From b1efb859b20a612d09fa2976ae7b8f3a1a598e31 Mon Sep 17 00:00:00 2001
From: Shawn Kim
Date: Thu, 22 Dec 2022 22:21:28 -0800
Subject: [PATCH] Rename variable name from args to query params

---
 openid_connect.js | 16 ++++++++--------
 openid_connect_configuration.conf | 11 +++++------
 2 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/openid_connect.js b/openid_connect.js
index 49909c9..e5c3c7f 100644
--- a/openid_connect.js
+++ b/openid_connect.js
@@ -48,7 +48,7 @@ function auth(r, afterSyncCheck) {
 return;
 }
 // Redirect the client to the IdP login page with the cookies we need for state
- r.return(302, r.variables.oidc_authz_endpoint + getAuthZArgs(r));
+ r.return(302, r.variables.oidc_authz_endpoint + getQueryParamsAuthZ(r));
 return;
 }
 
@@ -271,16 +271,16 @@ function logout(r) {
 r.return(302, r.variables.oidc_logout_redirect);
 }
 
-function getAuthZArgs(r) {
+function getQueryParamsAuthZ(r) {
 // Choose a nonce for this flow for the client, and hash it for the IdP
 var noncePlain = r.variables.request_id;
 var c = require('crypto');
 var h = c.createHmac('sha256', r.variables.oidc_hmac_key).update(noncePlain);
 var nonceHash = h.digest('base64url');
- var authZArgs = "?response_type=code&scope=" + r.variables.oidc_scopes + "&client_id=" + r.variables.oidc_client + "&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash;
+ var queryParams = "?response_type=code&scope=" + r.variables.oidc_scopes + "&client_id=" + r.variables.oidc_client + "&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash;
 
- if (r.variables.oidc_authz_extra_args) {
- authZArgs += "&" + r.variables.oidc_authz_extra_args;
+ if (r.variables.oidc_authz_extra_query_params) {
+ queryParams += "&" + r.variables.oidc_authz_extra_query_params;
 }
 
 r.headersOut['Set-Cookie'] = [
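Review bot: In the renamed `queryParams` line of getQueryParamsAuthZ, the `redirect_uri` value is still built by raw concatenation of `r.variables.redirect_base + r.variables.redir_location`, so an absolute URL with reserved characters (`:`, `/`, `?`) lands in the query component unencoded; use `"&redirect_uri=" + encodeURIComponent(r.variables.redirect_base + r.variables.redir_location)` so an IdP that compares the registered redirect_uri byte-for-byte receives the intended value. The extra query params are appended verbatim, which only works because the configuration comment makes the operator responsible for URL-encoding them; a comment on that line, `// oidc_authz_extra_query_params is appended as-is and must already be URL-encoded`, keeps that contract visible in the code. On naming, `getAuthZQueryParams` would match the `oidc_authz_extra_query_params` variable introduced by the same commit better than `getQueryParamsAuthZ`. The function body continues past this hunk into the Set-Cookie array and the PKCE branch.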
@@ -294,11 +294,11 @@ function getAuthZArgs(r) {
 var pkce_code_challenge = c.createHash('sha256').update(pkce_code_verifier).digest('base64url');
 r.variables.pkce_code_verifier = pkce_code_verifier;
 
- authZArgs += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id;
+ queryParams += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id;
 } else {
- authZArgs += "&state=0";
+ queryParams += "&state=0";
 }
- return authZArgs;
+ return queryParams;
 }
 
 function idpClientAuth(r) {
diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
index 0aa69a4..7517f1c 100644
--- a/openid_connect_configuration.conf
+++ b/openid_connect_configuration.conf
@@ -8,16 +8,15 @@ map $host $oidc_authz_endpoint {
 #www.example.com "https://my-idp/oauth2/v1/authorize";
 }
 
-map $host $oidc_authz_extra_args {
- # Extra arguments to include in the request to the IdP's authorization
+map $host $oidc_authz_extra_query_params {
+ # Extra query params to include in the request to the IdP's authorization
 # endpoint.
- # Some IdPs provide extended capabilities controlled by extra arguments,
+ # Some IdPs provide extended capabilities controlled by extra query params,
 # for example Keycloak can select an IdP to delegate to via the
 # "kc_idp_hint" argument.
- # Arguments must be expressed as query string parameters and URL-encoded
- # if required.
+ # It must be expressed as query string params and URL-encoded if required.
 default "";
- #www.example.com "kc_idp_hint=another_provider"
+ #www.example.com "kc_idp_hint=another_provider";
 }
 
 map $host $oidc_token_endpoint {
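Review bot: The non-PKCE branch still sends a constant `state=0`, so after the rename the `state` parameter carries no per-request value the callback could verify, whereas the PKCE branch binds the response through `r.variables.pkce_id`. If the cookies set earlier in getQueryParamsAuthZ (the Set-Cookie list begins in the previous hunk) are what tie the callback to this browser in that mode, say so on the line, e.g. `// state is not used without PKCE; the cookies set above bind the callback to this session`; otherwise this deserves a follow-up rather than silence. The enclosing function starts in the previous hunk.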
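Review bot: The rewritten comment `# It must be expressed as query string params and URL-encoded if required.` has no clear referent for `It`; the map value is meant, and the consumer in openid_connect.js (`queryParams += "&" + r.variables.oidc_authz_extra_query_params`) prepends its own `&`, so the line would be more useful as `# The value is appended to the query string verbatim: give URL-encoded key=value pairs joined by "&", with no leading "&" or "?".` The Keycloak sentence two lines above still says `"kc_idp_hint" argument` after the rename from arguments to query params; `"kc_idp_hint" query param` keeps the wording consistent.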