Reverse Proxy / Session Cookie Validation #624
Unanswered
bendercodes asked this question in Q&A
1 comment, 2 replies
-
a. The proxy is supposed to be a trusted entity in front of Service A, which means that the network link between the two should be secured or private.
-
Great module and thank you for creating this! Was wondering about RP mode (Authorization code) in a setup such as the below:
where the reverse proxy is proxying to multiple services (either user requests or other services).
Any guidance or pointers on what I'm missing is greatly appreciated as it's my first time working with OIDC.
I can see a session cookie is set after successful login.
How does Service A validate the JWT embedded in the session cookie passed by the proxy? In the past, one strategy I'd use is for the reverse proxy to sign the JWT with its private key, add it to a cookie, and have the service validate it against the proxy's public JWK endpoint (RS256). Is it possible for the openidc module to sign the JWT with a specified private key before creating the session cookie (asymmetric, since I cannot trust other clients will keep a key safe)?
How can an endpoint accept access tokens passed via header while maintaining the user redirect pattern? (For example, for hitting a given endpoint using curl or Postman after retrieving a token from the IdP), e.g. for E2E tests or scripts.
Thank you!
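The proxy-signed JWT strategy the question describes, as an added example that is not part of this discussion or of the openidc module: the proxy mints an RS256 token after it completes the login, and Service A accepts it only after verifying the signature with the proxy's public key (a constructed in-memory key here stands in for the proxy's JWKS endpoint), pinning the algorithm and checking expiry. `ProxySign`, `ServiceVerify` and `ProxyKey` are hypothetical names for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs use base64url without padding
// ProxyKey: constructed stand-in for the proxy's signing key (normally loaded from disk).
var ProxyKey, _ = rsa.GenerateKey(rand.Reader, 2048)
// Only header the proxy emits; an exact match pins alg to RS256 (no alg=none / HS256 swap).
var hdrB64 = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))

// ProxySign mints the compact RS256 JWT the proxy forwards after it completed
// the OIDC login: subject plus expiry (unix seconds), signed with its own key.
func ProxySign(priv *rsa.PrivateKey, sub string, exp int64) (string, error) {
	body, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": exp})
	input := hdrB64 + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// ServiceVerify is Service A's side: verify the signature with the proxy's
// public key before trusting any claim, then enforce exp and return sub.
func ServiceVerify(pub *rsa.PublicKey, token string, now int64) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != hdrB64 {
		return "", errors.New("malformed token or unexpected header")
	}
	sig, _ := b64.DecodeString(p[2]) // a decode error leaves a truncated sig, rejected below
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	if cl, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(cl, &c) != nil || c.Exp <= now {
		return "", errors.New("invalid or expired claims")
	}
	return c.Sub, nil
}
```

Service A never needs the private key, so a compromised downstream service cannot mint tokens for the others, which is the asymmetric property the question asks for.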