Add OIDC userinfo endpoint

remove /userinfo location
nginxinc · Jan 9, 2023 · 5441a04 · 5441a04
1 parent 74948ce
commit 5441a04
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -102,6 +102,7 @@ When NGINX Plus is deployed behind another proxy, the original protocol and port
     * Obtain the URL for `jwks_uri` or download the JWK file to your NGINX Plus instance
     * Obtain the URL for the **authorization endpoint**
     * Obtain the URL for the **token endpoint**
+    * Obtain the URL for the **userinfo endpoint**
 
 ## Configuring NGINX Plus
 

diff --git a/configure.sh b/configure.sh
@@ -120,7 +120,7 @@ fi
 # Build an intermediate configuration file
 # File format is: <NGINX variable name><space><IdP value>
 #
-jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf
+jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)\n$oidc_userinfo_endpoint \(.userinfo_endpoint)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf
 
 # Create a random value for HMAC key, adding to the intermediate configuration file
 echo "\$oidc_hmac_key `openssl rand -base64 18`" >> /tmp/${COMMAND}_$$_conf
@@ -178,7 +178,7 @@ fi
 
 # Loop through each configuration variable
 echo "$COMMAND: NOTICE: Configuring $CONFDIR/openid_connect_configuration.conf"
-for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do
+for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_userinfo_endpoint \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do
 	# Pull the configuration value from the intermediate file
 	VALUE=`grep "^$OIDC_VAR " /tmp/${COMMAND}_$$_conf | cut -f2 -d' '`
 	echo -n "$COMMAND: NOTICE:  - $OIDC_VAR ..."

diff --git a/frontend.conf b/frontend.conf
@@ -40,6 +40,17 @@ server {
 
         access_log /var/log/nginx/access.log main_jwt;
     }
+
+    location = /foobar {
+        # This location is an example for User Agent to obtain requested claims
+        # about the End-User if necessary:
+        # - https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+        error_page 401 = @do_oidc_flow;
+        proxy_intercept_errors on;
+        proxy_ssl_server_name on;
+        proxy_set_header Authorization "Bearer $access_token";
+        proxy_pass $oidc_userinfo_endpoint;
+    }
 }
 
 # vim: syntax=nginx
diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
@@ -28,6 +28,10 @@ map $host $oidc_jwt_keyfile {
     default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs";
 }
 
+map $host $oidc_userinfo_endpoint {
+    default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo";
+}
+
 map $host $oidc_client {
     default "my-client-id";
 }