oidc_nginx_http.conf

# -----------------------------------------------------------------------------#
#                                                                              #
#                  NGINX Configuration for OpenID Connect                      #
#                            (within http block)       |                       #
#                                                      |                       #
#         http {                                       |                       #
#               :                                      |                       #
#             +-----------------------------------+    |                       #
#             | include "oidc_nginx_http.conf";   | <--+                       #
#             +-----------------------------------+                            #
#               :                                                              #
#             server {                                                         #
#                 :                                                            #
#             }                                                                #
#               :                                                              #
#         }                                                                    #
#                                                                              #
# - This file is to configure NGINX related info to handle OIDC workflow.      #
# - Each map block allows multi values so that multiple IdPs can be supported. #
# - The $host variable is used as default input parameter but can be changed.  #
#                                                                              #
# ---------------------------------------------------------------------------- #

variables_hash_max_size    4096;

map $proto $oidc_cookie_flags {
    http  "Path=/; SameSite=lax;";                   # For HTTP/plaintext test
    https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation
}

map $http_x_forwarded_port $redirect_base {
    ""      $proto://$host:$server_port;
    default $proto://$host:$http_x_forwarded_port;
}

map $http_x_forwarded_proto $proto {
    ""      $scheme;
    default $http_x_forwarded_proto;
}

map $x_client_id $post_logout_return_uri {
    default $redirect_base;
}

map $x_client_id $return_token_to_client_on_login {
    # This is to return token as a query param to the app after successful login.
    # +------------+-----------------------------------------------------------+
    # | options    | example                                                   |
    # +------------+-----------------------------------------------------------+
    # | id_token   | http://my-nginx.example.com/login?id_token=sdfsdfdsfs     |
    # | none or "" | http://my-nginx.example.com  (no query param)             |
    # +------------+-----------------------------------------------------------+
    default "";
}

map $x_client_id $session_validation_enable {
    default 1; # 0: disable when testing APIs w/ session cookie on any client
}

map $x_client_id $session_id_time_enable {
    default 0; # 1: timestamp(hh:mm) is included in session ID
}

map $x_client_id $client_id_validation_enable {
    default 1; # 1: check if `client_id` is included in cookie when login
}

map $cookie_client_id $x_client_id {
    default $cookie_client_id;
}

# ADVANCED CONFIGURATION BELOW THIS LINE
# Additional advanced configuration (server context) in oidc_nginx_server.conf

# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;

# Key/Value store for ID token, access token and refresh token.
# Change timeout values to at least the validity period of each token type
keyval_zone zone=oidc_id_tokens:1M       state=/var/lib/nginx/state/oidc_id_tokens.json      timeout=1h;
keyval_zone zone=oidc_access_tokens:1M   state=/var/lib/nginx/state/oidc_access_tokens.json  timeout=1h;
keyval_zone zone=oidc_refresh_tokens:1M  state=/var/lib/nginx/state/oidc_refresh_tokens.json timeout=8h;

# Temporary storages.
keyval_zone zone=oidc_pkce:128K               timeout=90s; # for PKCE code verifier
keyval_zone zone=oidc_nonce_hash:128K         timeout=90s; # for NONCE
keyval_zone zone=oidc_token_query_params:128K timeout=90s; # for query params of token endpoint

keyval $cookie_session_id $id_token           zone=oidc_id_tokens;          # Exchange cookie for ID      token
keyval $cookie_session_id $access_token       zone=oidc_access_tokens;      # Exchange cookie for access  token
keyval $cookie_session_id $refresh_token      zone=oidc_refresh_tokens;     # Exchange cookie for refresh token
keyval $session_id        $new_id_token       zone=oidc_id_tokens;          # For initial session creation for ID token
keyval $session_id        $new_access_token   zone=oidc_access_tokens;      # For initial session creation for access token
keyval $session_id        $new_refresh        zone=oidc_refresh_tokens;     # For initial session creation for refresh token
keyval $session_id        $nonce_hash         zone=oidc_nonce_hash;         # For NONCE
keyval $session_id        $token_query_params zone=oidc_token_query_params; # for query params of token endpoint
keyval $pkce_id           $pkce_code_verifier zone=oidc_pkce;

auth_jwt_claim_set        $jwt_audience aud; # In case aud is an array
js_import oidc from conf.d/oidc.js;

# vim: syntax=nginx