access token and new endpoints (/login, /userinfo, /v2/logout)

[shawnhankim]

Background:

• Current NJS implementation disregard the access_token that is being sent by the IdP and only uses the id_token to get stored in the NGINX Plus K/V store.

• Token Recommandation

  When Using	Do	Don't
  ID Token	- Assume the user is authenticated	- Call an API
  	- Get user profile data	- Check if the client is allowed to access something.
  Access Token	- Call an API	- Inspect its content on the client
  	- Check if the client is allowed to access something
  	- Inspect its content on the server side

  courtesy: ID Token and Access Token: What's the Difference?
  

• Current NJS implementation doesn’t have /login and /userinfo endpoints for client apps (SPA) to interact with.

• Client Apps require /login function as part of relying party when a user clicks on login button from the landing page.

• Client Apps require /userinfo function as part of relying party when a user wants to verify the session cookie created by NGINX Plus is still valid or to get some user info about users which is needed for the Client Apps.

• The existing /logout function is required to extend the sign-off function on the IdP's end_session_endpoint. Afterwards the NGINX Plus' logout redirection URI (which is redirected by IdP after successful logout from IdP) can clear session cookies and redirect to the either original landing page or a custom logout page.

Acceptance Criteria:

• Enhance the NJS Code to capture the access_token sent by the IdP.

• Store the access_token in the k/v store as same as we store id_token and refresh_token

• Add /userinfo endpoint:

  • Add a map variable of $oidc_userinfo_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
  • Expose /userinfo endpoint here(openid_connect.server_conf) in a location block of NGINX Plus to interact with IdP's userinfo_endpoint which is defined in the endpoint ofwell-known/openid-configuration.
  • The nginx location block should proxy to the IdP’s userinfo_endpoint by adding access_token as a bearer token.

    Authorization : Bearer <access_token>
    

  • The response coming from IdP should be returned back to the caller as it is.

• Expose /login endpoint:

  • Expose the /login endpoint as a location block here (openid_connect.server_conf)
  • Proxy it to the IdP's authorization_endpoint configured in the map variable of $oidc_authz_endpoint in (openid_connect_configuration.conf).
  • This would outsource the login function to IdP as its configured.

• Expose /v2/logout endpoint:

  • Expose the /v2/logout endpoint as a location block here (openid_connect.server_conf)
  • Add a map variable of $oidc_end_session_endpoint as same as authz and token endpoints here (openid_connect_configuration.conf) .
  • Proxy it to the IdP's end_session_endpoint to finish the session by IdP.

• Expose /v2/_logout endpoint:

  • Expose /v2/_logout endpoint which is a callback from IdP as a location block here (openid_connect.server_conf) to handle the following sequences.
    • 1. Redirected by IdP when IdP successfully finished the session.
    • 2. NGINX Plus: Clear session cookies.
    • 3. NGINX Plus: Redirect to either the original landing page or the custom logout page by calling
  • Add a map of $post_logout_return_uri: After the successful logout from the IdP, NGINX Plus calls this URI to redirect to either the original page or a custom logout page. The default is original page based on the configuration of $redirect_base.

Compatibility:

• This issue will not block the existing features as there would be no change of variables, and this is just to add features.

Exceptions:

• The docs will be enhanced with a separate PR.
• The demo as a quick start guide will be provided with a separate PR.