Skip to content

Update OIDC implementation to work with tls-passthrough #7947

New issue
New issue
Open
Enhancement
Open
Update OIDC implementation to work with tls-passthrough#7947
Enhancement
Labels
enhancementPull requests for new features/feature enhancementsproposalAn issue that proposes a feature requestready for refinementAn issue that was triaged and it is ready to be refined
@vepatel

Description

@vepatel
vepatel
opened on Jun 24, 2025

As described in #7278,

In TLS-passthrough mode NIC at layer 4, it doesn't terminate SSL/TLS, so it never sees or can add http headers. It simply forwards the encrypted TCP stream to oidc, typically with proxy protocol enabled:

listen unix:/var/lib/nginx/passthrough-https.sock proxy_protocol;

We need to modify https://github.com/nginx/kubernetes-ingress/blob/main/internal/configs/oidc/oidc_common.conf based on https://github.com/nginxinc/nginx-openid-connect?tab=readme-ov-file#configuring-nginx-plus

something like:

map $proxy_protocol_server_port $effective_port {
  "" $server_port;
  default $proxy_protocol_server_port;
}
map $http_x_forwarded_port $redirect_base {
  "" $proto://$host:$effective_port;
  default $proto://$host:$http_x_forwarded_port;
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementPull requests for new features/feature enhancementsproposalAn issue that proposes a feature requestready for refinementAn issue that was triaged and it is ready to be refined

    Type

    Enhancement

    Projects

    NGINX Ingress Controller

    Status

    Prioritized backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions