oidc_frontend_backend.conf

# -----------------------------------------------------------------------------#
#                                                                              #
#               Sample Configuration: Frontend Site, Backend App               #
#                       (for Open ID Connect workflow)                         #
#                                                                              #
# -----------------------------------------------------------------------------#

# Custom log format to include the 'sub' claim in the REMOTE_USER field.
#
log_format oidc_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '"$http_x_forwarded_for"';

# Sample upstream server for the frontend site.
#
upstream my_frontend_site {
    zone my_frontend_site 64k;
    server 127.0.0.1:9091;
}

# Sample upstream server for the backend app.
#
upstream my_backend_app {
    zone my_backend_app 64k;
    server 127.0.0.1:9092;
}

# Sample frontend/api server - proxy with OIDC workflow.
#
server {
    # Enable when debugging is needed
    error_log  /var/log/nginx/error.log  debug; # Reduce severity level as required
    access_log /var/log/nginx/access.log main;

    listen 443 ssl;
    server_name nginx.auth0.test;

    ssl_certificate     /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    # OIDC workflow
    include conf.d/openid_connect.server_conf;  

    # Frontend Example:
    #  - Default landing page: no need OIDC workflow to show 'login' button.
    #  - The site can be protected with OIDC after calling /login endpoint.
    #
    location / {
        proxy_pass http://my_frontend_site;
        access_log /var/log/nginx/access.log oidc_jwt;
    }

    # Backend App Example:
    #  - This is protected by session management not to be accessed by other
    #    user-agent, client IP and ID when $session_validation_enable is true.
    #  - It can be additionally protected by using token(s) that is(are) received
    #    by IDP after successful login from the frontend based on OIDC workflow.
    #
    location /v1/api/example {
        auth_jwt "" token=$session_jwt;
        auth_jwt_key_request /_jwks_uri;        # Enable when using URL

        proxy_set_header Authorization "Bearer $access_token";
        proxy_pass http://my_backend_app;
        access_log /var/log/nginx/access.log oidc_jwt;
    }
}

# vim: syntax=nginx