nginx-openid-connect / nginx-oidc-core Goto Github PK

Background:

• NGINX auth_request directive could handle 200 response from NJS module in the past. (I haven't checked the N+ version.) However, It returns only 401 although NJS returns 200.
• To successfully manage OIDC session for the Private/Public/Partner API of NGINX ACM & Developer Portal, this needs to be either fixed or implemented by other ways.

AC:

• Investigate the root cause why NGINX auth_request directive return 401 from the 200 response of NJS.
• Try session management without using auth_request.
• OIDC Ref. Implementation: Either fix N+ auth_request with NJS or enhance new way of session management.
• Implement the logic in the ACM & Developer Portal if necessary.

AC:

• Remove auth_jwt directives as IdP userinfo endpoint handles access_token validation.

Background

• NGINX ACM is going to provide Zone Sync Policy.
• NGINX INC OSS has a PR to resolve ZoneSync delays.
• Hence, we need to enhance these both features into this NGINX OIDC Core and test it to make sure that the features work for each IdP.

AC

• Refactor NGINX Plus OIDC Core by referencing this PR to resolve ZoneSync delays.
• Support containers' environment for simulating ZoneSync delay.
• Sync with the Zone Sync Policy of NGINX ACM.
• Test with multi clusters and 7 IdPs.

Misc.

• Additional custom option: $enable_zone_sync
• Key Value Zones:

keyval_zone zone=oidc_id_tokens:1M state=/etc/nginx/aux/oidc_id_tokens.json timeout=1h sync;
keyval_zone zone=oidc_access_tokens:1M state=/etc/nginx/aux/oidc_access_tokens.json timeout=1h sync;
keyval_zone zone=oidc_refresh_tokens:1M state=/etc/nginx/aux/oidc_refresh_tokens.json timeout=8h sync;
keyval_zone zone=oidc_pkce:128K timeout=90s sync;
keyval_zone zone=oidc_nonce_hash:128K timeout=90s sync;
keyval_zone zone=oidc_token_query_params:128K timeout=90s sync;

AC:

• Validate access token by using auth_jwt directives before sending it to proxy server
• Test w/ the following identity providers (IdPs):
  • Amazon Cognito
  • Auth0
  • Azure AD
  • Keycloak
  • Okta
  • OneLogin
  • Ping Identity

Issues:

• The following IdPs are working with Dev Portal and NGINX Plus for the /userinfo endpoint.

  • Amazon Cognito
  • Auth0
  • Azure AD
  • Keycloak
  • Okta
  • OneLogin

• But, the /userinfo endpoint isn't working with Ping Identity.

Root Cause:

• Server Name Indication (SNI) is an extension for the TLS protocol (formerly known as the SSL protocol), which is used in HTTPS.
• It allows the server to safely host multiple TLS Certificates for multiple sites, all under a single IP address.
• It's included in the TLS/SSL handshake process in order to ensure that client devices are able to see the correct SSL certificate for the website they are trying to reach.
• It adds the hostname of the server (website) in the TLS handshake as an extension in the message.
• PingIdentity checks the hostname so that proxy_ssl_server_name on must be added before proxy_pass $oidc_userinfo_endpoint.

AC:

• Enable proxy_ssl_server_name.

    location = /userinfo {
                            :
        proxy_ssl_server_name on; # For SNI to the IdP
        proxy_set_header Authorization "Bearer $access_token";
        proxy_pass       $oidc_userinfo_endpoint;
                            :
    }

• Comparability Test w/ 7 IDPs to make sure that it supports all IDPs as the following check list.

