all | any
Allows access if all (all) or at least one\n(any) of the\nngx_http_access_module,\nngx_http_auth_basic_module,\nngx_http_auth_request_module,\nor\nngx_http_auth_jwt_module\nmodules allow access.
Example:
\n\nlocation / {\n satisfy any;\n\n allow 192.168.1.0/32;\n deny all;\n\n auth_basic "closed site";\n auth_basic_user_file conf/htpasswd;\n}\nAllows access if all (all) or at least one\n(any) of the\nngx_http_access_module,\nngx_http_auth_basic_module,\nngx_http_auth_request_module,\nngx_http_auth_jwt_module\n(1.13.10),\nor\nngx_http_auth_oidc_module\n(1.27.4)\nmodules allow access.
Example:
\n\nlocation / {\n satisfy any;\n\n allow 192.168.1.0/32;\n deny all;\n\n auth_basic "closed site";\n auth_basic_user_file conf/htpasswd;\n}\nname {...}
Defines an OpenID Provider for use with the auth_oidc directive.
name | off
Enables end user authentication with the\nspecified OpenID Provider.
\n\nThe special value off cancels the effect\nof the auth_oidc directive\ninherited from the previous configuration level.
URL
Sets the Issuer Identifier URL of the OpenID Provider;\nrequired directive.\nThe URL must exactly match the value of “issuer”\nin the OpenID Provider metadata\nand requires the “https” scheme.
string
Specifies the client ID of the Relying Party;\nrequired directive.
\n" + }, + { + "name": "client_secret", + "default": "", + "contexts": [ + "oidc_provider" + ], + "syntax_md": [ + "*`string`*" + ], + "syntax_html": [ + "string
Specifies a secret value\nused to authenticate the Relying Party with the OpenID Provider.
\n" + }, + { + "name": "config_url", + "default": "URL
Sets a custom URL to retrieve the OpenID Provider metadata.
\n" + }, + { + "name": "cookie_name", + "default": "NGX_OIDC_SESSION", + "contexts": [ + "oidc_provider" + ], + "syntax_md": [ + "*`name`*" + ], + "syntax_html": [ + "name
Sets the name of a session cookie.
\n" + }, + { + "name": "extra_auth_args", + "default": "", + "contexts": [ + "oidc_provider" + ], + "syntax_md": [ + "*`string`*" + ], + "syntax_html": [ + "string
Sets additional query arguments for the\nauthentication request URL.
\n\nextra_auth_args "display=page&prompt=login";\nuri
Defines the Redirection URI path for post-authentication redirects\nexpected by the module from the OpenID Provider.\nThe uri must match the configuration on the Provider’s side.
scope …
Sets requested scopes.\nThe openid scope is always required by OIDC.
name
Specifies a custom\nkey-value database\nthat stores session data.\nBy default, an 8-megabyte key-value database named\noidc_default_store_<provider name>\nis created automatically.
\n\n" + }, + { + "name": "session_timeout", + "default": "8h", + "contexts": [ + "oidc_provider" + ], + "syntax_md": [ + "*`time`*" + ], + "syntax_html": [ + "A separate key-value database should be configured for each Provider\nto prevent session reuse across providers.
\n
time
Sets a timeout after which the session is deleted, unless it was\nrefreshed.
\n" + }, + { + "name": "ssl_crl", + "default": "", + "contexts": [ + "oidc_provider" + ], + "syntax_md": [ + "*`file`*" + ], + "syntax_html": [ + "file
Specifies a file with revoked certificates (CRL)\nin the PEM format used to verify\nthe certificates of the OpenID Provider endpoints.
file
Specifies a file with trusted CA certificates in the PEM format\nused to verify\nthe certificates of the OpenID Provider endpoints.
