{"id":13547391,"url":"https://github.com/tarachandverma/nginx-openidc","last_synced_at":"2025-04-02T19:33:03.738Z","repository":{"id":85321629,"uuid":"51006770","full_name":"tarachandverma/nginx-openidc","owner":"tarachandverma","description":"Nginx module for openid-connect relying party, SSO and JWT authentication","archived":false,"fork":false,"pushed_at":"2022-01-07T12:45:56.000Z","size":2566,"stargazers_count":77,"open_issues_count":6,"forks_count":10,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-18T00:51:27.375Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tarachandverma.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-02-03T14:55:26.000Z","updated_at":"2024-11-23T08:12:02.000Z","dependencies_parsed_at":"2023-11-24T06:15:17.067Z","dependency_job_id":null,"html_url":"https://github.com/tarachandverma/nginx-openidc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tarachandverma%2Fnginx-openidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tarachandverma%2Fnginx-openidc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tarachandverma%2Fnginx-openidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tarachandverma%2Fnginx-openidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tarachandverma","download_url":"https://codeload.github.com/tarachandverma/nginx-openidc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246880357,"owners_count":20848847,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:00:54.939Z","updated_at":"2025-04-02T19:33:03.727Z","avatar_url":"https://github.com/tarachandverma.png","language":"C","funding_links":[],"categories":["C","others"],"sub_categories":[],"readme":"# nginx-openidc\nNginx module for openid connect relying party and JWT authentication\n====================================================================\n\n**nginx-openidc is Nginx module allows openid-connect(JWT) validation and access control based on standard claim as headers. \n\nThis document details the technical architecture and reasoning behind the\nnginx-openidc system.\n\nThe request flow - Relying Party ( RP )\n---------------------------------------\n1. The user makes a request for a protected resource on RP `ngx-oidc-demo.com` for resource http://ngx-oidc-demo.com/protected.\n2. In \"Access\" phase of nginx, **nginx-openidc** performs a check RP session exists containing the logged-in userinfo.\n3. **nginx-openidc** decrypts cookie, verifies payload.\n4. On success, The **nginx-openidc** sets request headers X-OIDC-* i.e. X-OIDC-SUBJECT, X-OIDC-ISSUER and many more depending on scopes requested from JWT claim.\n5. In post \"Access\" phase, **nginx-openidc** oidc-config.xml rules are executed.\n\tThis is most important phase where you can define unlimited authorization rules based on X-OIDC-* header\n6. Upon successfully running rules in post authorization phase, nginx forwards them to the\n   backend **service** application.\n7. The **service** application can use the X-OIDC-* headers as-is.\n\nThe request flow - API Gateway\n------------------------------------\n1. ClientApp gets a JWT from authorized OP or generates a JWT using \"client-credentials\" flow\n2. The clientApp makes a request for a protected API on `ngx-oidc-demo.com` for resource with access_token as \"Authorization: Bearer \u003cid_token\u003e\" header. \nExamples\n\thttp://ngx-oidc-demo.com/api/user.email\n\tAuthorization: Bearer \u003cid_token received from step(1)\u003e\n3. In \"Access\" phase of nginx, **nginx-openidc** performs JWT validation.