdP's userinfo endpoint
  - IdP's end session endpoint
@shawnhankim
Merge pull request #14 from nginx-openid-connect/009-access-token-new…
d05e89d 
…-endpoints

feat: access token & new endpoints (/login, /userinfo, /v2/logout)
@jputrino @shawnhankim
Edits to README complete
bc81b15 
added doctoc for automatic toc creation
broke getting started info out into new doc
@shawnhankim shawnhankim force-pushed the 015-docs-access-token-new-endpoints branch from ddeeec0 to bc81b15 Compare November 17, 2022 23:25
@shawnhankim shawnhankim linked an issue Nov 17, 2022 that may be closed by this pull request
Docs: access token and new endpoints (/login, /userinfo, /v2/logout) #15
Open
@shawnhankim
Copy link
Member Author

After reviewing from here, this PR is going to be merged into the NGINX Plus repo via nginxinc#64.

  • @jputrino : I would appreciate it if you could feel free to squash the commit when you are ready to merge.
  • @route443 and @jputrino : I would appreciate it if you could review this doc PR when you get a chance.

pmoghef5
pmoghef5 approved these changes Nov 18, 2022
View reviewed changes
Copy link

@pmoghef5 pmoghef5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :)

@shawnhankim
Copy link
Member Author

Thanks @pmoghef5 !

@shawnhankim shawnhankim force-pushed the main branch 3 times, most recently from 983d5c9 to 6ad8ec6 Compare December 19, 2022 08:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmoghef5 pmoghef5 pmoghef5 approved these changes

@route443 route443 Awaiting requested review from route443

Assignees

@jputrino jputrino

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Docs: access token and new endpoints (/login, /userinfo, /v2/logout)
4 participants
@shawnhankim @pmoghef5 @jputrino @shawndotkim