Request For Enhancement - encrypting values of cookies using a shared secret

[nergalex]

Hi,

In order to host nginx-openid-connect based instances in a F5 Distributed Cloud (XC) Customer Edge (site) multi-cluster (virtual site), as descibed in this solution, nginx-openid-connect should evolve to do not use shared sync zones. Because, each XC site has a different DNS domain.

An evolution could be to move from a shared state model to a shared nothing model by modifying the nginx-openid-connect project to:

• Remove the keyval zones currently used to store ID Tokens, Refresh Tokens, Access Tokens.
• Instead, these tokens, will be stored in cookies return to the client, replacing auth_token cookie (and friends).
• The cookie will be encrypted by NGINX(njs) using a user-defined shared secret (in the nginx configuration) before dispatch so that only NGINX (njs) may read the actual token within each cookie.
• We may optionally compress the tokens prior to encryption also if size is a concern (also with njs).
• We receive these cookies from the user ever request just like auth_token cookie.
• Remove/swich out these keyval defined variables to now be js_set functions, which lazy decode each token as and when needed using the shared secret.

As an aside, this method of encrypting values of cookies using a shared secret is somewhat similar to how NGINX App Protect implements enforcer cookies without shared state (beyond the encryption / signing key).

The only shared dependency in this solution is the encryption key, which can be static / semi-static, so there is no need longer a need for zone-sync.