\n4. On success, The **nginx-openidc** sets request headers X-OIDC-* i.e. X-OIDC-SUBJECT, X-OIDC-ISSUER and many more depending on scopes requested from JWT claim.\n5. In post \"Access\" phase, **nginx-openidc** oidc-config.xml rules are executed.\n6. Upon successfully running rules in post authorization phase, nginx forwards them to the\n   backend **service** application.\n7. The **service** application can use the X-OIDC-* headers as-is.\n   \nHere are the some of the features supported.\n\nFeatures\n------------\n- Supports all OAuth2.0/OpenID-Connect flows\n- Supports HS256 and RS256\n- Supports rotated RS256 public key.\n- Implements Access phase which validates id_token(JWT) and passes claims as custom headers\n- Implements Post Authorization phase custom response based on custom headers.\n- Allows multiple relying party based on callback url\n- Allows multiple OpenID-Connect Provider\n- Supports \"nonce\" generation and validation\n- Supports relying party session\n- Removes custom headers from incoming request to ensure these headers are not spoofed.\n- Unlimited capabilities from Authorization to rewrites\n- Capabilites to add/remove/update request/response headers\n- Capability to generate custom error response\n- Support fo auto refresh entire oidc-config.xml and retrieve RS256 publicKeys from JWKS url periodically with no server restart\n\nSupported platforms\n--------------------------------------\n- All the flavors of *nix platforms, freebsd.\n\n# Installation\n``````````\ngit clone https://github.com/tarachandverma/nginx-openidc.git\ncd nginx-openidc\nwget 'http://nginx.org/download/nginx-1.14.0.tar.gz'\ntar -xzvf nginx-1.14.0.tar.gz\ncd nginx-1.14.0/\n\n # Here we assume you would install you nginx under /opt/nginx/.\n ./configure --add-module=../src --with-http_ssl_module\n make\n make install\n``````````\n     \n# Test ( using docker )\n#build docker image\n- docker build -t nginx-oidc .\n\n#run docker image\t\n- docker run -p 80:80 -p 443:443 -i -t nginx-oidc\n\n#add /etc/hosts entry\n- NEW-DOCKER-IP ngx-oidc-demo.com\n\n#access docker container via protected path\n- http://ngx-oidc-demo.com/protected\n\t\n# Example : \n````````````````````\nX-OIDC-VALIDATE-STATUS = \tsuccess\nX-OIDC-ISSUER = \thttps://accounts.google.com\nX-OIDC-SUBJECT = \t113146716035256978692\nX-OIDC-AUDIENCE = \t282412598309-545pvmsh9r23f4k1o7267744s59sod6v.apps.googleusercontent.com\nX-OIDC-NONCE = \ta44df6ae-27f2-4c92-85e1-a22eb6381f53\nX-OIDC-EMAIL = \txxxx@gmail.com\n\nX-REQUEST-METHOD = \tGET\nX-REQUEST-SCHEME = \thttp\nX-RP-SESSION = \t7a6db077-ea64-47b4-ae77-2f438f4803ba\n\nNote: headers available on successful JWT validation ( all header is prefixed with HTTP_ when it reaches to backend app )\n````````````````````\n\n# Main Configuration\n````````````````````\nOPENIDC_HomeDir                        /usr/local/nginx/conf;\nOPENIDC_LogFile                        oidc-refresh.log;\nOPENIDC_SharedMemory  file=/config.shm size=61000;\nOPENIDC_RemotePath uri=https://raw.githubusercontent.com/tarachandverma/nginx-openidc/master/example-conf/;\nOPENIDC_PassPhrase                     secret123;\nOPENIDC_HeaderPrefix                   X-OIDC-;\nOPENIDC_RefreshWaitSeconds             20;\nOPENIDC_ConfigFile                     oidc-config.xml;\n\n````````````````````\n\n- **OPENIDC_HomeDir** Home directory to hold openid configuration and logs files.\n\nSpecify description string.