feat: add intercept error enable and fix checking OIDC config data

fix: compare OIDC option to enable access token and intercepting error

fix: revert

Author: shawnhankim

deployments/common/crds/k8s.nginx.org_policies.yaml

@@ -136,6 +136,8 @@ spec:
                       type: integer
                     accessTokenEnable:
                       type: boolean
+                    interceptErrorEnable:
+                      type: boolean
                 rateLimit:
                   description: RateLimit defines a rate limit policy.
                   type: object

deployments/helm-chart/crds/k8s.nginx.org_policies.yaml

@@ -136,6 +136,8 @@ spec:
                       type: integer
                     accessTokenEnable:
                       type: boolean
+                    interceptErrorEnable:
+                      type: boolean
                 rateLimit:
                   description: RateLimit defines a rate limit policy.
                   type: object

docs/content/configuration/policy-resource.md

@@ -357,6 +357,7 @@ spec:
     tokenEndpoint: https://idp.example.com/openid-connect/token
     jwksURI: https://idp.example.com/openid-connect/certs
     accessTokenEnable: true
+    interceptErrorEnable: false
 ```
 
 NGINX Plus will pass the ID of an authenticated user to the backend in the HTTP header `username`.
@@ -388,6 +389,8 @@ The OIDC policy defines a few internal locations that can't be customized: `/_jw
 |``zoneSyncLeeway`` | Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is ``200``. | ``int`` | No |
 |``accessTokenEnable`` | Option of whether Bearer token is used to authorize NGINX to access protected backend. | ``boolean`` | No |
 {{% /table %}}
+|``interceptErrorEnable`` | Option to intercept and redirect "401 Unauthorized" proxied responses to nginx for processing with the `error_page` directive to restart `@do_oidc_flow` if an access token can expire before ID token. | ``boolean`` | No |
+{{% /table %}}
 
 > **Note**: Only one OIDC policy can be referenced in a VirtualServer and its VirtualServerRoutes. However, the same policy can still be applied to different routes in the VirtualServer and VirtualServerRoutes.
 

examples/custom-resources/oidc/oidc.yaml

@@ -11,3 +11,4 @@ spec:
     jwksURI: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/certs
     scope: openid+profile+email
     accessTokenEnable: true
+    interceptErrorEnable: false

internal/configs/oidc/openid_connect.js

@@ -101,7 +101,7 @@ function auth(r, afterSyncCheck) {
                             return;
                         }
 
-                        // Update ID token and access token in the key-value store
+                        // ID Token is valid, update keyval
                         r.log("OIDC refresh success, updating id_token for " + r.variables.cookie_auth_token);
                         r.variables.session_jwt = tokenset.id_token;
                         if (tokenset.access_token) {

internal/configs/version2/http.go

@@ -111,16 +111,17 @@ type EgressMTLS struct {
 
 // OIDC holds OIDC configuration data.
 type OIDC struct {
-	AuthEndpoint      string
-	ClientID          string
-	ClientSecret      string
-	JwksURI           string
-	Scope             string
-	TokenEndpoint     string
-	RedirectURI       string
-	ZoneSyncLeeway    int
-	AuthExtraArgs     string
-	AccessTokenEnable bool
+	AuthEndpoint         string
+	ClientID             string
+	ClientSecret         string
+	JwksURI              string
+	Scope                string
+	TokenEndpoint        string
+	RedirectURI          string
