feat: advanced example of proxy server

Author: shawnhankim

README.md

@@ -161,7 +161,7 @@ Manual configuration involves reviewing the following files so that they match y
   - Set a unique value for `$oidc_hmac_key` to ensure nonce values are unpredictable
   - If NGINX Plus is deployed behind another proxy or load balancer, modify the `map…$redirect_base` and `map…$proto` blocks to define how to obtain the original protocol and port number.
 
-- **frontend.conf, frontend_backend_sample_v2.conf** - this of reverse proxy configuration
+- **frontend.conf** - this of reverse proxy configuration
 
   - Modify the upstream group to match your backend site or app
   - Configure the preferred listen port and [enable SSL/TLS configuration](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/)
@@ -170,8 +170,9 @@ Manual configuration involves reviewing the following files so that they match y
 
   > Note:
   >
-  > - Sample 1. frontend.conf: landing page starts OIDC flow without a login/logout button
-  > - Sample 2. frontend_backend_sample_v2.conf
+  > - 1. Basic Example. Landing page starts OIDC flow without a login button
+  >
+  > - 2. Advanced Example. Landing page, login/logout button to start/finish OIDC workflow
   >   - Landing page with `login` button
   >   - `login` button to start OIDC flow by validating `id token` with the JWK of IdP.
   >   - Landing page calls the `/userinfo` endpoint to show user information by validating `access token` with the JWK of IdP.

docker/build-context/nginx/nginx.conf

@@ -23,7 +23,6 @@ http {
     keepalive_timeout   65;
 
     include conf.d/openid_connect_configuration.conf;
-    include conf.d/frontend_backend_sample_v2.conf;
     include conf.d/frontend.conf;
     include sample/proxy_server_frontend.conf;
     include sample/proxy_server_backend.conf;

docs/01-oidc-local-test.md

@@ -188,7 +188,7 @@ Update the NGINX Plus configuration file if you want. Otherwise, skip the follow
 
   > Note:
   >
-  > - In the [`frontend_backend_sample_v2.conf`](../frontend_backend_sample_v2.conf), you can add additional API endpoints like:
+  > - In the [`frontend.conf`](../frontend.conf), you can add additional API endpoints like:
   >
   >   ```nginx
   >   location /v1/api/example {

frontend.conf

@@ -1,3 +1,16 @@
+# -----------------------------------------------------------------------------#
+#                                                                              #
+#        Sample Reverse Proxy Configuration: Frontend Site, Backend App        #
+#                       (for Open ID Connect workflow)                         #
+#                                                                              #
+# -----------------------------------------------------------------------------#
+
+# -----------------------------------------------------------------------------#
+#                                                                              #
+# 1. Basic Example: Landing page starts OIDC workflow w/o login/logout button. #
+#                                                                              #
+# -----------------------------------------------------------------------------#
+
 # This is the backend application we are protecting with OpenID Connect
 upstream my_backend {
     zone my_backend 64k;
@@ -33,4 +46,104 @@ server {
     }
 }
 
