Containerized Nginx Plus is Unable to Open or Rename Okta JWK File


Why is my instance of Nginx Plus unable to access a JSON Web Key (JWK) file from Okta?

This instance of Nginx Plus was containerized with a Dockerfile similar to this official Dockerfile.alpine direct from Nginx, with the following differences:

. . .
COPY ["cert.pem", "cert.key", "/"]
. . .
RUN . . .
. . .
        nginx-plus-module-njs \
. . .
RUN ["rm", "/etc/nginx/conf.d/default.conf"]
. . .
COPY ["frontend.conf", "openid_connect.js", "openid_connect.server_conf", "openid_connect_configuration.conf", "/etc/nginx/conf.d/"]
. . .
CMD ["nginx", "-g", "daemon off; load_module modules/ngx_http_js_module.so;"]

frontend.conf, openid_connect.js, openid_connect.server_conf and openid_connect_configuration.conf were all copied from nginx-openid-connect, found here.

frontend.conf, openid_connect.server_conf and openid_connect_configuration.conf were all configured properly, following this part of the installation process.

Nginx Plus was configured properly in the Okta Admin Console as an OIDC application.

When I enter the static external IP address pointing at my containerized Nginx Plus instance in a fresh browser session, I am redirected to https://$OKTA_DOMAIN_NAME.okta.com and prompted to log in. After correct credentials are entered, I can see the following in the Nginx Plus logs:

. . .
1970/01/01 00:00:01 [alert] 1#1: open() "/etc/nginx/conf.d/oidc_id_tokens.json.tmp" failed (13: Permission denied)
. . .

Adding oidc_id_tokens.json.tmp to the Dockerfile with the following COPY instruction:

COPY --chown=nginx:nginx ["empty.file", "/etc/nginx/conf.d/oidc_id_tokens.json.tmp"]

produced another similar error after redeployment and another login flow:

. . .
1970/01/01 00:00:01 [crit] 1#1: rename() "/etc/nginx/conf.d/oidc_id_tokens.json.tmp" to "/etc/nginx/conf.d/oidc_id_tokens.json" failed (13: Permission denied)
. . .

How would I allow Nginx Plus access to the JWK file?


0
On BEST ANSWER

Under the "Troubleshooting" header from the nginx-openid-connect repository you linked, the final bullet underneath "Authentication is successful but browser shows too many redirects" instructs you to ensure that the nginx user has access to the JWK file.

This is not referring to an Okta user or account; this is referring to the nginx user within your Docker image. If you:

docker run \
--entrypoint="" \
--interactive \
--tty \
$NGINX_PLUS_IMAGE_ID \
cat /etc/nginx/nginx.conf

#=>

user  nginx;
. . .

you can see that the base Nginx config file uses the nginx user instead of root.

We should give nginx access to all files within the /etc/nginx directory with the:

RUN ["chown", "-R", "nginx:nginx", "/etc/nginx"]

Dockerfile instruction.
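The two log lines in the question come from one write-then-rename sequence: nginx first opens conf.d/oidc_id_tokens.json.tmp for writing and then renames it over oidc_id_tokens.json. Creating a new file and renaming one are both governed by the permissions of the directory, not of the file, which is why pre-creating the .tmp file with --chown made open() succeed but only moved the failure to rename(). The script below is an added example (not from the question, the answer, or the nginx-openid-connect project) that models the POSIX discretionary access checks for the three states the thread goes through. The uid/gid 101 for the nginx user and the 0755 mode of /etc/nginx/conf.d are constructed values for the example. The same model can be run against a narrower grant (for instance a dedicated directory that holds only the token state file) to confirm that the worker processes do not need write access to the whole of /etc/nginx, which chown -R also makes writable.

```python
import stat
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

R, W, X = 4, 2, 1  # POSIX permission bits within one class (owner/group/other)


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: FrozenSet[int]


@dataclass(frozen=True)
class Inode:
    """Ownership and mode of one file or directory (mode may carry the sticky bit)."""
    owner_uid: int
    owner_gid: int
    mode: int


# Constructed users: root (the Dockerfile build user) and the nginx worker user.
# uid/gid 101 is an assumption for the example, not a value from the thread.
ROOT = User("root", 0, frozenset({0}))
NGINX = User("nginx", 101, frozenset({101}))


def has(user: User, node: Inode, bit: int) -> bool:
    """Discretionary access check: root bypasses; others use their permission class."""
    if user.uid == 0:
        return True
    if user.uid == node.owner_uid:
        shift = 6  # owner class
    elif node.owner_gid in user.gids:
        shift = 3  # group class
    else:
        shift = 0  # other class
    return bool((node.mode >> shift) & bit)


def open_for_write(user: User, directory: Inode, existing: Optional[Inode]) -> bool:
    """open(path, O_WRONLY|O_CREAT): an existing file needs write on the file;
    creating a new one needs write and search (execute) on the directory."""
    if existing is not None:
        return has(user, existing, W)
    return has(user, directory, W) and has(user, directory, X)


def rename_in_dir(user: User, directory: Inode, src: Inode) -> bool:
    """rename(src, dst) within one directory: write and search on the directory,
    plus ownership of src or of the directory when the sticky bit is set."""
    if not (has(user, directory, W) and has(user, directory, X)):
        return False
    if directory.mode & stat.S_ISVTX and user.uid not in (0, src.owner_uid, directory.owner_uid):
        return False
    return True


def simulate(conf_d: Inode, tmp_file: Optional[Inode]) -> Tuple[bool, bool]:
    """Return (open_ok, rename_ok) for the worker's write-then-rename of the token file."""
    open_ok = open_for_write(NGINX, conf_d, tmp_file)
    if not open_ok:
        return False, False
    # A freshly created temp file would be owned by the creating (nginx) user.
    written = tmp_file if tmp_file is not None else Inode(NGINX.uid, NGINX.uid, 0o644)
    return True, rename_in_dir(NGINX, conf_d, written)


def scenario_original() -> Tuple[bool, bool]:
    """conf.d owned by root, mode 0755, no temp file: open() fails with EACCES."""
    return simulate(Inode(0, 0, 0o755), None)


def scenario_chowned_tmp() -> Tuple[bool, bool]:
    """Same directory, but the .tmp file was COPYed with --chown=nginx:nginx:
    open() now succeeds, rename() still fails because the directory is unchanged."""
    return simulate(Inode(0, 0, 0o755), Inode(NGINX.uid, NGINX.uid, 0o644))


def scenario_chown_recursive() -> Tuple[bool, bool]:
    """After RUN chown -R nginx:nginx /etc/nginx the directory itself is writable."""
    return simulate(Inode(NGINX.uid, NGINX.uid, 0o755), None)


if __name__ == "__main__":
    for name, fn in [("original", scenario_original),
                     ("chown .tmp only", scenario_chowned_tmp),
                     ("chown -R /etc/nginx", scenario_chown_recursive)]:
        open_ok, rename_ok = fn()
        print(f"{name:22s} open()={'ok' if open_ok else 'EACCES'} "
              f"rename()={'ok' if rename_ok else 'EACCES'}")
```

The middle scenario reproduces the thread's intermediate state exactly: owning the temporary file satisfies open(), but rename() is an operation on the directory entry, so the verdict only changes once the directory's owner or mode changes.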