diff --git a/openid_connect.js b/openid_connect.js index e4f2084..537a63b 100644 --- a/openid_connect.js +++ b/openid_connect.js @@ -48,7 +48,7 @@ function auth(r, afterSyncCheck) { return; } // Redirect the client to the IdP login page with the cookies we need for state - r.return(302, r.variables.oidc_authz_endpoint + getAuthZArgs(r)); + r.return(302, r.variables.oidc_authz_endpoint + getQueryParamsAuthZ(r)); return; } @@ -260,18 +260,19 @@ function logout(r) { r.return(302, r.variables.oidc_logout_redirect); } -function getAuthZArgs(r) { +function getQueryParamsAuthZ(r) { // Choose a nonce for this flow for the client, and hash it for the IdP var noncePlain = r.variables.request_id; var c = require('crypto'); var h = c.createHmac('sha256', r.variables.oidc_hmac_key).update(noncePlain); var nonceHash = h.digest('base64url'); - var authZArgs = "?response_type=code&scope=" + r.variables.oidc_scopes + "&client_id=" + r.variables.oidc_client + "&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash; + var queryParams = "?response_type=code&scope=" + r.variables.oidc_scopes + "&client_id=" + r.variables.oidc_client + "&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash; - if (r.variables.oidc_authz_extra_args) { - authZArgs += "&" + r.variables.oidc_authz_extra_args; + if (r.variables.oidc_authz_extra_query_params) { + queryParams += "&" + r.variables.oidc_authz_extra_query_params; } + r.variables.nonce_hash = nonceHash; r.headersOut['Set-Cookie'] = [ "auth_redir=" + r.variables.request_uri + "; " + r.variables.oidc_cookie_flags, "auth_nonce=" + noncePlain + "; " + r.variables.oidc_cookie_flags @@ -282,12 +283,13 @@ function getAuthZArgs(r) { r.variables.pkce_id = c.createHash('sha256').update(String(Math.random())).digest('base64url'); var pkce_code_challenge = c.createHash('sha256').update(pkce_code_verifier).digest('base64url'); r.variables.pkce_code_verifier = pkce_code_verifier; + r.variables.pkce_code_challenge = pkce_code_challenge; - authZArgs += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id; + queryParams += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id; } else { - authZArgs += "&state=0"; + queryParams += "&state=0"; } - return authZArgs; + return queryParams; } function idpClientAuth(r) { diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf index e8a9759..b89782f 100644 --- a/openid_connect_configuration.conf +++ b/openid_connect_configuration.conf @@ -8,16 +8,15 @@ map $host $oidc_authz_endpoint { #www.example.com "https://my-idp/oauth2/v1/authorize"; } -map $host $oidc_authz_extra_args { - # Extra arguments to include in the request to the IdP's authorization +map $host $oidc_authz_extra_query_params { + # Extra query params to include in the request to the IdP's authorization # endpoint. - # Some IdPs provide extended capabilities controlled by extra arguments, + # Some IdPs provide extended capabilities controlled by extra query params, # for example Keycloak can select an IdP to delegate to via the # "kc_idp_hint" argument. - # Arguments must be expressed as query string parameters and URL-encoded - # if required. + # It must be expressed as query string params and URL-encoded if required. default ""; - #www.example.com "kc_idp_hint=another_provider" + #www.example.com "kc_idp_hint=another_provider"; } map $host $oidc_token_endpoint {