+	ZoneSyncLeeway       int
+	AuthExtraArgs        string
+	AccessTokenEnable    bool
+	InterceptErrorEnable bool
 }
 
 // WAF defines WAF configuration.

internal/configs/version2/nginx-plus.virtualserver.tmpl

@@ -429,9 +429,13 @@ server {
         {{ $proxyOrGRPC }}_set_header username $jwt_claim_sub;
         {{ end }}
 
-        {{ if $s.OIDC.AccessTokenEnable }}
+        {{ with $oidc := $s.OIDC }}
+            {{ if $oidc.AccessTokenEnable }}
         {{ $proxyOrGRPC }}_set_header Authorization "Bearer $access_token";
+            {{ end }}
+            {{ if $oidc.InterceptErrorEnable }}
         {{ $proxyOrGRPC }}_intercept_errors on;
+            {{ end }}
         {{ end }}
 
         {{ with $l.WAF }}

internal/configs/virtualserver.go

@@ -1052,16 +1052,17 @@ func (p *policiesCfg) addOIDCConfig(
 		}
 
 		oidcPolCfg.oidc = &version2.OIDC{
-			AuthEndpoint:      oidc.AuthEndpoint,
-			AuthExtraArgs:     authExtraArgs,
-			TokenEndpoint:     oidc.TokenEndpoint,
-			JwksURI:           oidc.JWKSURI,
-			ClientID:          oidc.ClientID,
-			ClientSecret:      string(clientSecret),
-			Scope:             scope,
-			RedirectURI:       redirectURI,
-			ZoneSyncLeeway:    generateIntFromPointer(oidc.ZoneSyncLeeway, 200),
-			AccessTokenEnable: oidc.AccessTokenEnable,
+			AuthEndpoint:         oidc.AuthEndpoint,
+			AuthExtraArgs:        authExtraArgs,
+			TokenEndpoint:        oidc.TokenEndpoint,
+			JwksURI:              oidc.JWKSURI,
+			ClientID:             oidc.ClientID,
+			ClientSecret:         string(clientSecret),
+			Scope:                scope,
+			RedirectURI:          redirectURI,
+			ZoneSyncLeeway:       generateIntFromPointer(oidc.ZoneSyncLeeway, 200),
+			AccessTokenEnable:    oidc.AccessTokenEnable,
+			InterceptErrorEnable: oidc.InterceptErrorEnable,
 		}
 		oidcPolCfg.key = polKey
 	}

internal/configs/virtualserver_test.go

@@ -3136,15 +3136,16 @@ func TestGeneratePolicies(t *testing.T) {
 					},
 					Spec: conf_v1.PolicySpec{
 						OIDC: &conf_v1.OIDC{
-							AuthEndpoint:      "http://example.com/auth",
-							TokenEndpoint:     "http://example.com/token",
-							JWKSURI:           "http://example.com/jwks",
-							ClientID:          "client-id",
-							ClientSecret:      "oidc-secret",
-							Scope:             "scope",
-							RedirectURI:       "/redirect",
-							ZoneSyncLeeway:    createPointerFromInt(20),
-							AccessTokenEnable: true,
+							AuthEndpoint:         "http://example.com/auth",
+							TokenEndpoint:        "http://example.com/token",
+							JWKSURI:              "http://example.com/jwks",
+							ClientID:             "client-id",
+							ClientSecret:         "oidc-secret",
+							Scope:                "scope",
+							RedirectURI:          "/redirect",
+							ZoneSyncLeeway:       createPointerFromInt(20),
+							AccessTokenEnable:    true,
+							InterceptErrorEnable: false,
 						},
 					},
 				},
@@ -4253,11 +4254,12 @@ func TestGeneratePoliciesFails(t *testing.T) {
 					},
 					Spec: conf_v1.PolicySpec{
 						OIDC: &conf_v1.OIDC{
-							ClientSecret:      "oidc-secret",
-							AuthEndpoint:      "http://foo.com/bar",
-							TokenEndpoint:     "http://foo.com/bar",
-							JWKSURI:           "http://foo.com/bar",
-							AccessTokenEnable: true,
+							ClientSecret:         "oidc-secret",
+							AuthEndpoint:         "http://foo.com/bar",
+							TokenEndpoint:        "http://foo.com/bar",
+							JWKSURI:              "http://foo.com/bar",
+							AccessTokenEnable:    true,
+							InterceptErrorEnable: false,
