Liam Crilly

Hello. If I understand you correctly, you wish to control the expiration time of the id_token (JWT). This is part of your IdP configuration, not part of the NGINX Plus...

Please explain this in more detail. Why does Keycloak need to know which URI the end user requested?

Each application has a unique hostname (FQDN)? Is there a common domain name (*.foo.com)? Setting a unique redirect URI in Keycloak for each one is not practical?

Here is the relevant line from the error log 2021/12/08 16:29:25 [error] 21314#21314: *2 js: OIDC error from IdP when sending authorization code: invalid_client, Client authentication failed (e.g. unknown client,...

Thanks for reporting this. Will investigate.

Hello! How do you use this variable end-to-end? Presumably you also log this variable in the access log for correlation purposes? Or does it end up somewhere else?

Thanks for the extra context - that's really helpful. In this case, I suspect the Axway behavior is due to it's transformation features for things like JSON/XML conversion. It's a...

Hi Arturo, this use case is designed to be solved with https://github.com/nginx/unit/issues/732

This workaround isn't pretty but it might be helpful. https://www.nginx.com/blog/deploying-nginx-plus-as-an-api-gateway-part-2-protecting-backend-services/#request-bodies

`$upstream` is a user-defined variable to indicate the success target for a given location https://gist.github.com/nginx-gists/6a8e7c65fdc41bc955f7e67a1d475469#file-warehouse_api_jsonbody-conf-L15 With FastCGI you'll need a fastcgi_pass target to handle the requests that fail your auth...