  IDP	NGINX Plus	ACM/Dev Portal
  Amazon Cognito
  Auth0
  Azure AD
  Keycloak
  Okta
  OneLogin
  Ping Identity

• Reporter: Rajesh Bavanantham

• Issue

  • It look like if we give sign-out uri in our config it gets duplicated while the oidc implementation is creating the log-out url.
  • https://dev-745930.oktapreview.com/oauth2/aus10bz495vMInDqO0h8/v1/logout?post_logout_redirect_uri=http://developers.nginx.comhttp://developers.nginx.com/&id_token_hint=

• AC:

  • Investigate the NGINX ACM
  • Test NGINX RP Core
  • Fix NGINX ACM & NIGNX RP Core if necessary based on the investigation. Update guideline otherwise.

Background:

• Currently, NGINX Plus OIDC Reference Implementation doesn't use aud claim in the request of IdP authorization endpoint. - Auth0 returns empty payload in the access token from the token endpoint.
• NGINX Developer Portal needs the access token that contains custom claims to handle partner APIs.

AC:

• Investigate and document how to add custom claims that contains groups and sub-groups.
• Reference implementation to handle aud claims in the request of IdP authorization endpoint.
• Guideline: OIDC Policy for the customizable parameters for the IdP authorization endpoint.
• ACM converter update if necessary based on the change of reference implementation.

NGINX Plus OIDC RP needs to support PKCE for Azure AD.

AC:

• Document: Azure AD Configuration
• Features:
  • NGINX Plus OIDC RP Implementation
  • NGINX ACM

Background:

• Some of IdPs such as Amazon Cognito and Azure AD only supports HTTPS for setting up redirected URIs.
• To integrate those IdPs using NGINX ACM, we need to configure TLS Inbound Policy and OIDC Policy in the proxy cluster of Dev Portal.
• The NGINX ACM UI would be more easier to configure the TWO policies than directly calling API after manually editing each fields.
• Hence, the sample of API request would be convenience for anyone who wants to use Postman.

AC:

• Sample Certificates
• Docs: https://github.com/nginx-openid-connect/nginx-oidc-amazon-cognito/blob/main/docs/04-NGINX-DevPortal-Test.md
• Postman Collection for the following IdPs which doesn't support HTTP for custom domain.
  • Amazon Cognito
  • Azure AD
  • OneLogin
• Verify NGINX ACM and Developer Portal

Background:

• 401 error message shows when session validation and token validation are in a location block.
• So users should be aware of that it is the error for either session or token.

AC:

• Common error message.
• Test w/ 7 IdPs * 2 Flows (Auth Code, PKCE) when $session_validation_enable is set to 1.

Issue:

1. Most of IdPs' $oidc_jwt_keyfile endpoint works for access token validation. But Azure AD doesn't work as the following message:

   [info] 87#87: *500 JWT RS validation failed kid:"2ZQpJ3UpbjAYXYGaXEJl8lV0TOI" (SSL: error:04091068:rsa routines:int_rsa_verify:bad signature), client: 172.18.0.1, server: nginx.azure.test, request: "GET /v1/api/example HTTP/1.1", host: "nginx.azure.test:15000"
   

   • Because, if nonce includes in access token, validating signature with JWT.io or JWT SecurityToken won't success.

2. To solve the #1, we can add "[CLIENT_ID]/.default" in authorization endpoint of Azure AD.

3. However, the access token doesn't work for userinfo endpoint as a Bearer in the header of API request although the validation works.

   {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError": 
   {"date":"2022-10-15T07:13:25","request-id":"xxxx-xxx-xxx-xxx-xxxx","client-request-id":"xxxx-xxx-xxx-xxx-xxxx"}}}
   

4. To successfully get 200 response from the /userinfo endpoint, we either can remove the scope in the authorization endpoint or find to solve invalid audience.

References:

• AzureAD/microsoft-authentication-library-for-js#521 (comment)
• https://stackoverflow.com/questions/45317152/invalid-signature-while-validating-azure-ad-access-token-but-id-token-works
• https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo
• AzureAD/microsoft-authentication-library-for-js#815
• https://authguidance.com/azure-active-directory-setup/
• https://authguidance.com/azure-ad-troubleshooting/