 						},
 					},
 				},
@@ -4300,12 +4302,13 @@ func TestGeneratePoliciesFails(t *testing.T) {
 					},
 					Spec: conf_v1.PolicySpec{
 						OIDC: &conf_v1.OIDC{
-							ClientID:          "foo",
-							ClientSecret:      "oidc-secret",
-							AuthEndpoint:      "https://foo.com/auth",
-							TokenEndpoint:     "https://foo.com/token",
-							JWKSURI:           "https://foo.com/certs",
-							AccessTokenEnable: true,
+							ClientID:             "foo",
+							ClientSecret:         "oidc-secret",
+							AuthEndpoint:         "https://foo.com/auth",
+							TokenEndpoint:        "https://foo.com/token",
+							JWKSURI:              "https://foo.com/certs",
+							AccessTokenEnable:    true,
+							InterceptErrorEnable: false,
 						},
 					},
 				},
@@ -4316,12 +4319,13 @@ func TestGeneratePoliciesFails(t *testing.T) {
 					},
 					Spec: conf_v1.PolicySpec{
 						OIDC: &conf_v1.OIDC{
-							ClientID:          "foo",
-							ClientSecret:      "oidc-secret",
-							AuthEndpoint:      "https://bar.com/auth",
-							TokenEndpoint:     "https://bar.com/token",
-							JWKSURI:           "https://bar.com/certs",
-							AccessTokenEnable: true,
+							ClientID:             "foo",
+							ClientSecret:         "oidc-secret",
+							AuthEndpoint:         "https://bar.com/auth",
+							TokenEndpoint:        "https://bar.com/token",
+							JWKSURI:              "https://bar.com/certs",
+							AccessTokenEnable:    true,
+							InterceptErrorEnable: false,
 						},
 					},
 				},
@@ -4341,15 +4345,16 @@ func TestGeneratePoliciesFails(t *testing.T) {
 			context: "route",
 			oidcPolCfg: &oidcPolicyCfg{
 				oidc: &version2.OIDC{
-					AuthEndpoint:      "https://foo.com/auth",
-					TokenEndpoint:     "https://foo.com/token",
-					JwksURI:           "https://foo.com/certs",
-					ClientID:          "foo",
-					ClientSecret:      "super_secret_123",
-					RedirectURI:       "/_codexch",
-					Scope:             "openid",
-					ZoneSyncLeeway:    0,
-					AccessTokenEnable: true,
+					AuthEndpoint:         "https://foo.com/auth",
+					TokenEndpoint:        "https://foo.com/token",
+					JwksURI:              "https://foo.com/certs",
+					ClientID:             "foo",
+					ClientSecret:         "super_secret_123",
+					RedirectURI:          "/_codexch",
+					Scope:                "openid",
+					ZoneSyncLeeway:       0,
+					AccessTokenEnable:    true,
+					InterceptErrorEnable: false,
 				},
 				key: "default/oidc-policy-1",
 			},
@@ -4365,14 +4370,15 @@ func TestGeneratePoliciesFails(t *testing.T) {
 			},
 			expectedOidc: &oidcPolicyCfg{
 				oidc: &version2.OIDC{
-					AuthEndpoint:      "https://foo.com/auth",
-					TokenEndpoint:     "https://foo.com/token",
-					JwksURI:           "https://foo.com/certs",
-					ClientID:          "foo",
-					ClientSecret:      "super_secret_123",
-					RedirectURI:       "/_codexch",
-					Scope:             "openid",
-					AccessTokenEnable: true,
+					AuthEndpoint:         "https://foo.com/auth",
+					TokenEndpoint:        "https://foo.com/token",
+					JwksURI:              "https://foo.com/certs",
+					ClientID:             "foo",
+					ClientSecret:         "super_secret_123",
+					RedirectURI:          "/_codexch",
+					Scope:                "openid",
+					AccessTokenEnable:    true,
+					InterceptErrorEnable: false,
 				},
 				key: "default/oidc-policy-1",
 			},
@@ -4397,12 +4403,13 @@ func TestGeneratePoliciesFails(t *testing.T) {
 					},
 					Spec: conf_v1.PolicySpec{
 						OIDC: &conf_v1.OIDC{
-							ClientSecret:      "oidc-secret",
