Add OIDC userinfo endpoint

shawnhankim · shawnhankim · commit c9690c39f8ca · 2023-01-09T14:14:59.000-08:00
remove /userinfo location

Add userinfo endpoint in README.md
diff --git a/README.md b/README.md
@@ -40,6 +40,10 @@ For more information on OpenID Connect and JWT validation with NGINX Plus, see [
 
 If a [refresh token](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens) was received from the IdP then it is also stored in the key-value store. When validation of the ID Token fails (typically upon expiry) then NGINX Plus sends the refresh token to the IdP. If the user's session is still valid at the IdP then a new ID token is received, validated, and updated in the key-value store. The refresh process is seamless to the client.
 
+### Userinfo Endpoint
+
+The [Userinfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) is an OAuth 2.0 protected resource that returns claims about the authenticated End-User. For User Agent To obtain the requested claims about the End-User, NGINX Plus makes a request to the `$oidc_userinfo_endpoint` using an access token as the example of `/foobar` location in the config file of `frontend.conf`. These claims are normally represented by a JSON object that contains a collection of name and value pairs for the claims.
+
 ### Logout
 
 Requests made to the `/logout` location invalidate both the ID token, access token and refresh token by erasing them from the key-value store. Therefore, subsequent requests to protected resources will be treated as a first-time request and send the client to the IdP for authentication. Note that the IdP may issue cookies such that an authenticated session still exists at the IdP.
@@ -102,6 +106,7 @@ When NGINX Plus is deployed behind another proxy, the original protocol and port
     * Obtain the URL for `jwks_uri` or download the JWK file to your NGINX Plus instance
     * Obtain the URL for the **authorization endpoint**
     * Obtain the URL for the **token endpoint**
+    * Obtain the URL for the **userinfo endpoint**
 
 ## Configuring NGINX Plus
 
diff --git a/configure.sh b/configure.sh
@@ -120,7 +120,7 @@ fi
 # Build an intermediate configuration file
 # File format is: <NGINX variable name><space><IdP value>
 #
-jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf
+jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)\n$oidc_userinfo_endpoint \(.userinfo_endpoint)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf
 
 # Create a random value for HMAC key, adding to the intermediate configuration file
 echo "\$oidc_hmac_key `openssl rand -base64 18`" >> /tmp/${COMMAND}_$$_conf
@@ -178,7 +178,7 @@ fi
 
 # Loop through each configuration variable
 echo "$COMMAND: NOTICE: Configuring $CONFDIR/openid_connect_configuration.conf"
-for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do
+for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_userinfo_endpoint \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do
 	# Pull the configuration value from the intermediate file
 	VALUE=`grep "^$OIDC_VAR " /tmp/${COMMAND}_$$_conf | cut -f2 -d' '`
 	echo -n "$COMMAND: NOTICE:  - $OIDC_VAR ..."
diff --git a/frontend.conf b/frontend.conf
@@ -40,6 +40,17 @@ server {
 
         access_log /var/log/nginx/access.log main_jwt;
     }
+
+    location = /foobar {
+        # This location is an example for User Agent to obtain requested claims
+        # about the End-User if necessary:
+        # - https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+        error_page 401 = @do_oidc_flow;
+        proxy_intercept_errors on;
+        proxy_ssl_server_name on;
+        proxy_set_header Authorization "Bearer $access_token";
+        proxy_pass $oidc_userinfo_endpoint;
+    }
 }
 
 # vim: syntax=nginx
diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
@@ -28,6 +28,10 @@ map $host $oidc_jwt_keyfile {
     default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs";
 }
 
+map $host $oidc_userinfo_endpoint {
+    default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo";
+}
+
 map $host $oidc_client {
     default "my-client-id";
 }

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,10 @@ map $host $oidc_jwt_keyfile {`
`28`	`28`	`default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs";`
`29`	`29`	`}`
`30`	`30`
	`31`	`+map $host $oidc_userinfo_endpoint {`
	`32`	`+ default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo";`
	`33`	`+}`
	`34`	`+`
`31`	`35`	`map $host $oidc_client {`
`32`	`36`	`default "my-client-id";`
`33`	`37`	`}`