ID token
\n" + }, + { + "name": "$oidc_access_token", + "description_md": "access token", + "description_html": "access token
\n" + }, + { + "name": "$oidc_claim_NAME", + "description_md": "top-level ID token claim\n\nNested claims can be fetched with the\n[auth_jwt](https://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html) module:\n```\nhttp {\n auth_jwt_claim_set $postal_code address postal_code;\n\n server {\n location / {\n auth_oidc my_idp;\n auth_jwt off token=$oidc_id_token;\n\n proxy_set_header x-postal_code $postal_code;\n proxy_pass http://backend;\n }\n }\n}\n```", + "description_html": "top-level ID token claim
\n\nNested claims can be fetched with the\nauth_jwt module:
\n\nhttp {\n auth_jwt_claim_set $postal_code address postal_code;\n\n server {\n location / {\n auth_oidc my_idp;\n auth_jwt off token=$oidc_id_token;\n\n proxy_set_header x-postal_code $postal_code;\n proxy_pass http://backend;\n }\n }\n}\nSpecifies a JWT license file.\nBy default, the license.jwt file is expected to be at\n/etc/nginx/ for Linux or at\n/usr/local/etc/nginx/ for FreeBSD.
host:port
Sets the HTTP CONNECT proxy\nused for sending the usage report.
\n" + }, + { + "name": "proxy_username", + "default": "", + "contexts": [ + "mgmt" + ], + "syntax_md": [ + "*`string`*" + ], + "syntax_html": [ + "string
Sets the user name used for authentication on\nthe proxy.
\n" + }, + { + "name": "proxy_password", + "default": "", + "contexts": [ + "mgmt" + ], + "syntax_md": [ + "*`string`*" + ], + "syntax_html": [ + "string
Sets the password used for authentication on\nthe proxy.
\n\nThe password is sent unencrypted by default.\nIf the proxy supports TLS, the connection to the proxy can be\nprotected with the stream\nmodule:
\n\nmgmt {\n proxy 127.0.0.1:8080;\n proxy_username <name>;\n proxy_password <password>;\n}\n\nstream {\n server {\n listen 127.0.0.1:8080;\n \n proxy_ssl on;\n proxy_ssl_verify on;\n proxy_ssl_trusted_certificate <proxy_ca_file>;\n\n proxy_pass <proxy_host>:<proxy_port>;\n }\n}\n{...}
Specifies OTel data export parameters:
\n\nendpoint
the address of OTLP/gRPC endpoint that will accept telemetry data.
interval
the maximum interval between two exports,\nby default is 5 seconds.
batch_size
the maximum number of spans to be sent in one batch per worker,\nby default is 512.
batch_count
the number of pending batches per worker,\nspans exceeding the limit are dropped,\nby default is 4.
Example:
\n\notel_exporter {\n endpoint localhost:4317;\n interval 5s;\n batch_size 512;\n batch_count 4;\n}\nSpecifies OTel data export parameters:
\n\n\nendpoint [(http|https)://]host:port;
OTLP/gRPC endpoint that will accept telemetry data.\nTLS is supported since 0.1.2.
\ntrusted_certificate path;
the CA certificates file in PEM format used to verify TLS endpoint\n(since 0.1.2).\nDefaults to OS provided CA bundle.
header name value;
a custom HTTP header to add to telemetry export request (since 0.1.2).
interval time;
the maximum interval between two exports,\nby default is 5 seconds.
batch_size number;
the maximum number of spans to be sent in one batch per worker,\nby default is 512.
batch_count number;
the number of pending batches per worker,\nspans exceeding the limit are dropped,\nby default is 4.
Example:
\n\notel_exporter {\n endpoint https://otel-example.nginx.com:4317;\n\n header X-API-Token "my-token-value";\n}\nSets the\n“service.name”\nattribute of the OTel resource.
name value
Sets a custom OTel resource attribute.
\n" + }, { "name": "otel_trace", "default": "off", @@ -16536,5 +16849,5 @@ ] } ], - "version": "https://github.com/nginx/nginx.org/commit/602b6808b4d5ebe0d52b366bb95015116523cf54" + "version": "https://github.com/nginx/nginx.org/commit/47117cd87beed1b8f92857e46a66f3e8e514cf07" }