\n\n- **OPENIDC_LogFile**\n\nLog file is generated upon startup and refresh and records information whats loaded in shared memory.\n\n- **OPENIDC_SharedMemory**\n\nSpecifies shared memory file name and size\n\n- **OPENIDC_RemotePath**\n\nOptional: Specifies remote directory to download oidc-config.xml during startup.\n\n- **OPENIDC_PassPhrase**\n\nSpecifies passPhrase to encrypt/decrypt relying party session\n\n- **OPENIDC_HeaderPrefix**\n\nSpecifies custom headers prefix for the claims, default:X-OIDC-\n\n- **OPENIDC_RefreshWaitSeconds (mendatory if OP signing keys are rotating )**\n\nThis will refresh entire oidc-config.xml remote repository defined by OPENIDC_RemotePath along with OP publicKeys \ndefined by \u003cjwksUri\u003e in oidc-config.xml\ndefault:no refresh\n\n- **OPENIDC_ConfigFile**\n\nSpecify relying party configuration and custom post Authorization response and rules\n\n\nHow to enable ngx openid-connect : nginx.conf\n---------------------------------------------\n`````````````````````\n\nhttp {\n\n\t...\n\tOPENIDC_HomeDir                        /usr/local/nginx/conf;\n\tOPENIDC_LogFile                        oidc-refresh.log;\n\tOPENIDC_SharedMemory  file=/config.shm size=61000;\n\tOPENIDC_RemotePath uri=https://raw.githubusercontent.com/tarachandverma/nginx-openidc/master/example-conf/;\n\tOPENIDC_PassPhrase                     secret123;\n\tOPENIDC_HeaderPrefix                   X-REMOTE-;\n\t#OPENIDC_RefreshWaitSeconds\t\t\t\t20;\n\tOPENIDC_ConfigFile                     oidc-config.xml;\n\t\n\tserver {\n\t\t\t...\n\t\t\t# authorization code flow - exchanging authorization code to id_token(JWT)\n\t\t    location /internal/oauth2/token {\n\t\t    \tinternal;\n\t\t        proxy_pass https://www.googleapis.com/oauth2/v4/token;\n\t\t    }\n\t}\n...\n}\n\n\n`````````````````````\n\nopenid-connect configuration : oidc-conf.xml\n-------------------------------------------\n\n```XML\n\u003c?xml version=\"1.0\"?\u003e\n\u003coidcConfig\u003e\n   \u003coidcProviders\u003e\n\t\u003c!-- OpenID-Connect Provider metadata url --\u003e\t \n\t \u003coidcProvider id=\"$$unique identifier$$\" issuer=\"$$OP issuer$$\"\u003e\n\t \t\u003cmetadataUrl\u003e$$OP metadata url$$\u003c/metadataUrl\u003e\n\t\t\u003c!--you can set individua params as well if metadata is not available --\u003e\n\t \t\u003cauthorizationEndpoint\u003e$$OP authorization_end_point$$\u003c/authorizationEndpoint\u003e\n\t \t\u003ctokenEndpoint\u003e$$OP token_end_point same as defined in nginx.conf's proxy_pass for token endpoint$$\u003c/tokenEndpoint\u003e\n\t \t\u003cjwksUri\u003e$$OP json web keys end poing$$\u003c/jwksUri\u003e\u003c!-- json web keys url exposed by OP, useful if keys are rotated by OP --\u003e\n\t \t\u003c!-- json web keys in JSON format, useful if keys are not rotated by OP --\u003e\n\t \t\u003cjwksJson\u003e\u003c![CDATA[{\n \"keys\": [\n  $$key1 json$$,\n  $$key2 json$$,\n  $$key3 json$$,\n  ...\n  $$keyn json$$\n ]\n}]]\u003e\u003c/jwksJson\u003e\n\t\u003c!-- example --\u003e\t \t\n\t \t\u003c!