diff --git a/terraform/configurations/native-oidc/README.md b/terraform/configurations/native-oidc/README.md
index ac564b7..d892dc1 100644
--- a/terraform/configurations/native-oidc/README.md
+++ b/terraform/configurations/native-oidc/README.md
@@ -37,13 +37,14 @@ terraform destroy --auto-approve
 ## Notes
 - The deployment uses a self-signed certificate for demonstration. For production, use a certificate issued by a trusted CA.
-- OIDC configuration requires NGINX Plus R34 or later.
+- Native OIDC configuration requires NGINX Plus R35 or later.
 - For more details on how to configure the OIDC in NGINXaaS, please refer to the references below
   - https://docs.nginx.com/nginx/deployment-guides/single-sign-on/entra-id/
   - https://docs.nginx.com/nginxaas/azure/quickstart/runtime-state-sharing/
-  - https://docs.nginx.com/nginx/releases/#r34
+  - https://docs.nginx.com/nginx/releases/#r35
   - https://community.f5.com/kb/technicalarticles/f5-nginx-plus-r34-release-now-available/340300
   - https://nginx.org/en/docs/http/ngx_http_oidc_module.html
   - https://docs.nginx.com/nginxaas/azure/getting-started/ssl-tls-certificates/
+  - https://community.f5.com/kb/technicalarticles/f5-nginx-plus-r35-release-now-available/342962
diff --git a/terraform/configurations/native-oidc/main.tf b/terraform/configurations/native-oidc/main.tf
index eb87442..ca09688 100644
--- a/terraform/configurations/native-oidc/main.tf
+++ b/terraform/configurations/native-oidc/main.tf
@@ -92,10 +92,18 @@ resource "azurerm_role_assignment" "example" {
 locals {
   nginx_config = templatefile("${path.module}/nginx.conf.tpl", {
-    issuer = var.issuer
-    client_id = var.client_id
-    client_secret = var.client_secret
-    resolver = var.resolver
+    resolver = var.resolver
+  })
+
+  # Use provided post_logout_uri if specified, otherwise auto-generate using IP address
+  effective_post_logout_uri = var.post_logout_uri != "" ? var.post_logout_uri : "https://${azurerm_nginx_deployment.example.ip_address}/post_logout/"
+
+  # Protected OIDC provider configuration with sensitive client secret
+  oidc_provider_config = templatefile("${path.module}/oidc-secrets.conf.tpl", {
+    issuer = var.issuer
+    client_id = var.client_id
+    client_secret = var.client_secret
+    post_logout_uri = local.effective_post_logout_uri
   })
 }
@@ -143,6 +151,12 @@ resource "azurerm_nginx_configuration" "example" {
     virtual_path = "/etc/nginx/nginx.conf"
   }
+  # Protected configuration file containing the entire OIDC provider block
+  protected_file {
+    content = base64encode(local.oidc_provider_config)
+    virtual_path = "/etc/nginx/oidc-provider.conf"
+  }
+
   depends_on = [
     azurerm_nginx_certificate.example
   ]
diff --git a/terraform/configurations/native-oidc/nginx.conf.tpl b/terraform/configurations/native-oidc/nginx.conf.tpl
index 0761a2e..2f7898b 100644
--- a/terraform/configurations/native-oidc/nginx.conf.tpl
+++ b/terraform/configurations/native-oidc/nginx.conf.tpl
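Review bot: The rendered `local.oidc_provider_config` holds the client secret in clear text and, like every local that feeds a resource argument, is persisted in Terraform state and shown in plan output unless sensitivity propagates from its inputs; `templatefile` only produces a sensitive value if `var.client_secret` is declared `sensitive = true`, and that declaration is outside this hunk, so it is worth confirming. Even with sensitivity set, `protected_file` only governs what NGINXaaS exposes afterwards, so the state backend must be protected to the same standard as the secret. I would say this above the local: `# NOTE: the rendered block contains the client secret in clear text; it is persisted in Terraform state even though NGINXaaS stores it as a protected file.`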
@@ -3,13 +3,8 @@ http {
     resolver ${resolver} ipv4=on ipv6=off valid=300s;
     keyval_zone zone=oidc:8M state=/opt/oidc_id_tokens.json timeout=1h sync;
-    oidc_provider entra {
-        # issuer URL, client_id, client_secret values are obtained from IdP configuration (microsoft entra id in this example)
-        issuer ${issuer};
-        client_id ${client_id};
-        client_secret ${client_secret};
-        session_store oidc;
-    }
+    # Include OIDC provider configuration from protected file
+    include /etc/nginx/oidc-provider.conf;
     server {
         listen 443 ssl;
         server_name demo.example.com;
@@ -24,6 +19,14 @@ http {
             proxy_pass http://127.0.0.1:8080;
         }
+
+        # Post-logout endpoint - this example uses /post_logout/
+        # You can change this path or customize the response as needed
+        # Make sure to update the post_logout_uri variable accordingly
+        location /post_logout/ {
+            return 200 "You have been logged out.\n";
+            default_type text/plain;
+        }
     }
     server {
diff --git a/terraform/configurations/native-oidc/oidc-secrets.conf.tpl b/terraform/configurations/native-oidc/oidc-secrets.conf.tpl
new file mode 100644
index 0000000..63b7155
--- /dev/null
+++ b/terraform/configurations/native-oidc/oidc-secrets.conf.tpl
@@ -0,0 +1,14 @@
+# OIDC provider configuration with sensitive information
+# This file contains sensitive information and should be protected
+
+oidc_provider entra {
+    # issuer URL, client_id, client_secret values are obtained from IdP configuration (microsoft entra id in this example)
+    issuer ${issuer};
+    client_id ${client_id};
+    client_secret ${client_secret};
+    session_store oidc;
+    logout_uri /logout;
+    post_logout_uri ${post_logout_uri};
+    logout_token_hint on;
+    userinfo on;
+}
\ No newline at end of file
diff --git a/terraform/configurations/native-oidc/outputs.tf b/terraform/configurations/native-oidc/outputs.tf
index 2047420..b8d0750 100644
--- a/terraform/configurations/native-oidc/outputs.tf
+++ b/terraform/configurations/native-oidc/outputs.tf
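Review bot: The literal path in `include /etc/nginx/oidc-provider.conf;` has to match the `virtual_path` of the `protected_file` block in main.tf, and nothing ties the two together, so a later edit to either one breaks nginx startup with no plan-time signal. Since main.tf already renders this template, passing the path in (`include ${oidc_provider_file};` here, with `oidc_provider_file = "/etc/nginx/oidc-provider.conf"` added to the `templatefile` variables and reused for `virtual_path`) keeps one source of truth. At minimum the comment above the include should name the main.tf `virtual_path` it depends on.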
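Review bot: Whether the new `location /post_logout/` is reachable after logout depends on where `auth_oidc entra;` is set, which is outside this hunk; if it is applied at server or http scope, the IdP's post-logout redirect would land on a protected location and bounce the user straight back into a login. Either add `auth_oidc off;` inside the new location, or extend the comment to state that authentication is only enabled on the proxied location so the assumption is explicit. The enclosing `server` block starts outside the hunk.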
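Review bot: `client_secret ${client_secret};` is interpolated unquoted, so a secret containing whitespace, `;`, `#` or `{` is truncated or mis-parsed by nginx, and the failure would surface only as a startup or token-exchange error on the deployment. Rendering it as `client_secret "${client_secret}";` handles all of those except `"` and `\`, which can be escaped in the template with Terraform's `replace()` if the IdP can ever emit them. The header comment could also point at where the protection actually happens: `# Delivered via the protected_file block in main.tf; keep it out of nginx.conf.tpl.`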
@@ -1,4 +1,9 @@
 output "ip_address" {
   description = "IP address of NGINXaaS deployment."
   value = azurerm_nginx_deployment.example.ip_address
+}
+
+output "post_logout_uri" {
+  description = "Post logout URI configured in OIDC provider."
+  value = local.effective_post_logout_uri
 }
\ No newline at end of file
diff --git a/terraform/configurations/native-oidc/variables.tf b/terraform/configurations/native-oidc/variables.tf
index 426b202..73ea7fd 100644
--- a/terraform/configurations/native-oidc/variables.tf
+++ b/terraform/configurations/native-oidc/variables.tf
@@ -46,4 +46,10 @@ variable "client_secret" {
 variable "resolver" {
   description = "OIDC resolver"
   type = string
+}
+
+variable "post_logout_uri" {
+  description = "OIDC post logout uri. If not provided, will default to https://IP_ADDRESS/post_logout/ (matching the example configuration). You can change this to match your custom logout endpoint."
+  type = string
+  default = "" # Empty string means use auto-generated URI with /post_logout/ path
 }
\ No newline at end of file
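Review bot: `post_logout_uri` is accepted as any string and flows unmodified into an nginx directive value (`post_logout_uri ${post_logout_uri};` in oidc-secrets.conf.tpl via `local.effective_post_logout_uri` in main.tf), so a value containing `;`, `}`, `#` or whitespace alters the provider block instead of failing at plan time. A `validation` block on the variable turns that into an immediate error and documents the expected shape; the description could also note that the value must be registered as a post-logout redirect URI at the IdP for the flow to work.

```hcl
variable "post_logout_uri" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.post_logout_uri == "" || can(regex("^https://[^\\s;{}#]+$", var.post_logout_uri))
    error_message = "post_logout_uri must be empty or an https:// URL without whitespace or nginx config delimiters (; { } #)."
  }
}
```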