
Update template for custom redirect URI #7853


Merged
merged 8 commits into from
Jun 4, 2025

Conversation

Contributor

@vepatel vepatel commented May 29, 2025

Proposed changes

Policy:

Spec:
  Oidc:
    Access Token Enable:   true
    Auth Endpoint:         https://keycloak.example.com/realms/master/protocol/openid-connect/auth
    Client ID:             nginx-plus
    Client Secret:         oidc-secret
    End Session Endpoint:  https://keycloak.example.com/realms/master/protocol/openid-connect/logout
    Jwks URI:              http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs
    Redirect URI:          /_test
    Scope:                 openid+profile+email
    Token Endpoint:        http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token
Status:
  Message:  Policy default/oidc-policy was added or updated
  Reason:   AddedOrUpdated
  State:    Valid

nginx conf:

server {
    listen 80;
    listen [::]:80;

    server_name webapp.example.com;
    status_zone webapp.example.com;
    set $resource_type "virtualserver";
    set $resource_name "webapp";
    set $resource_namespace "default";
    include oidc/oidc.conf;

    set $oidc_pkce_enable 0;
    set $oidc_logout_redirect "/_logout";
    set $oidc_hmac_key "webapp";
    set $zone_sync_leeway 200;

    set $oidc_authz_endpoint "https://keycloak.example.com/realms/master/protocol/openid-connect/auth";
    set $oidc_authz_extra_args "";
    set $oidc_token_endpoint "http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token";
    set $oidc_end_session_endpoint "https://keycloak.example.com/realms/master/protocol/openid-connect/logout";
    set $oidc_jwt_keyfile "http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs";
    set $oidc_scopes "openid+profile+email";
    set $oidc_client "nginx-plus";
    set $oidc_client_secret "<SECRET>";
    set $redir_location "/_test";
    # Custom OIDC redirect location based on policy redirectURI
    location = /_test {
        status_zone "OIDC code exchange";
        js_content oidc.codeExchange;
        error_page 500 502 504 @oidc_error;
    }
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate $secret_dir_path/default-tls-secret;
    ssl_certificate_key $secret_dir_path/default-tls-secret;
    if ($scheme = 'http') {
        return 301 https://$host$request_uri;
    }

    server_tokens "on";

    location / {
        set $service "webapp-svc";
        status_zone "webapp-svc";
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;
        auth_jwt_key_request /_jwks_uri;
        proxy_set_header username $jwt_claim_sub;
        proxy_set_header Authorization "Bearer $access_token";
        set $default_connection_header close;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        client_max_body_size 1m;

        proxy_buffering on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $vs_connection_header;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host "$host";
        proxy_pass http://vs_default_webapp_webapp;
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0s;
        proxy_next_upstream_tries 0;
    }
}


https://keycloak.example.com/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email&client_id=nginx-plus&redirect_uri=https://webapp.example.com:443/_test


Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Signed-off-by: Venktesh Shivam Patel <ve.patel@f5.com>
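The generated server block above only works because the policy's redirectURI (`/_test`) now has its own `location = /_test` handled by `oidc.codeExchange`; without it the IdP's callback lands in `location /`, fails `auth_jwt`, and restarts the login flow. The Go program below is an added example, not code from this PR or from the kubernetes-ingress project: it checks a rendered config for exactly that pairing, rejects a redirect path that is not a single-slash local path, and confirms that the `redirect_uri` in the authorization request shown above points back at the same host and path (the value the IdP must have registered for the client). The two config strings are constructed, trimmed copies of the config on this page; the "broken" variant is assumed to represent the pre-fix output.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: the OIDC-relevant directives of the server block shown
// in this PR, after the fix (custom redirect location present).
const fixedConf = `
server {
    server_name webapp.example.com;
    include oidc/oidc.conf;
    set $oidc_client "nginx-plus";
    set $redir_location "/_test";
    location = /_test {
        status_zone "OIDC code exchange";
        js_content oidc.codeExchange;
        error_page 500 502 504 @oidc_error;
    }
    location / {
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;
        proxy_pass http://vs_default_webapp_webapp;
    }
}
`

// Constructed "before the fix" variant (assumption): $redir_location names the
// custom path but no matching location exists, so the callback to /_test is
// served by "location /", fails auth_jwt, and the browser is sent to log in again.
const brokenConf = `
server {
    server_name webapp.example.com;
    include oidc/oidc.conf;
    set $redir_location "/_test";
    location / {
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;
        proxy_pass http://vs_default_webapp_webapp;
    }
}
`

var redirSetRe = regexp.MustCompile(`set\s+\$redir_location\s+"([^"]*)"\s*;`)

// CheckRedirectLocation returns the path set via $redir_location and an error
// if the path is not a local path beginning with a single '/', or if the config
// has no exact-match location for it that runs oidc.codeExchange.
func CheckRedirectLocation(conf string) (string, error) {
	m := redirSetRe.FindStringSubmatch(conf)
	if m == nil {
		return "", errors.New("no 'set $redir_location' directive found")
	}
	path := m[1]
	if !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") {
		return path, fmt.Errorf("redirect URI %q must be a local path beginning with a single '/'", path)
	}
	locRe := regexp.MustCompile(`location\s*=\s*` + regexp.QuoteMeta(path) + `\s*\{([^}]*)\}`)
	loc := locRe.FindStringSubmatch(conf)
	if loc == nil {
		return path, fmt.Errorf("no 'location = %s' block: the callback would be served by 'location /'", path)
	}
	if !strings.Contains(loc[1], "js_content oidc.codeExchange") {
		return path, fmt.Errorf("'location = %s' is not handled by oidc.codeExchange", path)
	}
	return path, nil
}

// CheckAuthRequest parses the authorization request the proxy redirects the
// browser to and confirms its redirect_uri is https://<wantHost><wantPath>.
// The IdP must have exactly this value registered for the client.
func CheckAuthRequest(authURL, wantHost, wantPath string) error {
	u, err := url.Parse(authURL)
	if err != nil {
		return err
	}
	ru, err := url.Parse(u.Query().Get("redirect_uri"))
	if err != nil {
		return err
	}
	if ru.Scheme != "https" || ru.Host != wantHost || ru.Path != wantPath {
		return fmt.Errorf("redirect_uri %q does not match https://%s%s", ru.String(), wantHost, wantPath)
	}
	return nil
}

func main() {
	path, err := CheckRedirectLocation(fixedConf)
	fmt.Printf("fixed config:  path=%q err=%v\n", path, err)
	path, err = CheckRedirectLocation(brokenConf)
	fmt.Printf("broken config: path=%q err=%v\n", path, err)

	// The authorization request URL captured in this PR.
	authURL := "https://keycloak.example.com/realms/master/protocol/openid-connect/auth" +
		"?response_type=code&scope=openid+profile+email&client_id=nginx-plus" +
		"&redirect_uri=https://webapp.example.com:443/_test"
	fmt.Println("auth request:", CheckAuthRequest(authURL, "webapp.example.com:443", "/_test"))
}
```

The host check is deliberately strict about the port: the proxy builds `redirect_uri` from `$server_port`, so `https://webapp.example.com:443/_test` and `https://webapp.example.com/_test` are different strings to an IdP doing exact redirect URI matching, and only the one actually sent should be registered.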
@vepatel vepatel requested a review from a team as a code owner May 29, 2025 15:48
@github-actions github-actions bot added the bug An issue reporting a potential bug label May 29, 2025

codecov bot commented May 29, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 52.47%. Comparing base (552f353) to head (e68be13).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7853   +/-   ##
=======================================
  Coverage   52.47%   52.47%           
=======================================
  Files          90       90           
  Lines       21550    21550           
=======================================
  Hits        11308    11308           
  Misses       9773     9773           
  Partials      469      469           


@github-actions github-actions bot added the go Pull requests that update Go code label May 29, 2025
@vepatel vepatel requested a review from pdabelf5 May 30, 2025 11:32
@vepatel vepatel merged commit 2c08bea into main Jun 4, 2025
84 checks passed
@vepatel vepatel deleted the fix/oidc-redirect branch June 4, 2025 09:41
@AlexFenlon AlexFenlon removed the go Pull requests that update Go code label Jun 23, 2025
Successfully merging this pull request may close these issues.

[Bug]: enabling OIDC redirectURI with custom location in policy breaks the flow