--jwksJson\u003e\u003c![CDATA[{\n \"keys\": [\n  {\n   \"kty\": \"RSA\",\n   \"alg\": \"RS256\",\n   \"use\": \"sig\",\n   \"kid\": \"2758a0d689ad62a453a671429a41d192d6bb7291\",\n   \"n\": \"wjiigb39qOCj_WwYKqspYpk7SbuirXARcOo8bLzI95V3OIisz-40eOyo_SaeNeDb4KOcWZ9Qr0YmRnw0G8JhfVB973KwTURsUHQw3Q1fZSBw5T0vCMS5UHbMLxjHptCZ6kVRbBnRVuCMvY3ws0LCK9h9e4l7rCfXMQF3IlBUCisrGpYiVTO1-Mj3J6h_TJ7QDRQnqkX5jzcv-8XCRg_BefA40sC2fXjpZezdf8i27d3tuPRsjD46wFydDZk_KFBqSr8RE2EzJ6yaSNWnKByJejA6tNLK72UIrt0GE83TS1d369kGN2hk57gonlNMo-v5GTFweFNnQGU1xOng30bdvQ\",\n   \"e\": \"AQAB\"\n  },\n  {\n   \"kty\": \"RSA\",\n   \"alg\": \"RS256\",\n   \"use\": \"sig\",\n   \"kid\": \"8a60d44a4ece38c0c9d16be136b2a1427b1d6ee0\",\n   \"n\": \"l9Cn5qmr7VFKIed9RQIZPdenYp-V1BDM1wMg7Rpkl8mNQ7qsnJWuK8JKQoIljbwr9L1kKikKOR37z1prV0ZTQQao73YsB34OLbi25g0Xcr32j5giQDMxmFxmrYN1LG-T4qEOI4hE52Bafr5jBuZwL56HeuEU5G-QunGrNieGcfdVFXVW8-f9UBkJmoF_Dw_H38wNKif79tGKD2XXdG-VjT-Pg2nbpzQ6fIXunzaaW9aUyoNZWpQQ9_QBqgEApHAP5qWGQsUQLwzkiUr1Du51ERLC7nm3B-pLFqIlRmqiWVtUAdF0wkKaCQXyvFS2KabG9D4aX0T_MKESsV7T6wwvsQ\",\n   \"e\": \"AQAB\"\n  },\n  {\n   \"kty\": \"RSA\",\n   \"alg\": \"RS256\",\n   \"use\": \"sig\",\n   \"kid\": \"eb29843dd7334cf989e1db6a2b0c6e07a10a9cd3\",\n   \"n\": \"jTBFxlzE8GwPWvSRsiUIiZGp8QxhZNv9QMhoEIHaoyaTlHBGS3cmsqhEroFjW5dwiVee_WJFBd7IcoaBZgVmHgLVMCr7dDokcO2LWIgbPikS1gfCuD2twZyoGdVWRpLy1KGSFlINcn1bbvPpod6Bt3sEEIv-rSSR5sgRFJbPpKwIZDrZnZMRPVM6a29WJ129uo04hIpig3p7ULpFTJrAkkQAtfEtP_uFJXCF8DrG1HoM6xlVOR2ksqjkpQYAa7p5yPZGEn_oZDxeVSzjuKG5KRt7-UL7hSg3q4jdEeX60j6DAZEcxX8apIpmYG2gmACBWKWnguHRZXdqfofyBcKizQ\",\n   \"e\": \"AQAB\"\n  },\n  {\n   \"kty\": \"RSA\",\n   \"alg\": \"RS256\",\n   \"use\": \"sig\",\n   \"kid\": \"0ec3739dba77e22d632f3484b687391a8956f96b\",\n   \"n\": \"jA4LmJfj1zuYFYCEWJD62Di-LbuamWbTqdhSaNWCRovztCIY0UlbnoGluNpzePOHJSuocOgucQNybwpdCVJ9S0rCPccytDw1hAxcFqmHOeqGIdfnpCojF0m9pggleHgWI9biwWt1jbkAqNx7VK1gNUkhWoVp_iQGfE37DnWptdDMmh9wVMc2SY8wqxtkcZebYpRNE52t1HSnXJ6z_HtMYvoRpi35Ltv6tuB16vFgb70k3AiGfrK8llpo8VZBHax5MCAZM612zA24G3tYDPSPGksrnoUFL5Iwyv-Mf9y4y6kFlV5hIpC27VPJxXzc9jD1kMBmQxIArHpAVsea_C8eQQ\",\n   \"e\": \"AQAB\"\n  }\n ]\n}]]\u003e\u003c/jwksJson--\u003e\t \t\n\t \u003c/oidcProvider\u003e\n   \u003c/oidcProviders\u003e\n\n\t\u003c!-- relying parties configuration, you can configure multiple relying parties, default must be configured and usually same as first one in case there is only one --\u003e\n\t \u003crelyingParties\u003e\n\t \t\u003crelyingParty id=\"$$unique identifier1$$\" clientID=\"$$YOUR CLIENT ID for app1$$\" clientSecret=\"$$YOUR CLIENT SECRET for app1$$\" validateNonce=\"true/false depending on if you want to validate JWT nonce\"\u003e\n\t \t\t\u003cdescription\u003enginx oidc demo\u003c/description\u003e\n\t \t\t\u003credirectUri\u003e$$CALLBACK URL WHERE ID_TOKEN OR CODE WILL BE RECIEVED$$\u003c/redirectUri\u003e\n\t \t\t\u003cissuer\u003e$$OIDC ISSUER FROM ABOVE LIST TO SELECT APPROPRIATE TOKEN EXCHANGE END-POINT FOR ID_TOKEN$$\u003c/issuer\u003e\t \t\t\n\t \t\u003c/relyingParty\u003e\n\t \t\u003crelyingParty id=\"$$unique identifier2$$\" clientID=\"$$YOUR CLIENT ID for app2 $$\" clientSecret=\"$$YOUR CLIENT SECRET for app2$$\" validateNonce=\"true/false depending on if you want to validate JWT nonce\"\u003e\n\t \t\t\u003cdescription\u003enginx oidc demo\u003c/description\u003e\n\t \t\t\u003credirectUri\u003e$$CALLBACK URL WHERE ID_TOKEN OR CODE WILL BE RECIEVED$$\u003c/redirectUri\u003e\n\t \t\t\u003cissuer\u003e$$OIDC ISSUER FROM ABOVE LIST TO SELECT APPROPRIATE TOKEN EXCHANGE END-POINT FOR ID_TOKEN$$\u003c/issuer\u003e\t \t\t\n\t \t\u003c/relyingParty\u003e\n\t \t...\n\t \t\u003crelyingParty id=\"$$unique identifierN$$\" clientID=\"$$YOUR CLIENT ID for appn $$\" clientSecret=\"$$YOUR CLIENT SECRET for appn$$\" validateNonce=\"true/false depending on if you want to validate JWT nonce\"\u003e\n\t \t\t\u003cdescription\u003enginx oidc demo\u003c/description\u003e\n\t \t\t\u003credirectUri\u003e$$CALLBACK URL WHERE ID_TOKEN OR CODE WILL BE RECIEVED$$\u003c/redirectUri\u003e\n\t \t\t\u003cissuer\u003e$$OIDC ISSUER FROM ABOVE LIST TO SELECT APPROPRIATE TOKEN EXCHANGE END-POINT FOR ID_TOKEN$$\u003c/issuer\u003e\t \t\t\n\t \t\u003c/relyingParty\u003e\t \t\t \t\n\t \u003c/relyingParties\u003e\n\t \u003c!