Add OIDC userinfo endpoint

Author: shawnhankim

README.md

@@ -102,6 +102,7 @@ When NGINX Plus is deployed behind another proxy, the original protocol and port
     * Obtain the URL for `jwks_uri` or download the JWK file to your NGINX Plus instance
     * Obtain the URL for the **authorization endpoint**
     * Obtain the URL for the **token endpoint**
+    * Obtain the URL for the **userinfo endpoint**
 
 ## Configuring NGINX Plus
 

configure.sh

@@ -120,7 +120,7 @@ fi
 # Build an intermediate configuration file
 # File format is: <NGINX variable name><space><IdP value>
 #
-jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf
+jq -r '. | "$oidc_authz_endpoint \(.authorization_endpoint)\n$oidc_token_endpoint \(.token_endpoint)\n$oidc_jwks_uri \(.jwks_uri)\n$oidc_userinfo_endpoint \(.userinfo_endpoint)"' < /tmp/${COMMAND}_$$_json > /tmp/${COMMAND}_$$_conf
 
 # Create a random value for HMAC key, adding to the intermediate configuration file
 echo "\$oidc_hmac_key `openssl rand -base64 18`" >> /tmp/${COMMAND}_$$_conf
@@ -178,7 +178,7 @@ fi
 
 # Loop through each configuration variable
 echo "$COMMAND: NOTICE: Configuring $CONFDIR/openid_connect_configuration.conf"
-for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do
+for OIDC_VAR in \$oidc_authz_endpoint \$oidc_token_endpoint \$oidc_jwt_keyfile \$oidc_userinfo_endpoint \$oidc_hmac_key $CLIENT_ID_VAR $CLIENT_SECRET_VAR $PKCE_ENABLE_VAR; do
 	# Pull the configuration value from the intermediate file
 	VALUE=`grep "^$OIDC_VAR " /tmp/${COMMAND}_$$_conf | cut -f2 -d' '`
 	echo -n "$COMMAND: NOTICE:  - $OIDC_VAR ..."

frontend.conf

@@ -40,6 +40,17 @@ server {
 
         access_log /var/log/nginx/access.log main_jwt;
     }
+
+    location = /foobar {
+        # This location is an example for User Agent to obtain requested claims
+        # about the End-User if necessary:
+        # - https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+        error_page 401 = @do_oidc_flow;
+        proxy_intercept_errors on;
+        proxy_ssl_server_name on;
+        proxy_set_header Authorization "Bearer $access_token";
+        proxy_pass $oidc_userinfo_endpoint;
+    }
 }
 
 # vim: syntax=nginx

openid_connect.server_conf

@@ -66,6 +66,26 @@
         error_page 500 502 504 @oidc_error;
     }
 
+    location = /userinfo {
+        # This location is to provide signed-in user information claims that are
+        # defined in $oidc_userinfo_required_claims.
+        default_type application/json;
+        if ($oidc_userinfo_required_claims = '') {
+            return 200 '{"name": "", "message":"details not provided per your policy"}';
+        }
+        js_content oidc.userInfo;
+    }
+
+    location = /_userinfo {
+        # This location is called by oidc.userInfo() when calling /userinfo
+        # to get signed-in user information from the OP:
+        # - https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+        internal;
+        proxy_ssl_server_name on;             # For SNI to the IdP
+        proxy_set_header Authorization "Bearer $access_token";
+        proxy_pass       $oidc_userinfo_endpoint;
+    }
+
     location = /logout {
         status_zone "OIDC logout";
         add_header Set-Cookie "auth_token=; $oidc_cookie_flags"; # Send empty cookie

openid_connect_configuration.conf

@@ -28,6 +28,10 @@ map $host $oidc_jwt_keyfile {
     default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs";
 }
 
+map $host $oidc_userinfo_endpoint {
+    default "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/userinfo";
+}
+
 map $host $oidc_client {
     default "my-client-id";
 }