-							AuthEndpoint:      "https://foo.com/auth",
-							TokenEndpoint:     "https://foo.com/token",
-							JWKSURI:           "https://foo.com/certs",
-							ClientID:          "foo",
-							AccessTokenEnable: true,
+							ClientSecret:         "oidc-secret",
+							AuthEndpoint:         "https://foo.com/auth",
+							TokenEndpoint:        "https://foo.com/token",
+							JWKSURI:              "https://foo.com/certs",
+							ClientID:             "foo",
+							AccessTokenEnable:    true,
+							InterceptErrorEnable: false,
 						},
 					},
 				},
@@ -4413,12 +4420,13 @@ func TestGeneratePoliciesFails(t *testing.T) {
 					},
 					Spec: conf_v1.PolicySpec{
 						OIDC: &conf_v1.OIDC{
-							ClientSecret:      "oidc-secret",
-							AuthEndpoint:      "https://bar.com/auth",
-							TokenEndpoint:     "https://bar.com/token",
-							JWKSURI:           "https://bar.com/certs",
-							ClientID:          "bar",
-							AccessTokenEnable: true,
+							ClientSecret:         "oidc-secret",
+							AuthEndpoint:         "https://bar.com/auth",
+							TokenEndpoint:        "https://bar.com/token",
+							JWKSURI:              "https://bar.com/certs",
+							ClientID:             "bar",
+							AccessTokenEnable:    true,
+							InterceptErrorEnable: false,
 						},
 					},
 				},
@@ -4446,15 +4454,16 @@ func TestGeneratePoliciesFails(t *testing.T) {
 			},
 			expectedOidc: &oidcPolicyCfg{
 				&version2.OIDC{
-					AuthEndpoint:      "https://foo.com/auth",
-					TokenEndpoint:     "https://foo.com/token",
-					JwksURI:           "https://foo.com/certs",
-					ClientID:          "foo",
-					ClientSecret:      "super_secret_123",
-					RedirectURI:       "/_codexch",
-					Scope:             "openid",
-					ZoneSyncLeeway:    200,
-					AccessTokenEnable: true,
+					AuthEndpoint:         "https://foo.com/auth",
+					TokenEndpoint:        "https://foo.com/token",
+					JwksURI:              "https://foo.com/certs",
+					ClientID:             "foo",
+					ClientSecret:         "super_secret_123",
+					RedirectURI:          "/_codexch",
+					Scope:                "openid",
+					ZoneSyncLeeway:       200,
+					AccessTokenEnable:    true,
+					InterceptErrorEnable: false,
 				},
 				"default/oidc-policy",
 			},

pkg/apis/configuration/v1/types.go

@@ -475,16 +475,17 @@ type EgressMTLS struct {
 
 // OIDC defines an Open ID Connect policy.
 type OIDC struct {
-	AuthEndpoint      string   `json:"authEndpoint"`
-	TokenEndpoint     string   `json:"tokenEndpoint"`
-	JWKSURI           string   `json:"jwksURI"`
-	ClientID          string   `json:"clientID"`
-	ClientSecret      string   `json:"clientSecret"`
-	Scope             string   `json:"scope"`
-	RedirectURI       string   `json:"redirectURI"`
-	ZoneSyncLeeway    *int     `json:"zoneSyncLeeway"`
-	AuthExtraArgs     []string `json:"authExtraArgs"`
-	AccessTokenEnable bool     `json:"accessTokenEnable"`
+	AuthEndpoint         string   `json:"authEndpoint"`
+	TokenEndpoint        string   `json:"tokenEndpoint"`
+	JWKSURI              string   `json:"jwksURI"`
+	ClientID             string   `json:"clientID"`
+	ClientSecret         string   `json:"clientSecret"`
+	Scope                string   `json:"scope"`
+	RedirectURI          string   `json:"redirectURI"`
+	ZoneSyncLeeway       *int     `json:"zoneSyncLeeway"`
+	AuthExtraArgs        []string `json:"authExtraArgs"`
+	AccessTokenEnable    bool     `json:"accessTokenEnable"`
+	InterceptErrorEnable bool     `json:"interceptErrorEnable"`
 }
 
 // WAF defines an WAF policy.