Differences

This shows you the differences between two versions of the page.

documentation:2.1:idpopenidconnect [2019/10/11 18:30]
maxbes [Presentation]
documentation:2.1:idpopenidconnect [2019/12/21 15:14]
coudot [Configuration of Relying Party in LL::NG]
Line 18: Line 18:
   * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512)   * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512)
   * UserInfo endpoint, as JSON or as JWT   * UserInfo endpoint, as JSON or as JWT
-  * Introspection endpoint 
   * Request and Request URI   * Request and Request URI
   * Session management   * Session management
   * FrontChannel Logout   * FrontChannel Logout
   * BackChannel Logout   * BackChannel Logout
-  * PKCE+  * PKCE (Since ''​2.0.4''​) - See [[https://​tools.ietf.org/​html/​rfc7636|RFC 7636]] 
 +  * Introspection endpoint (Since ''​2.0.6''​) - See [[https://​tools.ietf.org/​html/​rfc7662|RFC 7662]] 
 +  * Offline access (Since ''​2.0.7''​) 
 +  * Refresh Tokens (Since ''​2.0.7''​)
 ===== Configuration ===== ===== Configuration =====
  
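Review bot: the new "Offline access (Since 2.0.7)" and "Refresh Tokens (Since 2.0.7)" entries carry no specification link, while the PKCE and Introspection entries added in the same hunk link RFC 7636 and RFC 7662; for consistency, link offline access to the OpenID Connect Core 1.0 "OfflineAccess" section (the same anchor this change cites further down) and refresh tokens to RFC 6749, so readers can check which behaviour the feature implements.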
Line 115: Line 117:
    ],    ],
    "​require_request_uri_registration"​ : "​false",​    "​require_request_uri_registration"​ : "​false",​
-   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​+   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​
 +   "​introspection_endpoint":​ "​http://​auth.example.com/​oauth2/​introspect",​ 
 +   "​introspection_endpoint_auth_methods_supported":​ [ 
 +     "​client_secret_post",​ 
 +     "​client_secret_basic"​ 
 +   ]
 } }
 </​file>​ </​file>​
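Review bot: on the "+" side the `registration_endpoint` line still shows no trailing comma before the new `introspection_endpoint` key, which leaves the example discovery document as invalid JSON unless the comma was lost in rendering; it should read `"registration_endpoint" : "http://auth.example.com/oauth2/register",`. Separately, the new `introspection_endpoint` keeps the example's `http://` scheme although the listed `client_secret_post` and `client_secret_basic` methods send the client secret to that endpoint; the example would be better showing `https://` for it.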
Line 147: Line 154:
     * **Client ID**: Client ID for this RP     * **Client ID**: Client ID for this RP
     * **Client secret**: Client secret for this RP (can be use for symmetric signature)     * **Client secret**: Client secret for this RP (can be use for symmetric signature)
-    * **Public client**: set this RP as public client, so authentication is not needed on token endpoint +    * **Public client** ​(since version ''​2.0.4''​): set this RP as public client, so authentication is not needed on token endpoint 
-    * **Require PKCE**: a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]]) +    * **Require PKCE** ​(since version ''​2.0.4''​): a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]]) 
-  * **Display**:​ +   ​* **User attribute**:​ session field that will be used as main identifier (''​sub''​)
-    * **Display name**: Name of the RP application +
-    * **Logo**: Logo of the RP application +
-  ​* **User attribute**:​ session field that will be used as main identifier (''​sub''​)+
   * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​   * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​
-  * **ID Token expiration**:​ Expiration time of ID Tokens +  * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour. 
-  * **Access token expiration**:​ Expiration time of Access Tokens+  * **Force claims to be returned in ID Token**: This options will make user attributes from the requested scope appear as ID Token claims. 
 +  * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour. 
 +  * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute. 
 +  * **Use refresh tokens**: If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid. 
 +  * **Allow offline access**: After enabling this feature, an application may request the  **offline_access** scope, and will obtain a Refresh Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details. These offline sessions can be administered through the Session Browser. 
 +  * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled.
   * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP   * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP
   * **Bypass consent**: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard.   * **Bypass consent**: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard.
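Review bot: grammar in the new "Force claims to be returned in ID Token" line: "This options will make user attributes from the requested scope appear" should read "This option makes user attributes from the requested scope appear". The "Allow offline access" line also links a bare URL (`[[https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess]]`) with no link text, unlike the `[[url|RFC7636]]` form used two lines above; `[[...#OfflineAccess|OpenID Connect Core, Offline Access]]` would match. Since that same line says the token persists after the user has logged off, it would help to state next to "Offline session expiration" that the one-month default governs how long such a token stays usable, so admins know which setting to tune.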
Line 162: Line 171:
  
 Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​ Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​
 +
 +=== Macros ===
 +
 +You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
 +
 +=== Display ===
 +
 +  * **Display name**: Name of the RP application
 +  * **Logo**: Logo of the RP application
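Review bot: the new "Macros" section says these macros are evaluated only for this service and not stored in the session, but does not say where they can then be referenced (the extra claims and exported attributes described just above are the obvious place) nor link to the general macro documentation, so a reader cannot tell what syntax to use; one sentence with a cross-reference would close that gap.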