Differences

This shows you the differences between two versions of the page.

documentation:2.1:idpopenidconnect [2019/04/30 20:21]
maxbes [Configuration of Relying Party in LL::NG]
documentation:2.1:idpopenidconnect [2020/04/24 12:04] (current)
maxbes [Configuration of Relying Party in LL::NG]
Line 17: Line 17:
   * Access Token Hash generation   * Access Token Hash generation
   * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512)   * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512)
-  * UserInfo ​end point, as JSON or as JWT+  * UserInfo ​endpoint, as JSON or as JWT
   * Request and Request URI   * Request and Request URI
   * Session management   * Session management
   * FrontChannel Logout   * FrontChannel Logout
   * BackChannel Logout   * BackChannel Logout
-  * PKCE+  * PKCE (Since ''​2.0.4''​) - See [[https://​tools.ietf.org/​html/​rfc7636|RFC 7636]] 
 +  * Introspection endpoint (Since ''​2.0.6''​) - See [[https://​tools.ietf.org/​html/​rfc7662|RFC 7662]] 
 +  * Offline access (Since ''​2.0.7''​) 
 +  * Refresh Tokens (Since ''​2.0.7''​)
 ===== Configuration ===== ===== Configuration =====
  
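Review bot: the four new feature bullets cite their specifications inconsistently: PKCE and the Introspection endpoint link RFC 7636 and RFC 7662, while Offline access and Refresh Tokens give only the version they appeared in. Suggest linking them the same way, e.g. `* Offline access (Since ''2.0.7'') - See [[https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess|OpenID Connect Core 1.0 OfflineAccess]]` and `* Refresh Tokens (Since ''2.0.7'') - See [[https://tools.ietf.org/html/rfc6749#section-6|RFC 6749 section 6]]`, so a reader can find the normative behaviour, in particular that a refresh token issued without the offline_access scope stays tied to the user's login session, which is exactly the distinction the **Use refresh tokens** and **Allow offline access** options further down this page rely on.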
Line 114: Line 117:
    ],    ],
    "​require_request_uri_registration"​ : "​false",​    "​require_request_uri_registration"​ : "​false",​
-   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​+   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​
 +   "​introspection_endpoint":​ "​http://​auth.example.com/​oauth2/​introspect",​ 
 +   "​introspection_endpoint_auth_methods_supported":​ [ 
 +     "​client_secret_post",​ 
 +     "​client_secret_basic"​ 
 +   ]
 } }
 </​file>​ </​file>​
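Review bot: the `registration_endpoint` member now needs a trailing comma because `introspection_endpoint` follows it, and the `+` line as rendered here shows none; please confirm the file block actually reads `"registration_endpoint" : "http://auth.example.com/oauth2/register",` or the example metadata will not parse as JSON. Also, the new introspection endpoint advertises `client_secret_post` and `client_secret_basic`, both of which carry the client secret in the request, so an `http://` URL in the example documents a secret travelling in cleartext. Suggest `"introspection_endpoint": "https://auth.example.com/oauth2/introspect",` (and `https://` for the other endpoints in this block) so that anyone copying the sample does not start from an insecure template.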
Line 120: Line 128:
 ==== Configuration of Relying Party in LL::NG ==== ==== Configuration of Relying Party in LL::NG ====
  
-Go in Manager and click on ''​OpenID Connect Relying Parties'',​ then click on ''​Add OpenID Relying Party''​. Give a technical ​name (no spaces, no special characters),​ like “sample-rp”;​+Go in Manager and click on ''​OpenID Connect Relying Parties'',​ then click on ''​Add OpenID Relying Party''​. Give a technical ​label (no spaces, no special characters),​ like “sample-rp”;​
  
 You can then access to the configuration of this RP.  You can then access to the configuration of this RP. 
Line 137: Line 145:
 <note important>​The specific ''​sub''​ attribute is not defined here, but in User attribute parameter (see below).</​note>​ <note important>​The specific ''​sub''​ attribute is not defined here, but in User attribute parameter (see below).</​note>​
  
-You can also define extra claims ​and link them to attributes (see below)Then you just have to define ​the mapping of this new attributesfor example+ 
-  * birthplace ​=> l +=== Extra Claims === 
-  birthcountry =co+ 
 +<note important>​By default, only claims ​that are part of standard OpenID Connect scopes will be sent to a clientIf you want to send a claim that is not in the OpenID Connect specificationyou need to declare it in the Extra Claims section</​note>​ 
 + 
 +If you want to make custom claims visible to OpenID Connect clients, you need to declare them in a scope. 
 + 
 +Add your additional scope as the **Key**, and a space-separated list of claims as the **Value**
 +  * timelord ​=> rebirth_count bloodline ​ 
 + 
 +In this example, an OpenID Client asking for the ''​timelord''​ scope will be able to read the ''​rebirth_count''​ and ''​bloodline''​ claims from the Userinfo endpoint. 
 + 
 +<note warning>​Any Claim defined in this section must be mapped to a LemonLDAP::​NG session attribute in the **Exported Attributes** section</​note>
  
 === Options === === Options ===
  
-  * **Authentication**:+  * **Basic**
     * **Client ID**: Client ID for this RP     * **Client ID**: Client ID for this RP
     * **Client secret**: Client secret for this RP (can be use for symmetric signature)     * **Client secret**: Client secret for this RP (can be use for symmetric signature)
-    * **Public client**: set this RP as public client, so authentication is not needed on token endpoint +    * **Public client** ​(since version ''​2.0.4''​): set this RP as public client, so authentication is not needed on token endpoint 
-    * **Require PKCE**: a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]]) +    * **Redirection addresses**: Space separated list of redirect addresses allowed for this RP 
-  * **Display**: + 
-    * **Display name**: Name of the RP application +  * **Advanced** 
-    ​* **Logo**: Logo of the RP application +    * **Bypass consent**: Enable if you never want to display ​the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard. 
-  * **User attribute**:​ session field that will be used as main identifier (''​sub''​) +    * **User attribute**:​ session field that will be used as main identifier (''​sub''​) 
-  * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​ +    * **Force claims to be returned in ID Token**: This options will make user attributes from the requested scope appear as ID Token claims. 
-  * **ID Token expiration**: Expiration time of ID Tokens +    * **Additional audiences** (since version ''​2.0.8''​):​ You can specify a space-separate list of audiences that will be added the audiences of the ID Token 
-  * **Access ​token expiration**: Expiration time of Access Tokens +    * **Use refresh tokens** (since version ''​2.0.7''​):​ If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid. 
-  * **Redirection ​addresses**: ​Space separated list of redirect addresses allowed for this RP +  ​* **Timeouts** 
-  * **Bypass consent**: Enable if you never want to display ​the scope sharing consent screen ​(consent will be accepted by default). Bypassing the consent ​is **not** compliant with OpenID Connect standard.+    * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute. 
 +    * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour. 
 +    * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour. 
 +    * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled. 
 + 
 + 
 +  * **Security** 
 +    ​* **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​ 
 +    * **Require PKCE** (since version ''​2.0.4''​):​ a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]]) 
 +    * **Allow offline access** (since version ''​2.0.7''​):​ After enabling this feature, an application may request the  **offline_access** scope, and will obtain a Refresh ​Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details. These offline sessions can be administered through the Session Browser. 
 +     * **Allow OAuth2.0 Password Grant** (since version ''​2.0.8''​)Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module. 
 +     ​* **Access ​Rule**: lets you specify a [[rules_examples|Perl rule]] to restrict access to this client 
 +  * **Logout** 
 +    * **Allowed redirection ​addresses ​for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ''​post_logout_redirect_uri''​) 
 +    * **URL**: Specify ​the relying party'​s logout URL 
 +    * **Type**: Type of Logout to perform ​(only Front-Channel ​is implemented for now) 
 +    ​* **Session required**: Whether to send the Session ID in the logout request 
 + 
 +=== Macros === 
 + 
 +You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
  
-=== Extra claims ​===+=== Display ​===
  
-Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​+  * **Display name**: Name of the RP application 
 +  * **Logo**: Logo of the RP application
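Review bot: the new Logout **Type** bullet states that only Front-Channel logout is implemented, which contradicts the feature list at the top of this page where BackChannel Logout is listed as supported; either the feature list or this bullet should be corrected, or the bullet should say which logout mechanism this per-RP option covers. Smaller points in the same hunk: the **Allow OAuth2.0 Password Grant** and **Access Rule** bullets are indented one space deeper than their siblings (`+     * **Allow OAuth2.0 Password Grant**`) and will render as a nested level under **Allow offline access**; **Additional audiences** is missing a word ("added to the audiences of the ID Token"); and "Grant on by this client" should read "Grant by this client". Two options introduced or kept here deserve a `<note warning>` in the document's own style: the Resource Owner Password Credentials grant hands the user's password to the client and is discouraged by the OAuth 2.0 Security Best Current Practice, so it should be enabled only for trusted first-party clients that cannot use a browser-based flow; and `none` among the ID Token signature algorithms yields an unsigned token whose `sub` and other claims the RP cannot verify, so it should not be used outside testing.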