Module ngx_http_oidc_module
The ngx_http_oidc_module module (1.27.4) implements authentication as a Relying Party in OpenID Connect using the Authorization Code Flow.
The module expects the OpenID Provider's configuration to be available via its metadata document, and requires a DNS resolver to be configured with the resolver directive, because the Provider's endpoints are resolved at run time rather than at configuration load.
The module can be combined with other access modules via the satisfy directive.
Note that the module may still block requests even with satisfy any;: an unauthenticated request is redirected to the OpenID Provider, and nothing guarantees that the Provider redirects the user back to nginx.
This module is available as part of our commercial subscription.
Example Configuration
http {
    resolver 10.0.0.1;

    oidc_provider my_idp {
        issuer        "https://provider.domain";
        client_id     "unique_id";
        client_secret "unique_secret";
    }

    server {
        location / {
            auth_oidc my_idp;
            proxy_set_header username $oidc_claim_sub;
            proxy_pass http://backend;
        }
    }
}
The example assumes that the Redirection URI “https://<nginx-host>/oidc_callback” is registered on the OpenID Provider's side.
The path can be customized with the redirect_uri directive.
Directives
Syntax: oidc_provider name { ... }
Default: —
Context: http
Defines an OpenID Provider for use with the auth_oidc directive.
Syntax: auth_oidc provider | off;
Default: auth_oidc off;
Context: http, server, location
Enables end user authentication with the specified OpenID Provider.
The special value off cancels the effect of the auth_oidc directive inherited from the previous configuration level.
Syntax: issuer url;
Default: —
Context: oidc_provider
Sets the Issuer Identifier URL of the OpenID Provider; required directive.
The URL must exactly match the value of “issuer” in the OpenID Provider metadata and requires the “https” scheme.
The comparison is a literal string match, so “https://provider.domain” and “https://provider.domain/” are different issuers; copy the value from the metadata verbatim.
Syntax: client_id id;
Default: —
Context: oidc_provider
Specifies the client ID of the Relying Party; required directive.
Syntax: client_secret secret;
Default: —
Context: oidc_provider
Specifies a secret value used to authenticate the Relying Party with the OpenID Provider.
Syntax: config_url url;
Default: config_url <issuer>/.well-known/openid-configuration;
Context: oidc_provider
Sets a custom URL to retrieve the OpenID Provider metadata.
Syntax: cookie_name name;
Default: cookie_name NGX_OIDC_SESSION;
Context: oidc_provider
Sets the name of the session cookie issued by the module.
Syntax: extra_auth_args string;
Default: —
Context: oidc_provider
Sets additional query arguments for the authentication request URL, for example:
    extra_auth_args "display=page&prompt=login";
Syntax: redirect_uri uri;
Default: redirect_uri /oidc_callback;
Context: oidc_provider
Defines the path of the Redirection URI to which the OpenID Provider sends the user back after authentication; the module handles requests for this path itself.
The path must match the Redirection URI registered for this client on the Provider's side.
Syntax: scope scope;
Default: scope openid;
Context: oidc_provider
Sets requested scopes.
The openid scope is always required by OIDC.
Syntax: session_store zone;
Default: —
Context: oidc_provider
Specifies a custom key-value database (a keyval_zone) that stores session data.
By default, an 8-megabyte key-value database named oidc_default_store_<provider name> is created automatically.
Configure a separate key-value database for each Provider: sharing one store would allow a session established with one Provider to be reused with another.
Syntax: session_timeout time;
Default: session_timeout 8h;
Context: oidc_provider
Sets a timeout after which the session is deleted, unless it was refreshed.
Syntax: ssl_crl file;
Default: —
Context: oidc_provider
Specifies a file with revoked certificates (CRL) in the PEM format used to verify the certificates of the OpenID Provider endpoints.
Syntax: ssl_trusted_certificate file;
Default: ssl_trusted_certificate system CA bundle;
Context: oidc_provider
Specifies a file with trusted CA certificates in the PEM format used to verify the certificates of the OpenID Provider endpoints.
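The following configuration is an added example, not part of the module documentation, that combines the directives above for two Providers, each with its own key-value session store, cookie name and Redirection URI, and a trusted-network bypass via satisfy any. The Provider hostnames, client credentials, zone names, network ranges, certificate paths and backend addresses are placeholders. It assumes that session_store takes the name of a zone declared with keyval_zone, and that a quoted, space-separated scope value is accepted; check both against your nginx version.

```nginx
http {
    # Provider endpoints are looked up at run time, so a resolver is required.
    resolver 10.0.0.1;

    # One key-value zone per Provider (assumed keyval_zone syntax). Sharing a
    # zone would let a session established with one Provider be reused with
    # the other.
    keyval_zone zone=oidc_corp_sessions:8m;
    keyval_zone zone=oidc_partner_sessions:8m;

    oidc_provider corp_idp {
        issuer        "https://login.corp.example";    # placeholder; must equal the metadata "issuer" byte for byte
        client_id     "nginx-corp";                     # placeholder
        client_secret "REPLACE_ME";                     # placeholder; keep this file readable only by the nginx user
        session_store oidc_corp_sessions;
        cookie_name   CORP_OIDC_SESSION;
        redirect_uri  /corp/oidc_callback;              # register https://portal.example/corp/oidc_callback at the Provider
        scope         "openid profile email";           # assumed form; openid is always required
        session_timeout 1h;
        ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;   # placeholder path to a CA bundle
    }

    oidc_provider partner_idp {
        issuer        "https://id.partner.example";     # placeholder
        client_id     "nginx-partner";                  # placeholder
        client_secret "REPLACE_ME";                     # placeholder
        session_store oidc_partner_sessions;
        cookie_name   PARTNER_OIDC_SESSION;
        redirect_uri  /partner/oidc_callback;           # register https://portal.example/partner/oidc_callback at the Provider
        ssl_crl       /etc/nginx/partner-idp.crl.pem;   # placeholder; CRL for the partner's endpoint certificates
    }

    server {
        listen 443 ssl;
        server_name portal.example;                     # placeholder
        ssl_certificate     /etc/nginx/portal.crt;      # placeholder
        ssl_certificate_key /etc/nginx/portal.key;      # placeholder

        # Employees: clients on the office range pass without OIDC, everyone
        # else is sent to corp_idp. An external client is still redirected to
        # the Provider and may never come back, so "satisfy any" does not
        # turn this into an open location.
        location /corp/ {
            satisfy any;
            allow 10.0.0.0/8;
            deny  all;
            auth_oidc corp_idp;

            # proxy_set_header replaces any X-User-Id a client sent, so the
            # backend only ever sees the authenticated subject.
            proxy_set_header X-User-Id     $oidc_claim_sub;
            proxy_set_header Authorization "Bearer $oidc_access_token";
            proxy_pass http://127.0.0.1:8081;           # placeholder backend
        }

        # Partners: OIDC only, no network bypass.
        location /partner/ {
            auth_oidc partner_idp;
            proxy_set_header X-User-Id $oidc_claim_sub;
            proxy_pass http://127.0.0.1:8082;           # placeholder backend
        }
    }
}
```

Each Provider's Redirection URI path is placed under the location prefix where that Provider's auth_oidc applies, mirroring the page's own example in which /oidc_callback sits under location /. Bypassed office clients carry no session, so $oidc_claim_sub and $oidc_access_token are empty for them; a backend that keys authorization on those headers must treat an empty value as anonymous rather than as a trusted user.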
Embedded Variables
The ngx_http_oidc_module module supports embedded variables:
$oidc_id_token - ID token
$oidc_access_token - access token
$oidc_claim_name - top-level ID token claim
Nested claims can be fetched with the auth_jwt module, pointed at the ID token the module has already validated:
http {
    auth_jwt_claim_set $postal_code address postal_code;

    server {
        location / {
            auth_oidc my_idp;
            auth_jwt off token=$oidc_id_token;
            proxy_set_header x-postal_code $postal_code;
            proxy_pass http://backend;
        }
    }
}