+# -----------------------------------------------------------------------------#
+#                                                                              #
+# 2. Advanced Example: Landing page, login/logout button to handle OIDC kflow  #
+#                                                                              #
+#  - Landing page shows 'login' button                                         #
+#  - 'login' button calls `/login` endpoint to start OIDC flow by validating 
+#    'id_token' w/ IdP's JWK.  #
+#  - Landing page calls `/userinfo` to show user info using 'access_token`.    #
+#  - 'logout' button to be finished OIDC session by IdP.                       #
+#  - API authorization by validating `access_token` w/ IdP's JWK               #
+#                                                                              #
+# -----------------------------------------------------------------------------#
+
+#
+# Upstream server for proxing to the frontend site.
+# - This is a bundle frontend app to locally test NGINX Plus OIDC workflow.
+#   + Sample: ./docker/build-context/nginx/sample/proxy_server_frontend.conf
+# - Modify this configuration to match your frontend site.
+#
+upstream my_frontend_site {
+    zone my_frontend_site 64k;
+    server 127.0.0.1:9091;
+}
+
+#
+# Upstream sample for proxing to the backend API server.
+# - This is a bundle backend app to locally test an API using access token.
+#   + Sample: ./docker/build-context/nginx/sample/proxy_server_backend.conf
+# - Modify this configuration to match your backend app.
+#
+upstream my_backend_app {
+    zone my_backend_app 64k;
+    server 127.0.0.1:9092;
+}
+
+#
+# Sample Frontend-site & backend-api-server for the OIDC workflow.
+#
+server {
+    # Enable when debugging is needed.
+    error_log  /var/log/nginx/error.log  debug; # Reduce severity level as required
+    access_log /var/log/nginx/access.log main;
+
+    # Replace the following server name with your host name.
+    #
+    # [Example: if you want to locally test OIDC in your laptop]
+    #  - Add '127.0.0.1 nginx.oidc.test` in your `/etc/hosts'.
+    #  - Use the command like 'make start'.
+    #  - Type 'https://nginx.oidc.test' in your browser.
+    #  - You will see the sample landing page and 'Sign In' button.
+    #
+    listen 8020; # Use SSL/TLS in production
+    server_name nginx.oidc.test;
+
+    # Replace the following files with your certificate.
+    ssl_certificate     /etc/ssl/nginx/nginx-repo.crt;
+    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;
+
+    # OIDC workflow
+    include conf.d/openid_connect.server_conf;  
+
+    #
+    # Frontend example:
+    #
+    #  - Default landing page: no need OIDC workflow to show 'Sign In' button.
+    #  - The site is protected with OpenID Connect(OIDC) by calling the API 
+    #    endpoint of `/login` when users click 'login' button.
+    #
+    location / {
+        proxy_pass http://my_frontend_site;
+        access_log /var/log/nginx/access.log main_jwt;
+    }
+
+    #
+    # Backend API example to interact with proxied backend service:
+    #
+    #  - This API resource is protected by access token which is received by IdP
+    #    after successful signing-in among the frontend site, NGINX Plus and IdP.
+    #
+    #  - To ensure that client requests access the API securely, access token is
+    #    used for API authorization.
+    #    + Most of IdP generate an access token for API authorization of IdP's
+    #      endpoints (like /userinfo) as well as customer's endpoints.
+    #    + But Azure AD generate two types of access token for API authorization
+    #      of Microsoft graph API endpoints and customers' endpoints.
+    #    + Therefore, we recommend that you use $session_jwt for Azure AD and
+    #      $access_token for most of IdPs such as Cognito, Auth0, Keycloak, Okta,
+    #      OneLogin, Ping Identity, etc as for now.
+    #
+    location /v1/api/example {
+        auth_jwt "" token=$access_token;      # Use $session_jwt for Azure AD
+        auth_jwt_key_request /_jwks_uri;      # Enable when using URL
+        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
+
+        proxy_set_header Authorization "Bearer $access_token";
+        proxy_pass http://my_backend_app;
+        access_log /var/log/nginx/access.log main_jwt;
+    }
+}
+
 # vim: syntax=nginx

frontend_backend_sample_v2.conf

@@ -82,7 +82,7 @@
         proxy_ssl_server_name on;             # For SNI to the IdP
         proxy_set_header Authorization "Bearer $access_token";
         proxy_pass       $oidc_userinfo_endpoint;
-        access_log /var/log/nginx/access.log oidc_jwt;
+        access_log /var/log/nginx/access.log main_jwt;
     }
 
     #
@@ -99,7 +99,7 @@
 
         # Redirect to the the original URI of UI after successful login to IDP.
         js_content oidc.redirectPostLogin;
-        access_log /var/log/nginx/access.log oidc_jwt;
+        access_log /var/log/nginx/access.log main_jwt;
     }
 
     #

openid_connect.server_conf

@@ -63,14 +63,14 @@ map $host $post_logout_return_uri {
     #              -> redirect to the '/' location block
     #            ./docker/build-context/content/index.html
     #
-    # default $redirect_base;
+    default $redirect_base;
 
     # Example 2: Redirect to a custom logout page
     #            ./docker/build-context/nginx/sample/proxy_server_frontend.conf
     #              -> redirect to the '/signout' location block
     #            ./docker/build-context/content/signout.html
     #
-    default $redirect_base/signout;
+    # default $redirect_base/signout;
 
     # Example 3: Redirect to an another URL
     # default https://www.nginx.com;