Ivan Ovchinnikov

Hi @jiruisong , 1. If your environment requires the use of a tunneling proxy server when communicating between the NGINX and the identity provider (login.microsoftonline.com), then no, we don't support...

Hi @ag-TJNII, Thank you for your contribution to the nginx-openid-connect project. I appreciate the effort you've put into enhancing the security of the solution. However, I'm unable to accept this...

>How so? It prevents the session cookie from being sent to the upstream server. How does this not meet the stated objective? As stated in the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) documentation: "These directives...

Hi @ag-TJNII , Oh, thank you for such a detailed response. I truly appreciate the level of empathy with which you approached writing it. Although I no longer deploy solutions...

Hi @ag-TJNII and thank you for your contribution to our project and for paying attention to security-related aspects. However, I must decline this approach for the following reasons: 1. Performance....

Yes, I asked that question to ensure that we are on the same page regarding the understanding and nuances of security issues related to implementation. > In this implementation the...

Most old-school admins understand the NGINX security model quite well, which is based on the Unix approach to rights separation. In simple terms, there are two entities - the admin...

> This implementation requires the use of js_set for each call. I don't think there is a way around that. If there is a one-way function available in directly in...

I changed the default paths for the state file to align with the approach we use for SAML. (see PR #90)