Differences

documentation:2.1:idpopenidconnect [2019/04/30 20:21]
maxbes [Configuration of Relying Party in LL::NG]
documentation:2.1:idpopenidconnect [2019/12/21 15:14]
coudot [Configuration of Relying Party in LL::NG]
Line 17: Line 17:
   * Access Token Hash generation   * Access Token Hash generation
   * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512)   * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512)
-  * UserInfo ​end point, as JSON or as JWT+  * UserInfo ​endpoint, as JSON or as JWT
   * Request and Request URI   * Request and Request URI
   * Session management   * Session management
   * FrontChannel Logout   * FrontChannel Logout
   * BackChannel Logout   * BackChannel Logout
-  * PKCE+  * PKCE (Since ''​2.0.4''​) - See [[https://​tools.ietf.org/​html/​rfc7636|RFC 7636]] 
 +  * Introspection endpoint (Since ''​2.0.6''​) - See [[https://​tools.ietf.org/​html/​rfc7662|RFC 7662]] 
 +  * Offline access (Since ''​2.0.7''​) 
 +  * Refresh Tokens (Since ''​2.0.7''​)
 ===== Configuration ===== ===== Configuration =====
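Review bot: the new "Offline access (Since 2.0.7)" and "Refresh Tokens (Since 2.0.7)" entries cite no specification, while the neighbouring PKCE and Introspection entries link RFC 7636 and RFC 7662; link the OpenID Connect Core OfflineAccess section (the same URL this revision adds further down under "Allow offline access") so a reader can check what an offline refresh token implies, namely that it outlives the user's session. A smaller point: "PKCE (Since ''2.0.4'')" uses a capitalised "Since" while the RP options below use "(since version ''2.0.4'')"; pick one form.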
  
Line 114: Line 117:
    ],    ],
    "​require_request_uri_registration"​ : "​false",​    "​require_request_uri_registration"​ : "​false",​
-   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​+   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​
 +   "​introspection_endpoint":​ "​http://​auth.example.com/​oauth2/​introspect",​ 
 +   "​introspection_endpoint_auth_methods_supported":​ [ 
 +     "​client_secret_post",​ 
 +     "​client_secret_basic"​ 
 +   ]
 } }
 </​file>​ </​file>​
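Review bot: the right-hand ''registration_endpoint'' line has no trailing comma as rendered, yet it is now followed by ''introspection_endpoint'', so the discovery-document sample is no longer valid JSON; it should read `"registration_endpoint" : "http://auth.example.com/oauth2/register",`. Also, every endpoint in this sample, including the newly added ''introspection_endpoint'', is an http:// URL; OpenID Connect Discovery requires an https issuer, and a plaintext introspection endpoint would expose client credentials and access tokens in transit, so consider switching the whole sample to https://auth.example.com even though the existing lines share the problem.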
Line 146: Line 154:
     * **Client ID**: Client ID for this RP     * **Client ID**: Client ID for this RP
     * **Client secret**: Client secret for this RP (can be use for symmetric signature)     * **Client secret**: Client secret for this RP (can be use for symmetric signature)
-    * **Public client**: set this RP as public client, so authentication is not needed on token endpoint +    * **Public client** ​(since version ''​2.0.4''​): set this RP as public client, so authentication is not needed on token endpoint 
-    * **Require PKCE**: a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]]) +    * **Require PKCE** ​(since version ''​2.0.4''​): a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]]) 
-  * **Display**:​ +   ​* **User attribute**:​ session field that will be used as main identifier (''​sub''​)
-    * **Display name**: Name of the RP application +
-    * **Logo**: Logo of the RP application +
-  ​* **User attribute**:​ session field that will be used as main identifier (''​sub''​)+
   * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​   * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​
-  * **ID Token expiration**:​ Expiration time of ID Tokens +  * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour. 
-  * **Access token expiration**:​ Expiration time of Access Tokens+  * **Force claims to be returned in ID Token**: This options will make user attributes from the requested scope appear as ID Token claims. 
 +  * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour. 
 +  * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute. 
 +  * **Use refresh tokens**: If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid. 
 +  * **Allow offline access**: After enabling this feature, an application may request the  **offline_access** scope, and will obtain a Refresh Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details. These offline sessions can be administered through the Session Browser. 
 +  * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled.
   * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP   * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP
   * **Bypass consent**: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard.   * **Bypass consent**: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard.
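Review bot: "Public client" and "Require PKCE" are documented as independent toggles, but a public client (no authentication at the token endpoint) is precisely the case RFC 7636 was written for; add a sentence under "Public client" recommending that "Require PKCE" be enabled with it, otherwise an intercepted authorization code can be redeemed by anyone at the token endpoint. Smaller points in the same hunk: "This options will make" should be "This option makes"; "Offline session expiration" says it "only applies if offline sessions are enabled", so name the option ("Allow offline access") to make the dependency explicit; and the unchanged "Client secret" line still reads "can be use for symmetric signature" (should be "can be used").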
Line 161: Line 171:
  
 Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​ Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​
 +
 +=== Macros ===
 +
 +You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
 +
 +=== Display ===
 +
 +  * **Display name**: Name of the RP application
 +  * **Logo**: Logo of the RP application
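Review bot: the new Macros subsection says what macros are not (not stored in the user's session) but not how they are written or where their values can be used; add a one-line example or a link to the existing macro documentation, and reword "macros that will be only evaluated for this service" to "macros that are evaluated only for this RP". Moving "Display name" and "Logo" into their own === Display === subsection is fine and matches the heading level used for === Macros ===.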