Questions about [NginxPlus + nginx-openid-connect] proxy use on the intranet

[jiruisong]

Hello

Our company is intended [NginxPlus + nginx-openid-connect] to be used in the intranet

The following problem arises

errorlog:
「503 login.microsoftonline.com could not be resolved」
「js: OIDC unexpected response from IdP when sending authorization code (HTTP 502). 」

Question：

1. Is there a setting like "OIDCOutgoingProxy" in NginxPlus or in nginx-openid-connect module? (Apache+OIDC has such a configuration parameter)

2. Why NginxPlus cannot analyze "login.microsoftonline.com"? Error log: "503 login.microsoftonline.com could not be resolved".

thanks a lot

[route443]

Hi @jiruisong ,

1. If your environment requires the use of a tunneling proxy server when communicating between the NGINX and the identity provider (login.microsoftonline.com), then no, we don't support this.

2. Based on this error message, it's hard for me to say what the root cause is. If you are sure that the DNS server specified in the resolver directive is functioning as expected and can successfully resolve the "login.microsoftonline.com" fqdn, try disabling the IPv6 address lookup (the ipv6=off parameter can be specified), this may help in some cases. In any case, this error has nothing to do with "nginx-openid-connect" module, so if the problem persists, you can contact NGINX Plus support using the appropriate channels.

[souravGuptaSg]

Hi @jiruisong ,
Same issue is being faced by my team on configuring OIDC in nginx plus with IDP (using Auth Zero),
Did you get any solution over it? It would be helpful if you could share the same

[llomgui]

Hello @jiruisong @souravGuptaSg,

Did you find a solution?

About the resolver, I added a configmap to fix the issue:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  resolver-addresses: dns-default.openshift-dns.svc.cluster.local

About the proxy, I could not find it yet.

[route443]

At the moment neither njs (neither through fetch nor through subrequest) supports the HTTP CONNECT method. I think we can re-evaluate this once such functionality is added either to njs or to nginx.