OIDC: option to pass access token as authorization header to upstream

[suedschwede]

I would like to configure OIDC in NGINX and pass the access token as authorization header to a backend application
At the moment it is only possible to pass jwt claims

[github-actions]

Hi @suedschwede thanks for reporting!

Be sure to check out the docs while you wait for a human to take a look at this 🙂

Cheers!

[lucacome]

Hi @suedschwede

we use https://github.com/nginxinc/nginx-openid-connect under the hood. I would suggest opening an issue there.

[nixx]

I have the same issue. This is a blocker for using Nginx Ingress controller.

My case is slightly different. I need to pass the ID token to upstream. This is already supported in nginx-openid-connect.

I tried to add $session_jwt to a header through policies, but are denied as there is a whitelist at pkg/apis/validation/virtualserver.go:1094 (on the v2.2.2 tag).

Username is also hard coded in the template (nginx-plus.virtualserver.tmpl:363).

I´m able to add a workaround if I patch the code, but I would rather not.

In the longer run, I assume we also need to pass access token to upstream. Exposing tokens to upstream is a functionality most other similar software has, and this is a blocker for using Nginx Plus now.