
Add PKCE, Scopes, and Logout Redirect URL Support to the OIDC Policy

Open writemike opened this issue 4 years ago • 10 comments

Is your feature request related to a problem? Please describe:
To have feature parity with the NGINX Plus OIDC Reference Implementation I would like to see a key/value pair added to the OIDC Policy declaration to include enabling PKCE, updating scopes, and adding a Logout Redirect URL.

Describe the solution you'd like:
I would like to see a key/value pair added to the OIDC Policy declaration to include enabling PKCE ($oidc_pkce_enable 1), updating scopes ($oidc_scopes), and adding a Logout Redirect URL ($oidc_logout_redirect).

Describe alternatives you've considered:
Not sure if we could use Server/Location Snippets to meet this requirement with the map directives in the openid_connect_configuration.conf file.

Additional context:
PKCE could be automatically marked true (Implemented) if the clientSecret value is left blank, unless there is a use case where both would be needed? Scopes and Logout URI would use the defaults if not updated and therefore be optional.

Some more detail, I'm looking more for feature parity with this OIDC Reference Implementation which looks like the same implementation added to the latest version of KIC (If you exec into the KIC pod and look in the /etc/nginx/oidc folder, you will see the same code used). We are just missing these 3x variables to make the 2 solutions equivalent. All the code is already in /etc/nginx/oidc, on KIC, but these 3x variables ($oidc_pkce_enable, $oidc_scopes, and $oidc_logout_redirect) were not included in the OIDC Policy configuration which is what I am asking about.


writemike avatar Jul 27 '21 08:07 writemike

Hi @writemike thanks for reporting!

Be sure to check out the docs while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

github-actions[bot] avatar Jul 27 '21 08:07 github-actions[bot]

The most complete OIDC example that I have seen is here: https://github.com/magicalyak/ansible-role-nginx-ingress-oidc But that is not the same as being a first-class citizen in the policy.

brianehlert avatar Jul 27 '21 22:07 brianehlert


OIDC Policy supports only a subset of options: https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#oidc

This is a reflection of not keeping up to date with updates to the OIDC reference implementation.

brianehlert avatar Jun 22 '23 23:06 brianehlert

Custom scopes are supported with: https://github.com/nginxinc/kubernetes-ingress/pull/3863

brianehlert avatar Jun 22 '23 23:06 brianehlert