http {# Configure name servers used to resolve domain names.resolver193.17.47.1185.43.135.1 [2001:148f:ffff::1] [2001:148f:fffe::1];js_import oidc from /path/to/nginx-oidc-njs/nginx-oidc.njs;include /path/to/nginx-oidc-njs/conf/http.conf;# Define cache zone for requested and inspected tokens.proxy_cache_path cache/oidc_tokens    keys_zone=oidc_tokens:1m    levels=2    use_temp_path=off    inactive=1h    max_size=4m;keyval_zone_redis zone=oidc_id_tokens ttl=300;keyval_zone_redis zone=oidc_access_tokens ttl=300;keyval_zone_redis zone=oidc_refresh_tokens ttl=604800;keyval_zone_redis zone=oidc_auth_states ttl=60;server {listen443 ssl http2;server_name client.example.org;    ...include /path/to/nginx-oidc-njs/conf/server.conf;# This must be large enough to fit a JWT token.subrequest_output_buffer_size 32k;set$oidc_issuer"https://openid.example.org";set$oidc_authorization_endpoint"https://openid.example.org/authorize";set$oidc_token_endpoint"https://openid.example.org/token";set$oidc_end_session_endpoint"https://openid.example.org/logout";set$oidc_jwks_file"/path/to/jwks.json";set$oidc_client_id"oidc-njs";set$oidc_client_secret"top-secret";set$oidc_scope"openid profile";# This must match the keys_zone name defined above in the http context.set$oidc_cache_zone_tokens"oidc_tokens";location/api/{include /path/to/nginx-oidc-njs/conf/auth-proxy.conf;proxy_pass"https://rp.example.org";    }location/{set$oidc_access"flynnkev USER ADMIN";include /path/to/nginx-oidc-njs/conf/auth-access.conf;    }  }}

OIDC Provider

The information for the following configuration variables can be retrieved from theOpenID Provider Discovery Metadata exposed by your Authorization Server or from its documentation.

$oidc_issuer

URL that the OIDC Provider asserts as its Issuer Identifier.It corresponds to propertyissuer inProvider Metadata.

This variable isrequired.

$oidc_jwks_file

Path to the JSON file in theJWKS format for validating JWT signature.This file can be downloaded from the location specified by thejwks_uri property inProvider Metadata.

This variable isrequired.

$oidc_authorization_endpoint

URL of theOAuth 2.0 Authorization Endpoint at the Authorization Server.It corresponds to propertyauthorization_endpoint inProvider Metadata.

This variable isrequired.

$oidc_token_endpoint

URL of theOAuth 2.0 Token Endpoint at the Authorization Server.It corresponds to propertytoken_endpoint inProvider Metadata.

This variable isrequired.

$oidc_introspection_endpoint

URL of theOAuth 2.0 Token Introspection Endpoint at the Authorization Server.It corresponds to propertyintrospection_endpoint inProvider Metadata.

This variable is optional.

$oidc_end_session_endpoint

URL of theLogout Endpoint for the RP-Initiated Logout at the Authorization Server.It corresponds to propertyend_session_endpoint inProvider Metadata.

This variable is optional.

Client

$oidc_client_id

OAuth 2.0Client Identifier registered at the Authorization Server.

This variable isrequired.

$oidc_client_secret

OAuth 2.0Client Secret (password) associated with the$oidc_client_id.

This variable isrequired.

$oidc_scope

A space-separated set ofOAuth 2.0 scopes that should be requested.

Default isopenid.

$oidc_claim_username

TheID TokenClaim that contains the user’s unique identifier (typically a username).This is used for access control (see$oidc_allow) and logging.

Default ispreferred_username.

$oidc_claim_roles

TheID TokenClaim that contains the roles of the user (as a flat array).This is used for access control (see$oidc_allow).

This variable is optional.

$oidc_redirect_uri

URL of the Client’sRedirection Endpoint previously registered at the Authorization Server.If only a path is provided (not an absolute URL), it will be prepended with$scheme://$server_name:$server_port.

Default is/-/oidc/callback, which corresponds to thelocation inconf/server.conf.

$oidc_post_logout_redirect_uri

URL to which the user will be redirected after logging out.If$oidc_end_session_endpoint is specified, then this URL will be passed to the Authorization Server’sLogout Endpoint via thepost_logout_redirect_uri parameter and it must be previously registered at the Authorization Server.

This variable is optional.

Others

$oidc_allow

A whitespace-separated list of usernames and roles.If the user has any of the specified roles or username, and has none of the roles or username specified in$oidc_deny, then access will be allowed.Otherwise, access will be denied.

The user’s username and roles are retrieved from the ID Token as specified by$oidc_claim_username and$oidc_claim_roles.There are also two special roles:

• ANONYMOUS – no authentication is required, access is allowed to anyone.

• AUTHENTICATED – any authenticated user is allowed.

This variable is used forconf/auth-access.conf and it can be set in the server or location context.

Default isAUTHENTICATED.

$oidc_deny

A whitespace-separated list of usernames and roles.If the user has any of the specified roles or username, then access will be denied.

The user’s username and roles are retrieved from the ID Token as specified by$oidc_claim_username and$oidc_claim_roles.

This variable is used forconf/auth-access.conf and it can be set in the server or location context.

Default isempty.

$oidc_cache_zone_tokens

Name of theproxy cache keys_zone for caching tokens.

This variable isrequired.^[1]

$oidc_cookie_attrs

Set-Cookie attributes to be added to the session cookies.Some attributes are overridden for certain cookies (Max-Age andPath).

Default isMax-Age=2592000; Path=/; Secure; SameSite=lax.^[2]

$oidc_error_pages_dir

Path to the directory with error page templates.SeeError Pages for more information.

$oidc_log_level

The log level threshold for messages logged by this module.

One of:debug,info,warn,error.Default isinfo.

$oidc_log_prefix

The prefix for log messages.

Default is[oidc].