Comments (3)
This is not currently possible. NGINX expects that it can proxy directly to the proxy_pass target. If the IdP is external then we recommend a hole in the firewall for this very specific interaction.
from nginx-openid-connect.
You could use socat to do this but that is outside the scope of this repo I would say. I have an ansible role where I'm working on using that with kubernetes. You'll need to change the 3 locations to point to the socat name (you could install it on the same box and point to itself with the right port).
The Readme points to the three locations. You need to also add the proxy_set_header Host login.microsoftonline.com; (or whatever it is you're using for those locations).
Edit openid_connect.server_conf and for each of the /_jwks_uri, /_token, and /_refresh locations, add the following configuration snippet:
proxy_set_header Host ;
proxy_ssl_name ;
Again this is just to point you in the right direction, if you're not familiar with any of that it could be quite a bit of work. NGINX basically will call the socat tunnel passing the host header of the right external DNS name. Then the socat will tunnel that to your forward proxy.
from nginx-openid-connect.
@magicalyak Thanks for the suggestion. I'm running kubernetes so I created sidecar that could proxy the requests to the OIDC server, and changed the configuration to point to my sidecar.
from nginx-openid-connect.
Related Issues (20)
- How to change redirect_base variable on Nginx side without affecting authorization flow? HOT 4
- Setting a state variable HOT 6
- Return 401 instead of redirecting to authorize endpoint HOT 2
- Add certificate‑bound access tokens support to this OIDC Reference Implementation
- Questions about [NginxPlus + nginx-openid-connect] proxy use on the intranet HOT 3
- Capture access token from IdP HOT 2
- access token and new endpoints (/login, /userinfo, /v2/logout)
- Configuration script: user info and end session endpoint HOT 1
- Docs: access token and new endpoints (/login, /userinfo, /v2/logout)
- Error in configure script when supplying secret HOT 1
- Allow extra args to be provided to the OIDC auth endpoint
- Add access token support
- Add OIDC end session endpoint and custom query params
- Add OIDC landing page for NGINX to redirect after successful OIDC login
- Add OIDC userinfo endpoint for User-Agent to obtain claims about End-User
- Enhance custom query params for OIDC authZ endpoint
- update documentation - Azure AD IdP HOT 2
- Loop 302 after expire access token HOT 5
- Issue with special character handling in redirect URI after authentication
- client_secret_basic Client Authentication not supported
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nginx-openid-connect.