diff --git a/Dockerfile b/Dockerfile index 3788687..5adaf05 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ MAINTAINER Hans Kristian Flaatten ENV \ SESSION_VERSION=2.22 \ HTTP_VERSION=0.12 \ - OPENIDC_VERSION=1.6.1 \ + OPENIDC_VERSION=1.7.3 \ JWT_VERSION=0.2.0 \ HMAC_VERSION=989f601acbe74dee71c1a48f3e140a427f2d03ae diff --git a/README.md b/README.md index a0ad90e..e6a0927 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,7 @@ environment variables is used in this image: * `OID_DISCOVERY`: OpenID provider well-known discovery URL * `OID_CLIENT_ID`: OpenID Client ID * `OID_CLIENT_SECRET`: OpenID Client Secret +* `OID_USE_PKCE`: Enable PKCE (`true` or `false`, default is `false`) * `OIDC_AUTH_METHOD`: OpenID Connect authentication method (`client_secret_basic` or `client_secret_post`) * `OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY`: Enable silent renew of access token (`true` or `false`) diff --git a/docker-compose.yaml b/docker-compose.yaml index b98e3ed..6e06e32 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -28,6 +28,7 @@ services: - OID_DISCOVERY=http://192.168.99.100:8080/auth/realms/master/.well-known/openid-configuration - OID_CLIENT_ID=proxy - OID_CLIENT_SECRET=dee59d02-b1a9-455a-bd3c-38d2e060bf0f + - OID_USE_PKCE=true - PROXY_HOST=192.168.99.100 - PROXY_PORT=8383 diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf index 01c0530..94eaf09 100644 --- a/nginx/conf/nginx.conf +++ b/nginx/conf/nginx.conf @@ -13,6 +13,7 @@ env OID_DISCOVERY; env OID_CLIENT_ID; env OID_CLIENT_SECRET; env OID_REDIRECT_PATH; +env OID_USE_PKCE; env OIDC_AUTH_SCOPE; env OIDC_AUTH_METHOD; env OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY; diff --git a/nginx/lua/auth.lua b/nginx/lua/auth.lua index 5ddad93..c47127c 100644 --- a/nginx/lua/auth.lua +++ b/nginx/lua/auth.lua @@ -8,6 +8,7 @@ local opts = { renew_access_token_on_expiry = os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY") ~= "false" and os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY") ~= "false", scope = os.getenv("OIDC_AUTH_SCOPE") or "openid", iat_slack = 600, + use_pkce = os.getenv("OID_USE_PKCE") == "true" } -- call authenticate for OpenID Connect user authentication @@ -22,6 +23,7 @@ ngx.log(ngx.INFO, ", session.data.authenticated=", session.data.authenticated, ", opts.force_reauthorize=", opts.force_reauthorize, ", opts.renew_access_token_on_expiry=", opts.renew_access_token_on_expiry, + ", opts.use_pkce=", opts.use_pkce, ", try_to_renew=", try_to_renew, ", token_expired=", token_expired )