OIDC deployment guides update for NGINX Plus R36 (#1505)

Update OIDC deployment guides to reflect R36 capabilities.

Co-authored-by: Ivan Ovchinnikov <i.ovchinnikov@f5.com>

Author: y82

content/nginx/deployment-guides/single-sign-on/active-directory-federation-services.md

@@ -10,13 +10,13 @@ nd-docs: DOCS-1683
 
 This guide explains how to enable single sign-on (SSO) for applications being proxied by F5 NGINX Plus. The solution uses OpenID Connect as the authentication mechanism, with [Microsoft Active Directory Federation Services](https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services) (AD FS) as the Identity Provider (IdP) and NGINX Plus as the Relying Party (RP), or OIDC client application that verifies user identity.
 
-{{< call-out "note" >}} This guide applies to [NGINX Plus Release 35]({{< ref "nginx/releases.md#r35" >}}) and later. In earlier versions, NGINX Plus relied on an [njs-based solution](#legacy-njs-guide), which required NGINX JavaScript files, key-value stores, and advanced OpenID Connect logic. In the latest NGINX Plus version, the new [OpenID Connect module](https://nginx.org/en/docs/http/ngx_http_oidc_module.html) simplifies this process to just a few directives.{{< /call-out >}}
+{{< call-out "note" >}} This guide applies to [NGINX Plus Release 36]({{< ref "nginx/releases.md#r36" >}}) and later. In earlier versions, NGINX Plus relied on an [njs-based solution](#legacy-njs-guide), which required NGINX JavaScript files, key-value stores, and advanced OpenID Connect logic. In the latest NGINX Plus version, the new [OpenID Connect module](https://nginx.org/en/docs/http/ngx_http_oidc_module.html) simplifies this process to just a few directives.{{< /call-out >}}
 
 ## Prerequisites
 
 - A Microsoft AD FS instance, either on-premises or in [Azure](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs), with administrator privileges.
 
-- An NGINX Plus [subscription](https://www.f5.com/products/nginx/nginx-plus) and NGINX Plus [Release 35]({{< ref "nginx/releases.md#r35" >}}) or later. For installation instructions, see [Installing NGINX Plus](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-plus/).
+- An NGINX Plus [subscription](https://www.f5.com/products/nginx/nginx-plus) and NGINX Plus [Release 36]({{< ref "nginx/releases.md#r36" >}}) or later. For installation instructions, see [Installing NGINX Plus](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-plus/).
 
 - A domain name pointing to your NGINX Plus instance, for example, `demo.example.com`.
 
@@ -66,6 +66,17 @@ After creating the application group, you need to configure the logout URLs to s
 
    - Add the post logout URL, for example: `https://demo.example.com/post_logout/`.
 
+4. To enable OpenID Connect front-channel logout (single sign-out when the user signs out of another application):
+
+    - Use PowerShell to configure a **LogoutUri** for the AD FS client (there is no GUI option for this). For example, run:
+      
+      ```powershell
+      Set-AdfsClient -TargetClientId <client-id> -LogoutUri https://demo.example.com/front_logout/
+      ```
+      Replace `<client-id>` with the Client Identifier from [Step 5](#adfs-setup-id) above (the AD FS Application ID) and substitute the domain name of your NGINX Plus instance for `demo.example.com`.
+      
+      This registers a front-channel logout URL (`LogoutUri`) for the client in AD FS. When a user signs out of this or any other application in AD FS, the AD FS server sends a GET request to this URL (typically via a hidden iframe) with the user's session ID (`sid`) as a query parameter, instructing NGINX Plus to clear the user's session. According to the OpenID Connect front-channel logout specification, the identity provider is supposed to send both an issuer (`iss`) and a session ID; AD FS provides only the `sid` parameter, but the NGINX Plus OIDC module supports both the fully compliant `iss+sid` and the `sid`-only variants and will clear the session in either case.
+
 ### Get the OpenID Connect Discovery URL
 