-- end of relying parties configuration --\u003e\n\t \n \t \u003c!-- specify collection of actions inside the pageActions --\u003e\n     \u003coidcActions\u003e\t\u003c!-- start of page-actions --\u003e\n \n\t\t\u003c!-- nginx authz handlers --\u003e\n\t    \u003caction id=\"oidc_version\"\u003e\u003chandler\u003eoidc_version\u003c/handler\u003e\u003c/action\u003e\n\t    \u003caction id=\"oidc_config_core_status\"\u003e\u003chandler\u003eoidc_config_core_status\u003c/handler\u003e\u003c/action\u003e\n\t    \u003caction id=\"oidc_rewrite_pageactions\"\u003e\u003chandler\u003eoidc_rewrite_pageactions\u003c/handler\u003e\u003c/action\u003e\n\t    \u003caction id=\"oidc_rewrite_actionmappings\"\u003e\u003chandler\u003eoidc_rewrite_actionmappings\u003c/handler\u003e\u003c/action\u003e\n\t    \u003caction id=\"oidc_rewrite_match\"\u003e\u003chandler\u003eoidc_rewrite_match\u003c/handler\u003e\u003c/action\u003e\n\t    \u003caction id=\"oidc_headers\"\u003e\u003chandler\u003eoidc_headers\u003c/handler\u003e\u003c/action\u003e\t    \n\t    \u003caction id=\"oidc_index\"\u003e\u003chandler\u003eoidc_index\u003c/handler\u003e\u003c/action\u003e\n\n        \u003caction id=\"$$unique-action-name1$$\" debug=$$true/false$$ type=\"$$login|callback|action$$\"\u003e\u003c!-- debug echo hostname of front-end box and/or echoes backend proxied box if its proxy request, default action type is authorize --\u003e\n    \t    \u003cdescription\u003edescribe what action does in few words\u003c/description\u003e \u003c!-- string --\u003e\n            \u003cisForward\u003etrue/false\u003c/isForward\u003e \u003c!-- boolean set it to true if its internal redirect, false for 302 redirect, default value true --\u003e\n            \u003cisPermanent\u003etrue/false\u003c/isPermanent\u003e \u003c!-- boolean, set it to true if permanent redirect 301 --\u003e\n            \u003cbase64UrlEncodeState\u003etrue/false\u003c/base64UrlEncodeState\u003e \u003c!-- boolean, set it to true if you want to base64encode current url instead of urlEncode passed in state --\u003e            \n            \u003cregex\u003e$$regex-to-generate-tokens-to-build-below-url$$\u003c/regex\u003e \u003c!-- string --\u003e\n            \u003cadvancedTemplate\u003etrue/false\u003c/advancedTemplate\u003e \u003c!-- string, set to true of below url is dynamically generated using cookie, request headers --\u003e\n            \u003curi\u003e$$target-path1\u003c/uri\u003e \u003c!-- string, specify relative url if internal redirect or full path if external redirect 302 --\u003e\n    \t\t\u003crequestHeaders\u003e \u003c!-- array of header --\u003e\n        \t\t\u003cheader name=\"$$header-name$$\" do=\"add|set|append|merge|unset\" matchList=\"$$match-list-name$$\"\u003e$$header-value$$\u003c/header\u003e\n    \t\t\u003c/requestHeaders\u003e\n    \t\t\u003cresponseheaders\u003e \u003c!