|
1 | 1 | # Advanced configuration START |
2 | 2 | set $internal_error_message "NGINX / OpenID Connect login failure\n"; |
3 | 3 | set $pkce_id ""; |
| 4 | + set $idp_sid ""; |
4 | 5 | # resolver 8.8.8.8; # For DNS lookup of IdP endpoints; |
5 | 6 | subrequest_output_buffer_size 32k; # To fit a complete tokenset response |
6 | 7 | gunzip on; # Decompress IdP responses if necessary |
|
37 | 38 | # to construct the OpenID Connect token request, as per: |
38 | 39 | # http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest |
39 | 40 | internal; |
| 41 | + |
| 42 | + # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID) |
| 43 | + proxy_pass_request_headers off; |
| 44 | + |
40 | 45 | proxy_ssl_server_name on; # For SNI to the IdP |
41 | 46 | proxy_set_header Content-Type "application/x-www-form-urlencoded"; |
42 | 47 | proxy_set_header Authorization $arg_secret_basic; |
43 | 48 | proxy_pass $oidc_token_endpoint; |
44 | | - } |
| 49 | + } |
45 | 50 |
|
46 | 51 | location = /_refresh { |
47 | 52 | # This location is called by oidcAuth() when performing a token refresh. We |
48 | 53 | # use the proxy_ directives to construct the OpenID Connect token request, as per: |
49 | 54 | # https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken |
50 | 55 | internal; |
| 56 | + |
| 57 | + # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID) |
| 58 | + proxy_pass_request_headers off; |
| 59 | + |
51 | 60 | proxy_ssl_server_name on; # For SNI to the IdP |
52 | 61 | proxy_set_header Content-Type "application/x-www-form-urlencoded"; |
53 | 62 | proxy_set_header Authorization $arg_secret_basic; |
54 | 63 | proxy_pass $oidc_token_endpoint; |
55 | 64 | } |
56 | 65 |
|
57 | | - location = /_id_token_validation { |
| 66 | + location = /_token_validation { |
58 | 67 | # This location is called by oidcCodeExchange() and oidcRefreshRequest(). We use |
59 | 68 | # the auth_jwt_module to validate the OpenID Connect token response, as per: |
60 | 69 | # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation |
61 | 70 | internal; |
62 | 71 | auth_jwt "" token=$arg_token; |
63 | | - js_content oidc.validateIdToken; |
| 72 | + js_content oidc.extractTokenClaims; |
64 | 73 | error_page 500 502 504 @oidc_error; |
65 | 74 | } |
66 | 75 |
|
| 76 | + location = /front_channel_logout { |
| 77 | + status_zone "OIDC logout"; |
| 78 | + add_header Cache-Control "no-store"; |
| 79 | + default_type text/plain; |
| 80 | + js_content oidc.handleFrontChannelLogout; |
| 81 | + } |
| 82 | + |
67 | 83 | location = /logout { |
68 | 84 | status_zone "OIDC logout"; |
69 | 85 | add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; |
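Review bot: The new `location = /front_channel_logout` is the only non-`internal` location added in this commit and is designed to be requested cross-site by the IdP, yet unlike every other location in the file it carries no comment stating what the handler is expected to verify before acting. I would add, above `status_zone`, `# Called by the IdP (iframe or redirect) on front-channel logout; the handler must match the iss/sid parameters against the stored IdP session id before ending any session, as per: https://openid.net/specs/openid-connect-frontchannel-1_0.html`. Presumably the `set $idp_sid "";` added in the first hunk is where that session id is kept, but `oidc.handleFrontChannelLogout` is not visible here, so this needs confirming in the JS. Because the request arrives in a third-party browsing context, the `auth_token` cookie may not be sent depending on the SameSite value in `$oidc_cookie_flags`, so the session lookup should rely on the sid parameter rather than the cookie. The `/logout` location at the end of the page continues past what is shown.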
|