NGINX/OIDC Reverse-proxy Configuration

Requirements

  • NGINX Plus. The nginx-openid-connect reference implementation relies on NGINX Plus-only features (the auth_jwt module and the keyval store) together with the njs module, so open-source NGINX is not sufficient.

  • SurePassID Identity Provider

Install

Follow the nginx-openid-connect installation instructions: NGINX (nginx-openid-connect) - Installation.

Install the jq command-line JSON processor. configure.sh depends on it to parse the discovery document, but the package is not installed automatically.

  • sudo yum install jq

SELinux Issue Workaround

On an SELinux-enforcing host nginx cannot create files in the directory "/etc/nginx/conf.d". The simplest workaround is to change the owner and group of that directory to "nginx".

  • sudo chown nginx:nginx /etc/nginx/conf.d

Two caveats before relying on this. First, the chown only changes discretionary ownership; if the failure is an SELinux denial (an AVC record for nginx in the audit log), the directory's httpd_config_t label still prevents the confined httpd_t process from writing to it, and the chown alone changes nothing. Second, the workaround makes the configuration directory writable by the unprivileged worker user, so a compromised worker process could plant configuration that the root-owned master process loads on the next reload.

A better solution is to adjust the SELinux policy so that the nginx (httpd_t) process may create the files it needs, or, cleaner still, to keep conf.d read-only and point the files nginx has to write (usually the keyval_zone state files of the reference configuration) at /var/lib/nginx/state, which is labelled httpd_var_lib_t and is already writable by nginx.
Using NGINX and NGINX Plus with SELinux

Configuring the SurePassID Identity Provider

See NGINX (nginx-openid-connect) - Configuring your IdP for the generic IdP requirements of the reference implementation.

NGINX OpenID Connect Client Configuration

Use the following SurePassID Identity Provider OpenID Connect client configuration for the NGINX relying party.

Update the following properties as required.

  • ClientId: the identifier the proxy sends as client_id.

  • ClientName

  • ClientSecrets.Value: replace the placeholder with the real shared secret; the value in the example is not a usable secret.

  • RedirectUris: the proxy's public URL plus /_codexch, the callback location handled by the reference configuration. The IdP rejects the flow if scheme, host, port or path differ from what NGINX sends.

  • PostLogoutRedirectUris: the proxy's public URL plus /_logout, the page the IdP returns the browser to after ending its session.

  • Properties.*: the SurePassID MFA and tenant settings. The TenantId.n and TenantKey.n values are tenant API credentials and must be protected like any other secret.

The example disables PKCE (RequirePkce false). If your nginx-openid-connect release supports PKCE ($oidc_pkce_enable) and you turn it on, set RequirePkce to true so that the IdP enforces it rather than merely tolerating it.

See Client Object Reference for more details.

{
  "Enabled": true,
  "ProtocolType": "oidc",
  "ClientId": "nginx-client-id",
  "ClientName": "NGINX Client Name",
  "ClientSecrets": [
    {
      "Value": "bmdpbngtY2xpbmV0LXNlY3JldA==",
      "Type": "SharedSecret"
    }
  ],
  "AllowedGrantTypes": [ "authorization_code" ],
  "RedirectUris": [ "https://app-proxy.example.com/_codexch" ],
  "PostLogoutRedirectUris": [ "https://app-proxy.example.com/_logout" ],
  "RequireClientSecret": true,
  "RequireConsent": true,
  "AllowRememberConsent": true,
  "RequirePkce": false,
  "AllowPlainTextPkce": false,
  "AllowAccessTokensViaBrowser": false,
  "FrontChannelLogoutSessionRequired": true,
  "BackChannelLogoutSessionRequired": true,
  "AllowOfflineAccess": false,
  "AllowedScopes": [ "profile", "openid" ],
  "AlwaysIncludeUserClaimsInIdToken": true,
  "IdentityTokenLifetime": 300,
  "AccessTokenLifetime": 3600,
  "AuthorizationCodeLifetime": 300,
  "AbsoluteRefreshTokenLifetime": 2592000,
  "SlidingRefreshTokenLifetime": 1296000,
  "RefreshTokenUsage": 1,
  "UpdateAccessTokenClaimsOnRefresh": false,
  "RefreshTokenExpiration": 1,
  "AccessTokenType": 0,
  "EnableLocalLogin": true,
  "IdentityProviderRestrictions": [],
  "IncludeJwtId": false,
  "Claims": [],
  "AlwaysSendClientClaims": false,
  "ClientClaimsPrefix": "client_",
  "DeviceCodeLifetime": 300,
  "AllowedCorsOrigins": [],
  "Properties": {
    "MfaButtons.ALL": "PushApp,IvrQuestion,SmsQuestion,SmsOtp,EmailOtp,CallWithOtp",
    "MfaButtonsDefault": "SmsOtp,EmailOtp,CallWithOtp",
    "AllowOtpDefault": "true",
    "TenantDomain.0": "tenant0.com",
    "TenantId.0": "<TENANT_0_API_ID>",
    "TenantKey.0": "<TENANT_0_API_KEY>",
    "TenantAllowOtp.0": "true",
    "TenantMfaButtons.0": "PushApp,IvrQuestion,SmsQuestion",
    "TenantDomain.1": "tenant1.com",
    "TenantId.1": "<TENANT_1_API_ID>",
    "TenantKey.1": "<TENANT_1_API_KEY>",
    "TenantAllowOtp.1": "true",
    "TenantMfaButtons.1": "PushApp,IvrQuestion,SmsQuestion,SmsOtp,EmailOtp,CallWithOtp"
  }
}

Configuring NGINX Plus

See NGINX (nginx-openid-connect) - Configuring NGINX Plus for the general procedure; the SurePassID-specific steps follow.

Run the configure.sh script with the SurePassID OpenID Connect discovery URL. The script fetches the discovery document, extracts the authorization, token and JWKS endpoints with jq and writes them into openid_connect_configuration.conf.

  • ./configure.sh https://oidc.surepassid.com/.well-known/openid-configuration

Make the following changes to the openid_connect_configuration.conf file.

  • Add the following end session endpoint mapping. configure.sh does not populate an end session endpoint, so it is set by hand:

    map $host $oidc_endsession_endpoint { default https://oidc.surepassid.com/connect/endsession; }
  • Add the following mapping so that the JWKS URL can be used to keep the IdP's signing keys up to date automatically, rather than relying on a static key file that has to be replaced whenever the IdP rotates keys:

    map $host $oidc_jwks_uri { default https://oidc.surepassid.com/.well-known/openid-configuration/jwks; }
  • Set the Client ID and Client Secret in the $oidc_client and $oidc_client_secret mappings to the ClientId and the client secret registered in ClientSecrets above. The secret is now stored in clear text in an nginx configuration file, so keep that file readable by root only; the master process reads it as root, and the workers do not need it.

  • Change the $oidc_logout_redirect mapping to the URI "/oidc_logout". This location is added to frontend.conf in the next section.

This is a complete example of the updated openid_connect_configuration.conf file.
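The fragment below is an added example of the SurePassID-specific maps described above; it is not the page's own complete file and not the upstream nginx-openid-connect template. It shows only the mappings this section adds or changes, and assumes that everything configure.sh generated (authorization and token endpoints, keyval zones, js_import) is left as written. The client secret is a placeholder.

```nginx
# Added example: SurePassID-specific maps for openid_connect_configuration.conf.
# Not the page's complete file; the maps, keyval_zone and js_import directives
# that configure.sh wrote are assumed to remain unchanged.

# Client registered at the SurePassID IdP (see the client configuration above).
# The secret is a placeholder. The real value sits here in clear text, so keep
# this file readable by root only (the master process reads it as root).
map $host $oidc_client {
    default "nginx-client-id";
}
map $host $oidc_client_secret {
    default "<CLIENT_SECRET>";
}

# End session endpoint: not populated by configure.sh, so set by hand.
# Consumed by the /oidc_logout location in frontend.conf.
map $host $oidc_endsession_endpoint {
    default "https://oidc.surepassid.com/connect/endsession";
}

# JWKS URL: the IdP's current signing keys, fetched on demand so that a key
# rotation at the IdP does not require a static key file to be replaced.
map $host $oidc_jwks_uri {
    default "https://oidc.surepassid.com/.well-known/openid-configuration/jwks";
}

# Where the reference /logout handler sends the browser after it has cleared
# the local session. /oidc_logout (in frontend.conf) then ends the IdP session.
map $host $oidc_logout_redirect {
    default "/oidc_logout";
}
```

A map by itself does nothing: for the JWKS URL to be used, the location that answers auth_jwt_key_request (/_jwks_uri in the reference openid_connect.server_conf, which proxies to $oidc_jwt_keyfile) has to point at $oidc_jwks_uri, so check that wiring in your copy of the reference files. In releases where configure.sh already sets $oidc_jwt_keyfile to the jwks_uri from the discovery document, the extra map is redundant.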

Make the following changes to the frontend.conf file. This is where the backend application server is configured.

  • Configure the upstream (backend) servers (upstream directive).

  • If applicable, configure SSL (Module ngx_http_ssl_module).

  • Add the /oidc_logout location. Place it in the server block before the / location, so that it is not covered by the authentication applied to /.

  • Configure the reverse proxy (proxy_pass) to the backend application server.

This is a complete example of the updated frontend.conf file.
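Below is an added example of a frontend.conf that applies the four steps above; it is not the page's own complete file. The hostnames, IP addresses and certificate paths are placeholders, the upstream name my_backend is assumed, and the / location follows the shape of the reference nginx-openid-connect frontend.conf, where $session_jwt, @do_oidc_flow and /_jwks_uri are provided by openid_connect.server_conf. The behaviour of /oidc_logout (redirecting to the SurePassID end session endpoint with post_logout_redirect_uri set to the proxy's /_logout page) is an assumption that ties together the $oidc_endsession_endpoint map, the $oidc_logout_redirect change and the PostLogoutRedirectUris entry in the client configuration.

```nginx
# Added example of frontend.conf for the SurePassID setup: not the page's own
# file. Hostnames, addresses and certificate paths are placeholders.

upstream my_backend {
    # Backend application servers. They must be reachable only from this proxy,
    # because they trust the identity header set in the / location below.
    zone my_backend 64k;
    server 10.0.0.1:8080;
    server 10.0.0.2:8080;
}

server {
    listen 443 ssl;
    server_name app-proxy.example.com;   # must match RedirectUris in the client config

    ssl_certificate     /etc/nginx/ssl/app-proxy.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/app-proxy.example.com.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authorization code flow: /_codexch, /logout, /_logout, /_jwks_uri, ...
    include conf.d/openid_connect.server_conf;

    # Added for SurePassID. After /logout has cleared the local session it
    # redirects to $oidc_logout_redirect (this location), which ends the IdP
    # session as well. The post_logout_redirect_uri is URL-encoded and must
    # equal an entry in the client's PostLogoutRedirectUris; the IdP then sends
    # the browser back to /_logout, which the reference configuration serves.
    # Placed before / so that no auth_jwt check applies to it.
    location = /oidc_logout {
        return 302 "$oidc_endsession_endpoint?post_logout_redirect_uri=https%3A%2F%2Fapp-proxy.example.com%2F_logout";
    }

    location / {
        # Validate the ID token held for this session; on failure start the
        # OIDC flow instead of returning 401 to the browser.
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;
        auth_jwt_key_request /_jwks_uri;

        # Identify the user to the backend. proxy_set_header replaces any
        # client-supplied header of the same name, so the backend never sees
        # a spoofed value as long as it is reachable only through this proxy.
        proxy_set_header username $jwt_claim_sub;
        proxy_pass http://my_backend;
    }
}
```

After editing, run nginx -t before reloading: a missing map referenced from /oidc_logout or an unreachable include fails the configuration test rather than the live reload.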

Related content

  • SurePassID Identity Provider OIDC Server
  • List All Configuration Data
  • List Client Configuration Data
  • Configuration Data Editor
  • List Identity Resource Configuration Data
  • SurePassID Identity Provider Server Configuration