Comparing changes
base repository: nginx-openid-connect/nginx-oidc-core-v1
base: main
head repository: nginxinc/nginx-openid-connect
compare: main
- 14 commits
- 6 files changed
- 8 contributors
Commits on May 5, 2023
Commit 8da37d2
Commits on Dec 29, 2023
Add URL encoding to auth_redir cookie value (nginxinc#86)
Storing a URI directly in the auth_redir cookie without encoding has led to issues where browsers misinterpret special characters, like semicolons, as part of the cookie delimiter. This behavior results in the truncation of the URI at the special character, causing incomplete or incorrect redirection URLs after user authentication.
Commit 39334b6
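
The truncation described in this commit message, as an added example (not code from the nginx-openid-connect repository): a minimal model of RFC 6265 value parsing with the raw and the encoded cookie side by side. The function names, the sample URI and the `Path`/`HttpOnly` attributes are constructed for illustration.

```javascript
// Minimal model of how a user agent reads Set-Cookie (RFC 6265, section 5.2):
// the name=value pair ends at the first ';', the rest is parsed as attributes.
function parseSetCookie(header) {
  const semi = header.indexOf(';');
  const pair = semi === -1 ? header : header.slice(0, semi);
  const eq = pair.indexOf('=');
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// "Before": the original request URI is stored in the cookie as-is.
function setRedirCookieRaw(uri) {
  return 'auth_redir=' + uri + '; Path=/; HttpOnly';
}

// "After": the URI is percent-encoded, so ';' and '=' inside it cannot be
// mistaken for cookie syntax.
function setRedirCookieEncoded(uri) {
  return 'auth_redir=' + encodeURIComponent(uri) + '; Path=/; HttpOnly';
}

// Decode on the way back; a malformed escape sequence yields null so the
// caller can fall back to a default landing page instead of throwing.
function readRedirCookie(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return null;
  }
}

// Constructed sample: a URI with a matrix parameter and a query string.
const SAMPLE_URI = '/app/report;jsessionid=abc123?next=/a&b=1';

const rawValue = parseSetCookie(setRedirCookieRaw(SAMPLE_URI)).value;
const encValue = parseSetCookie(setRedirCookieEncoded(SAMPLE_URI)).value;

console.log('raw cookie value     :', rawValue);
console.log('encoded, then decoded:', readRedirCookie(encValue));
```
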
Commits on Apr 17, 2024
Change default keyval state file location. (nginxinc#90)
Previously, the keyval state file was configured to be stored in the "conf.d" directory. By default, the NGINX process does not have write access to this directory, necessitating users to either specify a different path or alter the directory permissions. The default path for the state file has been changed to "/var/lib/nginx/state". This new location is more suitable for most Linux users and aligns with security best practices, as only the NGINX user has read and write permissions by default.
Commit bce5c22
Commits on Jun 6, 2024
Commit 8dad580
Commits on Jul 2, 2024
Add support for RP-initiated OIDC logout (nginxinc#96)
Implement support for RP-initiated logout in accordance with OpenID Connect RP-Initiated Logout 1.0. Introduce "oidc_end_session_endpoint" variable to specify the "end_session_endpoint" URL. If "oidc_end_session_endpoint" is not set or is empty, the default behavior of logging out only on the NGINX side is maintained. When set, the endpoint triggers the RP-initiated logout as specified in the specification.
Commit 6ea7364
Commits on Jul 24, 2024
Added support for client_secret_basic as a client authentication method (nginxinc#97)
- Updated token exchange to use the Authorization header for client_secret_basic.
- Refactored logic for generating POST request parameters for token retrieval and refresh.
- Added "oidc_client_auth_method" variable to select client authentication method.
Commit 4f9da38
Commits on Aug 14, 2024
Commit afa8f4c
Commits on Oct 24, 2024
Fixed ID token nonce claim validation (nginxinc#104)
The validateIdToken function previously did not correctly validate the nonce claim in the ID Token due to improper handling of session state. The newSession variable, intended to indicate a new authentication session, was not reliably set, causing nonce validation to be skipped in all cases.
Co-authored-by: Tom Noonan II
Co-authored-by: Ivan Ovchinnikov
Commit 133504f
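
The class of bug this commit message describes, as an added example (a constructed illustration, not the project's `validateIdToken` code): a nonce check gated on a flag that is never set, next to a fail-closed version. The keyed-hash storage of the nonce, the `ctx` object shape and all sample values are assumptions.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Assumption: the RP keeps only a keyed hash of the nonce it sent.
function nonceHash(nonce, key) {
  return createHmac('sha256', key).update(nonce).digest('hex');
}

// Constructed "before": the check depends on a flag that may never be set.
function validateNonceGated(claims, ctx) {
  if (ctx.newSession) {
    return nonceHash(String(claims.nonce), ctx.key) === ctx.expectedHash;
  }
  return true; // flag undefined: check skipped, any nonce is accepted
}

// Fail closed: an unset flag, a missing claim or a missing stored hash
// rejects the token instead of skipping the comparison.
function validateNonceStrict(claims, ctx) {
  if (typeof ctx.newSession !== 'boolean') return false;
  if (!ctx.newSession) return true; // assumption: no nonce was issued for this request
  if (typeof claims.nonce !== 'string' || !ctx.expectedHash) return false;
  const got = Buffer.from(nonceHash(claims.nonce, ctx.key));
  const want = Buffer.from(String(ctx.expectedHash));
  return got.length === want.length && timingSafeEqual(got, want);
}

// Constructed sample data: the hash stored at login time, and an ID token
// whose nonce belongs to a different authentication request.
const KEY = 'example-hmac-key';
const STORED = nonceHash('nonce-sent-in-auth-request', KEY);
const FOREIGN_TOKEN = { sub: 'alice', nonce: 'nonce-from-another-login' };

// The session flag was never populated in this context object.
const ctxFlagUnset = { key: KEY, expectedHash: STORED };

console.log('gated :', validateNonceGated(FOREIGN_TOKEN, ctxFlagUnset));
console.log('strict:', validateNonceStrict(FOREIGN_TOKEN, ctxFlagUnset));
```
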
Commits on Dec 4, 2024
Commit f7e8726
Commits on Dec 12, 2024
Fix OIDC client authentication for POST method after f7e8726
Remove the `proxy_pass_request_body off` directive, which unintentionally broke OIDC client authentication using the POST body method (`client_secret_post`). Previously, when `$oidc_client_auth_method` was set to "client_secret_post" the `generateTokenRequestParams()` function correctly formatted the POST request and sent it via `r.subrequest` to the internal `/_token` location. However, the `proxy_pass_request_body off` directive caused the POST request to reach `$oidc_token_endpoint` with a valid Content-Length header but an empty body. This led to a timeout as the OP token endpoint closed the connection. Users encountered the error: "NGINX / OpenID Connect login failure." This commit restores functionality by ensuring the request body is passed to the token endpoint while retaining header exclusion to prevent CORS issues.
Commit 1da0cc1
Commits on Feb 22, 2025
Refactor code to use async/await, modular functions, and improve token handling.
- Switched from callbacks to async/await for clearer, more maintainable code.
- Broke up the monolithic code into smaller and modular functions.
- Refined id token validation logic.
- Changed the internal /_id_token_validation location to /_token_validation.
- Minimum required njs version is 0.7.0 now.
Commit 66c4eaa
Implement Front-Channel Logout endpoint
Implement OpenID Connect Front-Channel Logout 1.0 specification:
- Add default /front_channel_logout location that handles logout requests
- Both sid and iss parameters must be present
- Issuer verification against iss claim in ID token
Reference: https://openid.net/specs/openid-connect-frontchannel-1_0.html
Commit 1f5053b
Commits on Aug 14, 2025
Commit 6066b8c
Commits on Aug 22, 2025
- Implemented unified function for error handling.
- Each error is assigned its own identifier, generated by using the first 8 chars of the $request_id variable.
- Added support for JSON log output. This is controlled by the $oidc_log_format variable, which must be set to 'json'.
- Added support for stack trace output. This is enabled by the $oidc_debug variable, which must have any non-empty value. If this variable is defined, the $internal_error_message variable is overwritten with the text of the last error and returned to the User Agent - so use this only for debugging!
Commit 24d53f9