 Check the OpenID Connect endpoint URL. By default, AD FS publishes the `.well-known/openid-configuration` document at the following address:
@@ -97,6 +108,8 @@ Check the OpenID Connect endpoint URL. By default, AD FS publishes the `.well-kn
        "jwks_uri": "https://adfs-server-address/adfs/discovery/keys",
        "userinfo_endpoint": "https://adfs-server-address/adfs/userinfo",
        "end_session_endpoint": "https://adfs-server-address/adfs/oauth2/logout",
+       "frontchannel_logout_supported": true,
+       "frontchannel_logout_session_supported": true
        ...
    }
    ```
@@ -118,10 +131,10 @@ With AD FS configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as t
     nginx -v
     ```
 
-    The output should match NGINX Plus Release 35 or later:
+    The output should match NGINX Plus Release 36 or later:
 
     ```text
-    nginx version: nginx/1.29.0 (nginx-plus-r35)
+    nginx version: nginx/1.29.3 (nginx-plus-r36)
     ```
 
 2.  Ensure that you have the values of the **Client ID**, **Client Secret**, and **Issuer** obtained during [AD FS Configuration](#adfs-setup).
@@ -165,27 +178,36 @@ With AD FS configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as t
 
     - The **logout_uri** is URI that a user visits to start an RP‑initiated logout flow.
 
+    - The **frontchannel_logout_uri** directive defines the URI that receives OpenID Connect front-channel logout requests from AD FS. This URI must be an HTTPS path and must match the LogoutUri configured for the client in AD FS. When AD FS triggers a front-channel logout (for example, when a user signs out of another application), it sends a GET request to this URI (typically via a hidden iframe) with the session ID (sid) as a query parameter. The OIDC module clears the corresponding user session on NGINX Plus.
+
     - The **post_logout_uri** is absolute HTTPS URL where AD FS should redirect the user after a successful logout. This value **must also be configured** in the AD FS application properties.
 
     - If the **logout_token_hint** directive set to `on`, NGINX Plus sends the user's ID token as a *hint* to AD FS.
       This directive is **optional**, however, if it is omitted the AD FS may display an extra confirmation page asking the user to approve the logout request.
 
     - If the **userinfo** directive is set to `on`, NGINX Plus will fetch `/userinfo` from the AD FS and append the claims from userinfo to the `$oidc_claims_` variables.
 
+    - PKCE (Proof Key for Code Exchange) is automatically enabled when the provider's OpenID Connect discovery document advertises the S256 code challenge method in the code_challenge_methods_supported field. You can override this behavior with the pkce directive: set `pkce off;` to disable PKCE even when S256 is advertised, or `pkce on;` to force PKCE even if the IdP's metadata does not list S256.
+
     - {{< call-out "important" >}} All interaction with the IdP is secured exclusively over SSL/TLS, so NGINX must trust the certificate presented by the IdP. By default, this trust is validated against your system's CA bundle (the default CA store for your Linux or FreeBSD distribution). If the IdP's certificate is not included in the system CA bundle, you can explicitly specify a trusted certificate or chain with the [`ssl_trusted_certificate`](https://nginx.org/en/docs/http/ngx_http_oidc_module.html#ssl_trusted_certificate) directive so that NGINX can validate and trust the IdP's certificate. {{< /call-out >}}
 
     ```nginx
     http {
         resolver 10.0.0.1 ipv4=on valid=300s;
 
         oidc_provider adfs {
-            issuer            https://adfs.example.com/adfs;
-            client_id         <client_id>;
-            client_secret     <client_secret>;
-            logout_uri        /logout;
-            post_logout_uri   https://demo.example.com/post_logout/;
-            logout_token_hint on;
-            userinfo          on;
+            issuer                  https://adfs.example.com/adfs;
+            client_id               <client_id>;
+            client_secret           <client_secret>;
+            logout_uri              /logout;
+            post_logout_uri         https://demo.example.com/post_logout/;
+            frontchannel_logout_uri /front_logout;
+            logout_token_hint       on;
+            userinfo                on;
+
+            # Optional: PKCE configuration. By default, PKCE is automatically
+            # enabled when the IdP advertises the S256 code challenge method.
+            # pkce                  on;
         }
 
