Rename variable name from args to query params

nginxinc · Jan 6, 2023 · 659a746 · 659a746
1 parent 6ad8ec6
commit 659a746
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 14 deletions.
diff --git a/openid_connect.js b/openid_connect.js
@@ -48,7 +48,7 @@ function auth(r, afterSyncCheck) {
             return;
         }
         // Redirect the client to the IdP login page with the cookies we need for state
-        r.return(302, r.variables.oidc_authz_endpoint + getAuthZArgs(r));
+        r.return(302, r.variables.oidc_authz_endpoint + getQueryParamsAuthZ(r));
         return;
     }
 
@@ -260,18 +260,19 @@ function logout(r) {
     r.return(302, r.variables.oidc_logout_redirect);
 }
 
-function getAuthZArgs(r) {
+function getQueryParamsAuthZ(r) {
     // Choose a nonce for this flow for the client, and hash it for the IdP
     var noncePlain = r.variables.request_id;
     var c = require('crypto');
     var h = c.createHmac('sha256', r.variables.oidc_hmac_key).update(noncePlain);
     var nonceHash = h.digest('base64url');
-    var authZArgs = "?response_type=code&scope=" + r.variables.oidc_scopes + "&client_id=" + r.variables.oidc_client + "&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash;
+    var queryParams = "?response_type=code&scope=" + r.variables.oidc_scopes + "&client_id=" + r.variables.oidc_client + "&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash;
 
-    if (r.variables.oidc_authz_extra_args) {
-        authZArgs += "&" + r.variables.oidc_authz_extra_args;
+    if (r.variables.oidc_authz_extra_query_params) {
+        queryParams += "&" + r.variables.oidc_authz_extra_query_params;
     }
 
+    r.variables.nonce_hash = nonceHash;
     r.headersOut['Set-Cookie'] = [
         "auth_redir=" + r.variables.request_uri + "; " + r.variables.oidc_cookie_flags,
         "auth_nonce=" + noncePlain + "; " + r.variables.oidc_cookie_flags
@@ -282,12 +283,13 @@ function getAuthZArgs(r) {
         r.variables.pkce_id = c.createHash('sha256').update(String(Math.random())).digest('base64url');
         var pkce_code_challenge = c.createHash('sha256').update(pkce_code_verifier).digest('base64url');
         r.variables.pkce_code_verifier = pkce_code_verifier;
+        r.variables.pkce_code_challenge = pkce_code_challenge;
 
-        authZArgs += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id;
+        queryParams += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id;
     } else {
-        authZArgs += "&state=0";
+        queryParams += "&state=0";
     }
-    return authZArgs;
+    return queryParams;
 }
 
 function idpClientAuth(r) {

diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
@@ -8,16 +8,15 @@ map $host $oidc_authz_endpoint {
     #www.example.com "https://my-idp/oauth2/v1/authorize";
 }
 
-map $host $oidc_authz_extra_args {
-    # Extra arguments to include in the request to the IdP's authorization
+map $host $oidc_authz_extra_query_params {
+    # Extra query params to include in the request to the IdP's authorization
     # endpoint.
-    # Some IdPs provide extended capabilities controlled by extra arguments,
+    # Some IdPs provide extended capabilities controlled by extra query params,
     # for example Keycloak can select an IdP to delegate to via the
     # "kc_idp_hint" argument.
-    # Arguments must be expressed as query string parameters and URL-encoded
-    # if required.
+    # It must be expressed as query string params and URL-encoded if required.
     default "";
-    #www.example.com "kc_idp_hint=another_provider"
+    #www.example.com "kc_idp_hint=another_provider";
 }
 
 map $host $oidc_token_endpoint {