Sync changes from OIDC repo

nginx · May 12, 2022 · 337f1ee · 337f1ee
1 parent bf0e5ba
commit 337f1ee
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 7 deletions.
diff --git a/internal/configs/oidc/oidc.conf b/internal/configs/oidc/oidc.conf
@@ -8,7 +8,7 @@
 
     location = /_jwks_uri {
         internal;
-        proxy_cache jwk;                              # Cache the JWK Set received from IdP
+        proxy_cache jwk;                              # Cache the JWK Set recieved from IdP
         proxy_cache_valid 200 12h;                    # How long to consider keys "fresh"
         proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
         proxy_ssl_server_name on;                     # For SNI to the IdP

diff --git a/internal/configs/oidc/oidc_common.conf b/internal/configs/oidc/oidc_common.conf
@@ -13,14 +13,19 @@ map $http_x_forwarded_proto $proto {
     default $http_x_forwarded_proto;
 }
 
+# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
 proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
+
+# Change timeout values to at least the validity period of each token type
 keyval_zone zone=oidc_id_tokens:1M timeout=1h sync;
 keyval_zone zone=refresh_tokens:1M timeout=8h sync;
+#keyval_zone zone=oidc_pkce:128K timeout=90s sync; # Temporary storage for PKCE code verifier.
 
 keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens;   # Exchange cookie for JWT
 keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie for refresh token
 keyval $request_id $new_session zone=oidc_id_tokens; # For initial session creation
 keyval $request_id $new_refresh zone=refresh_tokens; # ''
+#keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;
 
 auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
 js_import oidc from oidc/openid_connect.js;
diff --git a/internal/configs/oidc/openid_connect.js b/internal/configs/oidc/openid_connect.js
@@ -7,7 +7,30 @@ var newSession = false; // Used by oidcAuth() and validateIdToken()
 
 export default { auth, codeExchange, validateIdToken, logout };
 
-function auth(r) {
+function retryOriginalRequest(r) {
+    delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
+    r.internalRedirect(r.variables.uri + r.variables.is_args + (r.variables.args || ''));
+}
+
+// If the ID token has not been synced yet, poll the variable every 100ms until
+// get a value or after a timeout.
+function waitForSessionSync(r, timeLeft) {
+    if (r.variables.session_jwt) {
+        retryOriginalRequest(r);
+    } else if (timeLeft > 0) {
+        setTimeout(waitForSessionSync, 100, r, timeLeft - 100);
+    } else {
+        auth(r, true);
+    }
+}
+
+function auth(r, afterSyncCheck) {
+    // If a cookie was sent but the ID token is not in the key-value database, wait for the token to be in sync.
+    if (r.variables.cookie_auth_token && !r.variables.session_jwt && !afterSyncCheck && r.variables.zone_sync_leeway > 0) {
+        waitForSessionSync(r, r.variables.zone_sync_leeway);
+        return;
+    }
+
     if (!r.variables.refresh_token || r.variables.refresh_token == "-") {
         newSession = true;
 
@@ -83,14 +106,12 @@ function auth(r) {
                         r.variables.session_jwt = tokenset.id_token; // Update key-value store
 
                         // Update refresh token (if we got a new one)
-                        // 12.2021 - In rare cases the IdP does not include the refresh-token in the response. The rt will be undefined in this case.
-                        if (r.variables.refresh_token != tokenset.refresh_token && tokenset.refresh_token != undefined) {
+                        if (r.variables.refresh_token != tokenset.refresh_token) {
                             r.log("OIDC replacing previous refresh token (" + r.variables.refresh_token + ") with new value: " + tokenset.refresh_token);
                             r.variables.refresh_token = tokenset.refresh_token; // Update key-value store
                         }
 
-                        delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
-                        r.internalRedirect(r.variables.request_uri); // Continue processing original request
+                        retryOriginalRequest(r); // Continue processing original request
                     }
                 );
             } catch (e) {
@@ -104,7 +125,7 @@ function auth(r) {
 
 function codeExchange(r) {
     // First check that we received an authorization code from the IdP
-    if (r.variables.arg_code.length == 0) {
+    if (r.variables.arg_code == undefined || r.variables.arg_code.length == 0) {
         if (r.variables.arg_error) {
             r.error("OIDC error receiving authorization code from IdP: " + r.variables.arg_error_description);
         } else {

diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl
@@ -71,6 +71,7 @@ server {
     include oidc/oidc.conf;
 
     set $oidc_pkce_enable 0;
+    set $zone_sync_leeway 0;
     set $oidc_logout_redirect "/_logout";
     set $oidc_hmac_key "{{ $s.VSName }}";