-- array of header --\u003e\n        \t\t\u003cheader name=\"$$header-name$$\" do=\"add|set|append|merge|unset\" matchList=\"$$match-list-name$$\"\u003e$$header-value$$\u003c/header\u003e\n    \t\t\u003c/responseheaders\u003e\n\t\t\t\u003coidcProvider\u003e$$unique identifier of oidcProvider as defined in oidcProviders$$\u003c/oidcProvider\u003e\n\t\t\t\u003crelyingParty\u003e$$unique identifier of RelyingParry as defined in relyingParties$$\u003c/relyingParty\u003e                                 \n        \u003c/action\u003e                                                     \n    \u003c/oidcActions\u003e\u003c!-- end of page-actions --\u003e\n\n    \u003c!-- matchLists are collection of individual matchList --\u003e\n    \u003c!-- matchList is collection of individual matches evaluates as match1 OR match2 OR match3 ...  --\u003e\n    \u003c!-- match is collection of individual conditions evaluates as host AND ip AND event AND header1 AND heder2 AND env1 ... --\u003e\n    \u003cmatchLists\u003e  \u003c!-- start of match-lists --\u003e\n       \u003c!-- matchList returns true upon first match ie.evaluates condition as match1 OR match2 OR ... --\u003e\n       \u003cmatchList name=\"$$matchlist-name1$$\"\u003e\n       \t    \u003c!-- match return true if all elements matches ie.evaluates condition as host AND ip AND header1 AND header2 ... --\u003e\n       \t    \u003c!-- Any unspecified tag in match is considered matched ie if unspecified host matches all host  --\u003e\n            \u003cmatch host=”$$host-name-regex$$”\u003e\n                \u003chost\u003e$$host-name-regex$$\u003c/host\u003e \u003c!-- string --\u003e\n            \t\u003cip isregex=\"true/false\" negate=\"true/false\"\u003e$$client-ip-address-regex-or-string$$\u003c/ip\u003e \u003c!-- string --\u003e\n            \t\u003cpath negate=\"true/false\"\u003e$$path-regex-or-string$$\u003c/path\u003e \u003c!-- string --\u003e\n            \t\u003cevent start=\"$$start-time$$\" end=\"$$end-time$$\" /\u003e \u003c!-- date time string ddd mmm MM HH:MM:SS YYYY format --\u003e\n                \u003cheader name=\"$$header-name1$$\" isregex=\"$$true/false$$\" negate=$$true/false$$ delimAnd=\"$$delimitor$$\" \u003e$$header-value1$$\u003c/header\u003e \n                \u003cheader name=\"$$header-name2$$\" isregex=\"$$true/false$$\" negate=$$true/false$$ delimAnd=\"$$delimitor$$\" \u003e$$header-value2$$\u003c/header\u003e\n                .\t.\t. \n            \u003c/match\u003e\n            \u003cmatch\u003e \u003c!-- match2 --\u003e\n            \u003c/match\u003e\n            \u003cmatch\u003e \u003c!-- match3 --\u003e\n            \u003c/match\u003e\n        \u003c/matchList\u003e\n       \u003cmatchList name=\"$$matchlist-name1$$\"\u003e\n            \u003cmatch host=”$$host-name$$”\u003e \n                \u003cheader name=\"$$header-name1$$\"\u003e$$header-value1$$\u003c/header\u003e \n                \u003cheader name=\"$$header-name2$$\"\u003e$$header-value2$$\u003c/header\u003e\n                .\t.\t. \n            \u003c/match\u003e \n        \u003c/matchList\u003e\n        .\t.\t.\n    \u003c/matchLists\u003e\n\t\n    \u003c!-- locations are collection of individual mappings --\u003e\n    \u003c!-- mappings is associated to source path and list of actions to choose  --\u003e\n    \u003clocations\u003e \u003c!-- array --\u003e\n\t\t\u003c!