NGINX/OIDC Reverse-proxy Configuration

Requirements

  • NGINX Plus

  • SurePassID Identity Provider

Install

Follow the nginx-openid-connect installation instructions.
NGINX (nginx-openid-connect) - Installation

Install the jq command-line JSON processor. The installation depends on it, but it is not installed automatically.

  • sudo yum install jq

SELinux Issue Workaround

There is an issue with NGINX's permissions for the directory "/etc/nginx/conf.d". The simplest workaround is to change the owner and group of that directory to "nginx".

  • sudo chown nginx:nginx /etc/nginx/conf.d

A better solution is to fix the SELinux httpd_t context so that the nginx process is allowed to create files in that directory.
Using NGINX and NGINX Plus with SELinux

Configuring the SurePassID Identity Provider

NGINX (nginx-openid-connect) - Configuring your IdP

NGINX OpenID Connect Client Configuration

Use the following SurePassID Identity Provider OpenID Connect client configuration for the NGINX relying party.

Update the following properties as required.

  • ClientId

  • ClientName

  • ClientSecrets.Value

  • RedirectUris

  • PostLogoutRedirectUris

  • Properties.*

See Client Object Reference for more details.

    {
      "Enabled": true,
      "ProtocolType": "oidc",
      "ClientId": "nginx-client-id",
      "ClientName": "NGINX Client Name",
      "ClientSecrets": [
        { "Value": "bmdpbngtY2xpbmV0LXNlY3JldA==", "Type": "SharedSecret" }
      ],
      "AllowedGrantTypes": [ "authorization_code" ],
      "RedirectUris": [ "https://app-proxy.example.com/_codexch" ],
      "PostLogoutRedirectUris": [ "https://app-proxy.example.com/_logout" ],
      "RequireClientSecret": true,
      "RequireConsent": true,
      "AllowRememberConsent": true,
      "RequirePkce": false,
      "AllowPlainTextPkce": false,
      "AllowAccessTokensViaBrowser": false,
      "FrontChannelLogoutSessionRequired": true,
      "BackChannelLogoutSessionRequired": true,
      "AllowOfflineAccess": false,
      "AllowedScopes": [ "profile", "openid" ],
      "AlwaysIncludeUserClaimsInIdToken": true,
      "IdentityTokenLifetime": 300,
      "AccessTokenLifetime": 3600,
      "AuthorizationCodeLifetime": 300,
      "AbsoluteRefreshTokenLifetime": 2592000,
      "SlidingRefreshTokenLifetime": 1296000,
      "RefreshTokenUsage": 1,
      "UpdateAccessTokenClaimsOnRefresh": false,
      "RefreshTokenExpiration": 1,
      "AccessTokenType": 0,
      "EnableLocalLogin": true,
      "IdentityProviderRestrictions": [],
      "IncludeJwtId": false,
      "Claims": [],
      "AlwaysSendClientClaims": false,
      "ClientClaimsPrefix": "client_",
      "DeviceCodeLifetime": 300,
      "AllowedCorsOrigins": [],
      "Properties": {
        "MfaButtons.ALL": "PushApp,IvrQuestion,SmsQuestion,SmsOtp,EmailOtp,CallWithOtp",
        "MfaButtonsDefault": "SmsOtp,EmailOtp,CallWithOtp",
        "AllowOtpDefault": "true",
        "TenantDomain.0": "tenant0.com",
        "TenantId.0": "<TENANT_0_API_ID>",
        "TenantKey.0": "<TENANT_0_API_KEY>",
        "TenantAllowOtp.0": "true",
        "TenantMfaButtons.0": "PushApp,IvrQuestion,SmsQuestion",
        "TenantDomain.1": "tenant1.com",
        "TenantId.1": "<TENANT_1_API_ID>",
        "TenantKey.1": "<TENANT_1_API_KEY>",
        "TenantAllowOtp.1": "true",
        "TenantMfaButtons.1": "PushApp,IvrQuestion,SmsQuestion,SmsOtp,EmailOtp,CallWithOtp"
      }
    }

Configuring NGINX Plus

NGINX (nginx-openid-connect) - Configuring NGINX Plus

Run the configure.sh script using the SurePassID OpenID Connect Discovery URL.

  • ./configure.sh https://oidc.surepassid.com/.well-known/openid-configuration

Make the following changes to the openid_connect_configuration.conf file.

  • Add the following end session endpoint mapping.

    map $host $oidc_endsession_endpoint {
        default https://oidc.surepassid.com/connect/endsession;
    }

  • Add the following mapping so that the JWKS URL can be used to keep the signing keys up to date automatically.

    map $host $oidc_jwks_uri {
        default https://oidc.surepassid.com/.well-known/openid-configuration/jwks;
    }

  • Set the Client ID and Client Secret in the mappings as shown.

  • Modify the $oidc_logout_redirect mapping to use the URI "/oidc_logout". This location is configured in the next section.
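The following is an added illustration of how the map entries in openid_connect_configuration.conf fit together after the edits listed above; it is not the file the page refers to and not code from the nginx-openid-connect project or SurePassID. It assumes the variable names used by the nginx-openid-connect reference implementation ($oidc_authz_endpoint, $oidc_token_endpoint, $oidc_client, $oidc_client_secret, $oidc_scopes, $oidc_logout_redirect, $oidc_hmac_key); the authorize and token paths, the client secret and the HMAC key are placeholders, since only the endsession and JWKS URLs appear on this page.

```nginx
# Added example, not the page's or the project's own file.
# Endpoints that configure.sh fills in from the discovery document.
# The exact paths are placeholders here; use what configure.sh wrote.
map $host $oidc_authz_endpoint {
    default https://oidc.surepassid.com/<AUTHORIZE_PATH_FROM_DISCOVERY>;
}
map $host $oidc_token_endpoint {
    default https://oidc.surepassid.com/<TOKEN_PATH_FROM_DISCOVERY>;
}

# Added by hand: end-session endpoint used by the /oidc_logout location.
map $host $oidc_endsession_endpoint {
    default https://oidc.surepassid.com/connect/endsession;
}

# Added by hand: JWKS URL so signing keys are fetched and refreshed
# automatically instead of being copied into a static key file.
map $host $oidc_jwks_uri {
    default https://oidc.surepassid.com/.well-known/openid-configuration/jwks;
}

# Client credentials. ClientId matches the client object registered in the
# IdP; the secret is the shared secret agreed with the IdP (placeholder).
map $host $oidc_client {
    default "nginx-client-id";
}
map $host $oidc_client_secret {
    default "<CLIENT_SECRET>";
}

# Scopes requested at login. Keep this a subset of the client object's
# AllowedScopes ("openid" and "profile"), or the IdP rejects the request.
map $host $oidc_scopes {
    default "openid+profile";
}

# Where NGINX sends the browser after it has cleared its own session.
map $host $oidc_logout_redirect {
    default "/oidc_logout";
}

# Key used to sign the state/nonce cookies during the login flow.
# Placeholder: generate a random value per deployment and keep it private.
map $host $oidc_hmac_key {
    default "<RANDOM_HMAC_KEY>";
}
```

The two map entries added by hand ($oidc_endsession_endpoint and $oidc_jwks_uri) are the ones the page introduces; the remaining entries are the ones configure.sh and the reference configuration already provide and are shown only so the whole file can be read in one place. The logout redirect is an NGINX-local path, so the browser is first sent to a location on the proxy, which then forwards it to the IdP's end-session endpoint.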

This is a complete example of the updated openid_connect_configuration.conf file.

Make the following changes to the frontend.conf file. This is where the backend application server is configured.

  • Configure the upstream (backend) servers.
    upstream directive

  • If applicable, configure SSL.
    Module ngx_http_ssl_module

  • Add the /oidc_logout location. Place this in the server block before the / location.

  • Configure the reverse proxy to the backend application server.

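The following is an added example of a frontend.conf that carries out the four steps above; it is not the file the page refers to and not code from the nginx-openid-connect project. It assumes the reference layout in which openid_connect.server_conf supplies the /_codexch, /logout, /_logout and internal /_jwks_uri locations and the @do_oidc_flow named location, and in which $session_jwt resolves to the ID token of the current session. The backend addresses, certificate paths and the upstream name app_backend are placeholders.

```nginx
# Added example, not the page's or the project's own file.

# Step 1: the backend application servers (placeholder addresses).
upstream app_backend {
    zone app_backend 64k;
    server 10.0.0.11:8080;
    server 10.0.0.12:8080;
}

server {
    listen 443 ssl;
    # Must match the host in RedirectUris / PostLogoutRedirectUris of the
    # client object, otherwise the IdP rejects the redirect.
    server_name app-proxy.example.com;

    # Step 2: TLS (placeholder certificate paths).
    ssl_certificate     /etc/nginx/ssl/app-proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/app-proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Locations the OIDC flow needs (/_codexch, /logout, /_logout, /_jwks_uri).
    include conf.d/openid_connect.server_conf;

    # Step 3: after /logout has cleared the NGINX session it redirects here
    # ($oidc_logout_redirect), and this location ends the IdP session as well.
    # post_logout_redirect_uri is hard-coded rather than built from $host so a
    # forged Host header cannot steer the post-logout redirect; it must equal
    # one of the client's PostLogoutRedirectUris. Declared before "location /".
    location = /oidc_logout {
        return 302 "$oidc_endsession_endpoint?post_logout_redirect_uri=https://app-proxy.example.com/_logout";
    }

    # Step 4: everything else must present a valid session token before it is
    # proxied to the backend; an unauthenticated request starts the login flow.
    location / {
        auth_jwt "" token=$session_jwt;
        auth_jwt_key_request /_jwks_uri;     # keys fetched via $oidc_jwks_uri and cached
        error_page 401 = @do_oidc_flow;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header username          $jwt_claim_sub;   # authenticated subject for the app
        proxy_pass http://app_backend;
    }
}
```

Because the ID token is validated on every request through auth_jwt, the backend only ever sees traffic that carried a signature verifiable against the keys fetched from $oidc_jwks_uri; a request with no session or an expired token is turned into a fresh authorization-code flow rather than reaching the application. The logout chain is /logout (NGINX clears its session) to /oidc_logout (browser sent to the IdP end-session endpoint) to /_logout (landing page after the IdP has signed the user out).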

This is a complete example of the updated frontend.conf file.