NGINX-Plus
Configure Authok
Get the application credentials
You need the following information:
- Domain
- Client ID
- Client Secret
Configure the callback URL
Configure the Logout URL
Install and enable the nginx-plus-module-njs module
sudo yum install nginx-plus-module-njs jq
Add the following line to the /etc/nginx/nginx.conf file:
load_module modules/ngx_http_js_module.so;
Check out the nginx-openid-connect template repository
Clone the nginx-openid-connect repository:
git clone https://github.com/nginxinc/nginx-openid-connect
Configure the Authok application
Run the configure.sh script in the nginx-openid-connect directory:
./configure.sh --auth_jwt_key request \
--client_id YOUR_CLIENT_ID \
--pkce_enable \
https://YOUR_DOMAIN/.well-known/openid-configuration
Add the logout redirect to the openid_connect_configuration.conf file:
openid_connect_configuration.conf
map $host $oidc_logout_redirect {
default "https://YOUR_DOMAIN/v1/logout";
}
Set the Accept-Encoding type for the token and JWKS endpoints
openid_connect.server_conf
location = /_jwks_uri {
    internal;
    ...
    proxy_set_header Content-Length "";
    proxy_set_header Accept-Encoding "gzip"; # this is required
    ...
}
location = /_token {
    internal;
    ...
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    proxy_set_header Accept-Encoding "gzip"; # this is required
    ...
}
Copy the OpenID Connect configuration files to the NGINX server
sudo cp openid_connect.js \
frontend.conf \
openid_connect_configuration.conf \
openid_connect.server_conf /etc/nginx/conf.d
Configure Authok
In the Authok admin console >> Applications >> Callback URLs, append https://server-fqdn/_codexch, and set Token Endpoint Authentication Method to "None", because the PKCE flow is used here.
Pass headers to the upstream application
Edit /etc/nginx/conf.d/frontend.conf and add extra headers, taken from the id_token claims, to pass to the upstream target:
frontend.conf
# auth_jwt_claim_set $claim_name https://namespace/key;
server {
    include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
    error_log /var/log/nginx/error.log debug;  # Reduce severity level as required
    listen 8010; # Use SSL/TLS in production

    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri;      # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header username $jwt_claim_sub;
        proxy_set_header x-email $jwt_claim_email;
        #proxy_set_header x-custom $claim_name; # namespaced claim

        proxy_pass http://my_backend; # The backend site/app

        access_log /var/log/nginx/access.log main_jwt;
    }
}