-- nginx authz handlers to verify oidc information, mainly for debug purpose --\u003e\n\t    \u003clocation path=\"^/oidc/version\"\u003e\u003coidcAction\u003eoidc_version\u003c/oidcAction\u003e\u003c/location\u003e\n\t    \u003clocation path=\"^/oidc/config-status\"\u003e\u003coidcAction\u003eoidc_config_core_status\u003c/oidcAction\u003e\u003c/location\u003e\n\t    \u003clocation path=\"^/oidc/rewrite-pageactions\"\u003e\u003coidcAction\u003eoidc_rewrite_pageactions\u003c/oidcAction\u003e\u003c/location\u003e\n\t    \u003clocation path=\"^/oidc/rewrite-actionmappings\"\u003e\u003coidcAction\u003eoidc_rewrite_actionmappings\u003c/oidcAction\u003e\u003c/location\u003e\n\t    \u003clocation path=\"^/oidc/rewrite-match\"\u003e\u003coidcAction\u003eoidc_rewrite_match\u003c/oidcAction\u003e\u003c/location\u003e\n\t    \u003clocation path=\"^/oidc/headers\"\u003e\u003coidcAction\u003eoidc_headers\u003c/oidcAction\u003e\u003c/location\u003e\t    \n\t    \u003clocation path=\"^/oidc\"\u003e\u003coidcAction\u003eoidc_index\u003c/oidcAction\u003e\u003c/location\u003e\n\t    \u003c!-- end of nginx authz--\u003e\n        \n        \u003clocation path=\"$$source-path-regex$$\" matchLists=\"$$comma separated list of matchList$$\" ignoreCase=\"true/false\"\u003e\n                \u003coidcAction matchList=$$matchlist to select this action$$\u003eone of the action in above actions-list-1\u003c/oidcAction\u003e\n                \u003coidcAction matchList=$$matchlist to select this action$$\u003eone of the action in above actions-list-2\u003c/oidcAction\u003e\n                .\t.\t.\n                \u003coidcAction\u003elast action, its default action if above action don't match\u003c/oidcAction\u003e\n        \u003c/location\u003e\n\t\t.\t.\t.                                                                 \n    \u003c/locations\u003e \u003c!-- end of locations --\u003e\n\u003c/oidcConfig\u003e\n\n```\n\n**mapping** source url \n- **path**  specifies uri patterns match on source uri\n\n- **oidcAction** specifies action taken in authorization where it can use all the x-oidc-* headers avaiable in the request\n\n- **matchLists** specifies the condition\n\n**action** target action on source url\n- **description** specifies what action is all about in couple of words\n\n- **isForward**  specifies internal forwared/redirect if set to true\n- **isLoginRedirect**  specifies initial authorize request to OP meaning automatically adds state=CURRENT_URI and nonce=CSRF_AND_ID_TOKEN_REPLAY protection in initial request\n- **uri** specifies the target url which can be generated from source url\n- **advancedTemplate** specifies advanced usage to generate target url using various kind of format.\n  Target url : \u003curi\u003ehttp://hostname:port/myurl/%{format}\u003cformat-tag\u003e\u003c/uri\u003e\n\nFollowing format-tags are supported.\n\n               'r', requestVariables, \n               's', serverVariables,\n               'c', requestCookie, \n               'u', urlDecodeToken, \n               'U', urlEncodeToken, \n               'q', requestQuery\n\nDevelopment\n------------\n\n- Source hosted at [GitHub](https://github.com/tarachandverma/nginx-openidc)\n- Report issues, questions, feature requests on [GitHub Issues](https://github.com/tarachandverma/nginx-openidc/issues)\n\nDiagnostics\n---------------------\n\n- Log file path\n-  \tStartup log - \u003chomeDir\u003e/oidc-refresh.log\n\n\nRelated open source (OpenID connect Provider)\n---------------------------------------------\nhttps://github.com/tarachandverma/easy-oidc-provider\n\t\nAuthors\n-------\n\n[Tara chand Verma]\n\n* * *\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftarachandverma%2Fnginx-openidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftarachandverma%2Fnginx-openidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftarachandverma%2Fnginx-openidc/lists"}