NGINX-Plus

配置Authok

获取应用密钥

你需要如下信息

Domain
Client ID
Client Secret

配置回调URL

配置 Logout URL

安装并开启 nginx-plus-module-njs 模块

sudo yum install nginx-plus-module-njs jq

在/etc/nginx/nginx.conf文件中添加如下行:

load_module modules/ngx_http_js_module.so;

检查 nginx-openid-connect 模版仓库

克隆nginx-openid-connect仓库:

git clone https://github.com/nginxinc/nginx-openid-connect

配置 AuthOK 应用

在nginx-openid-connect目录中运行configure.sh脚本:

./configure.sh --auth_jwt_key request \
  --client_id YOUR_CLIENT_ID \
  --pkce_enable \
  https://YOUR_DOMAIN/.well-known/openid-configuration

在openid_connect_configuration.conf文件中添加注销:

openid_connect_configuration.conf
map $host $oidc_logout_redirect {
    default "https://YOUR_DOMAIN/v1/logout";
}

针对 Token 和 JWKS 端点设置 Accept-Encoding Types

openid_connect.server_conf
location = /_jwks_uri {
    internal;
    ...
    proxy_set_header    Content-Length "";           
    proxy_set_header    Accept-Encoding "gzip";          # this is required
    ...
}

location = /_token {
    internal;
    ...
    proxy_set_header    Content-Type "application/x-www-form-urlencoded";
    proxy_set_header    Accept-Encoding "gzip";          # this is required
    ...
}

拷贝 OpenID Connect 配置文件到 NGINX Server

sudo cp openid_connect.js \ 
   frontend.conf \
   openid_connect_configuration.conf \
   openid_connect.server_conf /etc/nginx/conf.d

配置 AuthOK

在 AuthOK管理后台 >> 应用 >> 回调URL 中追加 https://server-fqdn/_codexch. 并设置 Token Endpoint Authentication Method 为"None". 因为这里需要执行 PKCE认证流.

修改/etc/nginx/conf.d/frontend.conf, 追加从id_token中获取的额外header给到 upstream 目标:

frontend.conf
# auth_jwt_claim_set $claim_name https://namespace/key;

server {
    include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
    error_log /var/log/nginx/error.log debug;  # Reduce severity level as required

    listen 8010; # Use SSL/TLS in production
    
    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri; # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header username $jwt_claim_sub;
        proxy_set_header x-email $jwt_claim_email;
        #proxy_set_header x-custom $claim_name;             # namespaced claim

        proxy_pass http://my_backend; # The backend site/app

        access_log /var/log/nginx/access.log main_jwt;
    }
}

NGINX-Plus

配置Authok​

获取应用密钥​

配置回调URL​

配置 Logout URL​

安装并开启 nginx-plus-module-njs 模块​

检查 nginx-openid-connect 模版仓库​

配置 AuthOK 应用​

针对 Token 和 JWKS 端点设置 Accept-Encoding Types​

拷贝 OpenID Connect 配置文件到 NGINX Server​

配置 AuthOK​

传递 Header 给到 Upstream 应用​