This code is based on https://docs.nginx.com/nginx/deployment-guides/single-sign-on/

The original deployment guide focuses on FQDN-based OIDC IdP selection, this repository provides a number of changes and enhancements to support dynamic multiple IdPs based on the URI (map-based setup) and FQDN + URI (keyval-based setup), authorization and URI rewriting.

This supports deployments where all published REST APIs share a common FQDN (ie. http(s)://api.ff.lan/) and must be handled based on the first URI token, that is:

http://api.ff.lan/testapi-1/tasks -> this gets authenticated by IdP #1
http://api.ff.lan/testapi-2/tasks -> this gets authenticated by IdP #2

• a Kubernetes or Openshift cluster
• a private registry to push the NGINX Plus image and the test api images
• at least one OIDC IdP (like Keycloak, Okta, MS ADFS, etc)
• the NGINX Plus image must be built with support for javascript (nginx-plus-module-njs) and lua (nginx-plus-module-lua)

cd nginx-dockerfile

copy your nginx-repo.crt and nginx-repo.key to the local dir

docker build --no-cache -t YOUR_PRIVATE_REGISTRY/nginxplus-js-lua:TAG .
docker push YOUR_PRIVATE_REGISTRY/nginxplus-js-lua:TAG

• per-URI OIDC IdP selection (endpoints, client id, client key, ...) based on NGINX "maps"
• per-FQDN/URI OIDC IdP selection (endpoints, client id, client key, ...) based on NGINX "keyval_zone"
• per-FQDN/URI / per-REST API function HTTP method filtering
• per-FQDN/URI REST API function quota
• URI rewriting support

• Based on NGINX maps
• Based on NGINX keyval zones and REST APIs