Ignore Set-Cookie from token and introspection endpoint to fix caching

https://stackoverflow.com/a/9232739/2217862:

> Make sure your backend does not return Set-Cookie header. If Nginx sees
> it, it disables caching.
>
> proxy_ignore_header will ensure that the caching takes place.
> proxy_hide_header will ensure the Cookie payload is not included in the
> cached payload. This is important to avoid leaking cookies via the
> NGINX cache.

Author: jirutka

conf/server.conf

@@ -68,8 +68,10 @@ location = /-/internal/request-token {
   # If the last request passed to the server has not completed for the specified time,
   # one more request may be passed.
   proxy_cache_lock_age 2s;
-  # Ignore caching headers (OIDC Provider sends no-cache).
-  proxy_ignore_headers Cache-Control Expires;
+  # Ignore caching headers (OIDC Provider sends no-cache) and Set-Cookie.
+  # If the OIDC server returns Set-Cookie, the response will not be cached,
+  # so we must ignore it.
+  proxy_ignore_headers Cache-Control Expires Set-Cookie;
 }
 
 location = /-/internal/introspect-token {
@@ -93,4 +95,9 @@ location = /-/internal/introspect-token {
   proxy_cache_lock_age 2s;
   # Use stale responses if we cannot reach the server.
   proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+  # If the OIDC server returns Set-Cookie, the response will not be cached,
+  # so we must ignore it.
+  proxy_ignore_headers Set-Cookie;
+  # Don't include Set-Cookie in the cached payload.
+  proxy_hide_header Set-Cookie;
 }