         # ...
@@ -314,8 +336,14 @@ http {
         post_logout_uri https://demo.example.com/post_logout/;
         logout_token_hint on;
 
+        # Front-channel logout
+        frontchannel_logout_uri /front_logout;
+
         # Fetch userinfo claims
         userinfo on;
+
+        # Optional: PKCE configuration (enabled automatically when supported by the IdP)
+        # pkce on;
     }
 
     server {
@@ -373,10 +401,12 @@ If you are running NGINX Plus R33 and earlier or if you still need the njs-based
 
 - [NGINX Plus Native OIDC Module Reference documentation](https://nginx.org/en/docs/http/ngx_http_oidc_module.html)
 
-- [Release Notes for NGINX Plus R35]({{< ref "nginx/releases.md#r35" >}})
+- [Release Notes for NGINX Plus R36]({{< ref "nginx/releases.md#r36" >}})
 
 ## Revision History
 
-- Version 2 (August 2025) – Added RP‑initiated logout (logout_uri, post_logout_uri, logout_token_hint) and userinfo support.
+- Version 3 (November 2025) – Updated for NGINX Plus R36; added front-channel logout support (`frontchannel_logout_uri`), PKCE configuration (`pkce` directive), and the `client_secret_post` token endpoint authentication method.
+
+- Version 2 (August 2025) – Updated for NGINX Plus R35; added RP‑initiated logout (`logout_uri`, `post_logout_uri`, `logout_token_hint`) and `userinfo` support.
 
-- Version 1 (March 2025) – Initial version (NGINX Plus Release 34)
+- Version 1 (March 2025) – Initial version (NGINX Plus Release 34).

content/nginx/deployment-guides/single-sign-on/auth0.md

@@ -10,13 +10,13 @@ nd-docs: DOCS-1686
 
 This guide explains how to enable single sign-on (SSO) for applications being proxied by F5 NGINX Plus. The solution uses OpenID Connect as the authentication mechanism, with [Auth0](https://auth0.com/features/single-sign-on) as the Identity Provider (IdP), and NGINX Plus as the Relying Party, or OIDC client application that verifies user identity.
 
-{{< call-out "note" >}} This guide applies to [NGINX Plus Release 35]({{< ref "nginx/releases.md#r35" >}}) and later. In earlier versions, NGINX Plus relied on an [njs-based solution](#legacy-njs-guide), which required NGINX JavaScript files, key-value stores, and advanced OpenID Connect logic. In the latest NGINX Plus version, the new [OpenID Connect module](https://nginx.org/en/docs/http/ngx_http_oidc_module.html) simplifies this process to just a few directives.{{< /call-out >}}
+{{< call-out "note" >}} This guide applies to [NGINX Plus Release 36]({{< ref "nginx/releases.md#r36" >}}) and later. In earlier versions, NGINX Plus relied on an [njs-based solution](#legacy-njs-guide), which required NGINX JavaScript files, key-value stores, and advanced OpenID Connect logic. In the latest NGINX Plus version, the new [OpenID Connect module](https://nginx.org/en/docs/http/ngx_http_oidc_module.html) simplifies this process to just a few directives.{{< /call-out >}}
 
 ## Prerequisites
 
 - An [Auth0](https://auth0.com/) tenant with administrator privileges.
 
-- An NGINX Plus [subscription](https://www.f5.com/products/nginx/nginx-plus) and NGINX Plus [Release 35]({{< ref "nginx/releases.md#r35" >}}) or later. For installation instructions, see [Installing NGINX Plus](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-plus/).
+- An NGINX Plus [subscription](https://www.f5.com/products/nginx/nginx-plus) and NGINX Plus [Release 36]({{< ref "nginx/releases.md#r36" >}}) or later. For installation instructions, see [Installing NGINX Plus](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-plus/).
 
 - A domain name pointing to your NGINX Plus instance, for example, `demo.example.com`.
 
