NLB-6239: Update native oidc with protected file

Naveen-Gopu-F5 · Naveen-Gopu-F5 · commit 500692ede40a · 2025-09-25T17:41:36.000+05:30
diff --git a/terraform/configurations/native-oidc/README.md b/terraform/configurations/native-oidc/README.md
@@ -37,13 +37,14 @@ terraform destroy --auto-approve
 ## Notes
 
 - The deployment uses a self-signed certificate for demonstration. For production, use a certificate issued by a trusted CA.
-- OIDC configuration requires NGINX Plus R34 or later.
+- Native OIDC configuration requires NGINX Plus R35 or later.
 - For more details on how to configure the OIDC in NGINXaaS, please refer to the references below
    - https://docs.nginx.com/nginx/deployment-guides/single-sign-on/entra-id/
    - https://docs.nginx.com/nginxaas/azure/quickstart/runtime-state-sharing/
    - https://docs.nginx.com/nginx/releases/#r34
    - https://community.f5.com/kb/technicalarticles/f5-nginx-plus-r34-release-now-available/340300
    - https://nginx.org/en/docs/http/ngx_http_oidc_module.html
    - https://docs.nginx.com/nginxaas/azure/getting-started/ssl-tls-certificates/
+   - https://community.f5.com/kb/technicalarticles/f5-nginx-plus-r35-release-now-available/342962
 
 
diff --git a/terraform/configurations/native-oidc/main.tf b/terraform/configurations/native-oidc/main.tf
@@ -92,10 +92,18 @@ resource "azurerm_role_assignment" "example" {
 
 locals {
   nginx_config = templatefile("${path.module}/nginx.conf.tpl", {
-    issuer        = var.issuer
-    client_id     = var.client_id
-    client_secret = var.client_secret
-    resolver      = var.resolver
+    resolver = var.resolver
+  })
+
+  # Use provided post_logout_uri if specified, otherwise auto-generate using IP address
+  effective_post_logout_uri = var.post_logout_uri != "" ? var.post_logout_uri : "https://${azurerm_nginx_deployment.example.ip_address}/post_logout/"
+  
+  # Protected OIDC provider configuration with sensitive client secret
+  oidc_provider_config = templatefile("${path.module}/oidc-secrets.conf.tpl", {
+    issuer          = var.issuer
+    client_id       = var.client_id
+    client_secret   = var.client_secret
+    post_logout_uri = local.effective_post_logout_uri
   })
 }
 
@@ -143,6 +151,12 @@ resource "azurerm_nginx_configuration" "example" {
     virtual_path = "/etc/nginx/nginx.conf"
   }
 
+  # Protected configuration file containing the entire OIDC provider block
+  protected_file {
+    content      = base64encode(local.oidc_provider_config)
+    virtual_path = "/etc/nginx/oidc-provider.conf"
+  }
+
   depends_on = [
     azurerm_nginx_certificate.example
   ]
diff --git a/terraform/configurations/native-oidc/nginx.conf.tpl b/terraform/configurations/native-oidc/nginx.conf.tpl
@@ -3,13 +3,8 @@ http {
     resolver ${resolver} ipv4=on ipv6=off valid=300s;
     keyval_zone zone=oidc:8M     state=/opt/oidc_id_tokens.json     timeout=1h sync;
 
-    oidc_provider entra {
-        # issuer URL, client_id, client_secret values are obtained from IdP configuration (microsoft entra id in this example)
-        issuer ${issuer};
-        client_id ${client_id};
-        client_secret ${client_secret};
-        session_store oidc;
-    }
+    # Include OIDC provider configuration from protected file
+    include /etc/nginx/oidc-provider.conf;
     server {
         listen 443 ssl;
         server_name demo.example.com;
@@ -24,6 +19,14 @@ http {
 
             proxy_pass http://127.0.0.1:8080;
         }
+
+        # Post-logout endpoint - this example uses /post_logout/ 
+        # You can change this path or customize the response as needed
+        # Make sure to update the post_logout_uri variable accordingly
+        location /post_logout/ {
+            return 200 "You have been logged out.\n";
+            default_type text/plain;
+        }
     }
 
     server {
diff --git a/terraform/configurations/native-oidc/oidc-secrets.conf.tpl b/terraform/configurations/native-oidc/oidc-secrets.conf.tpl
@@ -0,0 +1,14 @@
+# OIDC provider configuration with sensitive information
+# This file contains sensitive information and should be protected
+
+oidc_provider entra {
+    # issuer URL, client_id, client_secret values are obtained from IdP configuration (microsoft entra id in this example)
+    issuer ${issuer};
+    client_id ${client_id};
+    client_secret ${client_secret};
+    session_store oidc;
+    logout_uri        /logout;
+    post_logout_uri  ${post_logout_uri};
+    logout_token_hint on;
+    userinfo on;
+}
diff --git a/terraform/configurations/native-oidc/outputs.tf b/terraform/configurations/native-oidc/outputs.tf
@@ -1,4 +1,9 @@
 output "ip_address" {
   description = "IP address of NGINXaaS deployment."
   value       = azurerm_nginx_deployment.example.ip_address
+}
+
+output "post_logout_uri" {
+  description = "Post logout URI configured in OIDC provider."
+  value       = local.effective_post_logout_uri
 }
diff --git a/terraform/configurations/native-oidc/variables.tf b/terraform/configurations/native-oidc/variables.tf
@@ -46,4 +46,10 @@ variable "client_secret" {
 variable "resolver" {
   description = "OIDC resolver"
   type        = string
+}
+
+variable "post_logout_uri" {
+  description = "OIDC post logout uri. If not provided, will default to https://IP_ADDRESS/post_logout/ (matching the example configuration). You can change this to match your custom logout endpoint."
+  type        = string
+  default     = ""  # Empty string means use auto-generated URI with /post_logout/ path
 }
