Merge pull request #18 from R0Wi/feature/support_pkce

Add PKCE support
evry · Nov 7, 2022 · fea266c · fea266c
2 parents 9b5150b + 30d9ecc
commit fea266c
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ MAINTAINER Hans Kristian Flaatten <[email protected]>
 ENV \
  SESSION_VERSION=2.22 \
  HTTP_VERSION=0.12 \
- OPENIDC_VERSION=1.6.1 \
+ OPENIDC_VERSION=1.7.3 \
  JWT_VERSION=0.2.0 \
  HMAC_VERSION=989f601acbe74dee71c1a48f3e140a427f2d03ae
 

diff --git a/README.md b/README.md
@@ -26,6 +26,7 @@ environment variables is used in this image:
 * `OID_DISCOVERY`: OpenID provider well-known discovery URL
 * `OID_CLIENT_ID`: OpenID Client ID
 * `OID_CLIENT_SECRET`: OpenID Client Secret
+* `OID_USE_PKCE`: Enable PKCE (`true` or `false`, default is `false`)
 * `OIDC_AUTH_METHOD`: OpenID Connect authentication method (`client_secret_basic` or `client_secret_post`)
 * `OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY`: Enable silent renew of access token (`true` or `false`)
 

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -28,6 +28,7 @@ services:
       - OID_DISCOVERY=http://192.168.99.100:8080/auth/realms/master/.well-known/openid-configuration
       - OID_CLIENT_ID=proxy
       - OID_CLIENT_SECRET=dee59d02-b1a9-455a-bd3c-38d2e060bf0f
+      - OID_USE_PKCE=true
 
       - PROXY_HOST=192.168.99.100
       - PROXY_PORT=8383

diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
@@ -13,6 +13,7 @@ env OID_DISCOVERY;
 env OID_CLIENT_ID;
 env OID_CLIENT_SECRET;
 env OID_REDIRECT_PATH;
+env OID_USE_PKCE;
 env OIDC_AUTH_SCOPE;
 env OIDC_AUTH_METHOD;
 env OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY;

diff --git a/nginx/lua/auth.lua b/nginx/lua/auth.lua
@@ -8,6 +8,7 @@ local opts = {
     renew_access_token_on_expiry = os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY") ~= "false" and os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY") ~= "false",
     scope = os.getenv("OIDC_AUTH_SCOPE") or "openid",
     iat_slack = 600,
+    use_pkce = os.getenv("OID_USE_PKCE") == "true"
 }
 
 -- call authenticate for OpenID Connect user authentication
@@ -22,6 +23,7 @@ ngx.log(ngx.INFO,
   ", session.data.authenticated=", session.data.authenticated,
   ", opts.force_reauthorize=", opts.force_reauthorize,
   ", opts.renew_access_token_on_expiry=", opts.renew_access_token_on_expiry,
+  ", opts.use_pkce=", opts.use_pkce,
   ", try_to_renew=", try_to_renew,
   ", token_expired=", token_expired
 )