@@ -101,10 +101,10 @@ With Auth0 configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as t
     nginx -v
     ```
 
-    The output should match NGINX Plus Release 35 or later:
+    The output should match NGINX Plus Release 36 or later:
 
     ```none
-    nginx version: nginx/1.29.0 (nginx-plus-r35)
+    nginx version: nginx/1.29.3 (nginx-plus-r36)
     ```
 
 2.  Ensure that you have the values of the **Client ID**, **Client Secret**, and **Issuer** obtained during [Auth0 Configuration](#auth0-setup).
@@ -156,6 +156,10 @@ With Auth0 configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as t
 
     - If the **userinfo** directive is set to `on`, NGINX Plus will fetch `/userinfo` from the Auth0 and append the claims from userinfo to the `$oidc_claims_` variables.
 
+    - PKCE (Proof Key for Code Exchange) is automatically enabled when Auth0's OpenID Connect discovery document advertises the `S256` code challenge method in the `code_challenge_methods_supported` field. You can override this behavior with the [`pkce`](https://nginx.org/en/docs/http/ngx_http_oidc_module.html#pkce) directive: set `pkce off;` to disable PKCE even when `S256` is advertised, or `pkce on;` to force PKCE even if the IdP metadata does not list `S256`.
+
+    - The module automatically selects the client authentication method for the token endpoint based on the provider metadata `token_endpoint_auth_methods_supported`. When only `client_secret_post` is advertised, NGINX Plus uses the `client_secret_post` method and sends the client credentials in the POST body. When both `client_secret_basic` and `client_secret_post` are present, the module prefers HTTP Basic (`client_secret_basic`), which remains the default for Auth0.
+
     - {{< call-out "important" >}} All interaction with the IdP is secured exclusively over SSL/TLS, so NGINX must trust the certificate presented by the IdP. By default, this trust is validated against your system’s CA bundle (the default CA store for your Linux or FreeBSD distribution). If the IdP’s certificate is not included in the system CA bundle, you can explicitly specify a trusted certificate or chain with the [`ssl_trusted_certificate`](https://nginx.org/en/docs/http/ngx_http_oidc_module.html#ssl_trusted_certificate) directive so that NGINX can validate and trust the IdP’s certificate. {{< /call-out >}}
 
     ```nginx
@@ -170,6 +174,10 @@ With Auth0 configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as t
             post_logout_uri   https://demo.example.com/post_logout/;
             logout_token_hint on;
             userinfo          on;
+
+            # Optional: PKCE configuration. By default, PKCE is automatically
+            # enabled when the IdP advertises the S256 code challenge method.
+            # pkce on;
         }
 
         # ...
@@ -292,6 +300,9 @@ http {
 
         # Fetch userinfo claims
         userinfo on;
+
+        # Optional: PKCE configuration
+        # pkce on;
     }
 
     server {
@@ -348,10 +359,12 @@ If you are running NGINX Plus R33 and earlier or if you still need the njs-based
 
 - [NGINX Plus Native OIDC Module Reference documentation](https://nginx.org/en/docs/http/ngx_http_oidc_module.html)
 
-- [Release Notes for NGINX Plus R35]({{< ref "nginx/releases.md#r35" >}})
+- [Release Notes for NGINX Plus R36]({{< ref "nginx/releases.md#r36" >}})
 
 ## Revision History
 
-- Version 2 (August 2025) – Added RP‑initiated logout (logout_uri, post_logout_uri, logout_token_hint) and userinfo support.
+- Version 3 (November 2025) – Updated for NGINX Plus R36; added PKCE configuration (`pkce` directive) and the `client_secret_post` token endpoint authentication method.
+
+- Version 2 (August 2025) – Updated for NGINX Plus R35; added RP‑initiated logout (`logout_uri`, `post_logout_uri`, `logout_token_hint`) and `userinfo` support.
 
-- Version 1 (March 2025) – Initial version (NGINX Plus Release 34)
+- Version 1 (March 2025) – Initial version (NGINX Plus Release 34).