Differences

This shows you the differences between two versions of the page.

Link to this comparison view

documentation:latest:idpopenidconnect [2019/11/04 11:20]
127.0.0.1 external edit
documentation:latest:idpopenidconnect [2019/12/21 15:14]
Line 1: Line 1:
-====== OpenID Connect Provider ====== 
  
-===== Presentation ===== 
- 
-<​note>​OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: [[http://​openid.net/​connect/​]].</​note>​ 
- 
-LL::NG can act as an OpenID Connect Provider (OP). It will answer to OpenID Connect requests to give user identity (trough ID Token) and information (trough User Info end point). 
- 
-As an OP, LL::NG supports a lot of OpenID Connect features: 
-  * Authorization Code, Implicit and Hybrid flows 
-  * Publication of JSON metadata and JWKS data (Discovery) 
-  * ''​prompt'',​ ''​display'',​ ''​ui_locales'',​ ''​max_age''​ parameters 
-  * Extra claims definition 
-  * Authentication context Class References (ACR) 
-  * Nonce 
-  * Dynamic registration 
-  * Access Token Hash generation 
-  * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512) 
-  * UserInfo endpoint, as JSON or as JWT 
-  * Request and Request URI 
-  * Session management 
-  * FrontChannel Logout 
-  * BackChannel Logout 
-  * PKCE (Since ''​2.0.4''​) - See [[https://​tools.ietf.org/​html/​rfc7636|RFC 7636]] 
-  * Introspection endpoint (Since ''​2.0.6''​) - See [[https://​tools.ietf.org/​html/​rfc7662|RFC 7662]] 
-  * Offline access (Since ''​2.0.7''​) 
-  * Refresh Tokens (Since ''​2.0.7''​) 
-===== Configuration ===== 
- 
-==== OpenID Connect Service ==== 
- 
-See [[openidconnectservice|OpenID Connect service]] configuration chapter. 
- 
-==== IssuerDB ==== 
- 
-Go in ''​General Parameters''​ » ''​Issuer modules''​ » ''​OpenID Connect''​ and configure: 
-  * **Activation**:​ set to ''​On''​. 
-  * **Path**: keep ''​^/​oauth2/''​ unless you need to use another path 
-  * **Use rule**: a rule to allow user to use this module, set to ''​1''​ to always allow. 
- 
-<note tip> 
-For example, to allow only users with a strong authentication level: 
-<​code>​ 
-$authenticationLevel > 2 
-</​code>​ 
-</​note>​ 
- 
-==== Configuration of LL::NG in Relying Party ==== 
- 
-Each Relying Party has its own configuration way. LL::NG publish its OpenID Connect metadata to ease the configuration of client. 
- 
-The metadata can be found at the standard "Well Known" URL: [[http://​auth.example.com/​.well-known/​openid-configuration]] 
- 
-An example of its content: 
-<file javascript>​ 
-{ 
-   "​end_session_endpoint"​ : "​http://​auth.example.com/​oauth2/​logout",​ 
-   "​jwks_uri"​ : "​http://​auth.example.com/​oauth2/​jwks",​ 
-   "​token_endpoint_auth_methods_supported"​ : [ 
-      "​client_secret_post",​ 
-      "​client_secret_basic"​ 
-   ], 
-   "​token_endpoint"​ : "​http://​auth.example.com/​oauth2/​token",​ 
-   "​response_types_supported"​ : [ 
-      "​code",​ 
-      "​id_token",​ 
-      "​id_token token",​ 
-      "code id_token",​ 
-      "code token",​ 
-      "code id_token token" 
-   ], 
-   "​userinfo_signing_alg_values_supported"​ : [ 
-      "​none",​ 
-      "​HS256",​ 
-      "​HS384",​ 
-      "​HS512",​ 
-      "​RS256",​ 
-      "​RS384",​ 
-      "​RS512"​ 
-   ], 
-   "​id_token_signing_alg_values_supported"​ : [ 
-      "​none",​ 
-      "​HS256",​ 
-      "​HS384",​ 
-      "​HS512",​ 
-      "​RS256",​ 
-      "​RS384",​ 
-      "​RS512"​ 
-   ], 
-   "​userinfo_endpoint"​ : "​http://​auth.example.com/​oauth2/​userinfo",​ 
-   "​request_uri_parameter_supported"​ : "​true",​ 
-   "​acr_values_supported"​ : [ 
-      "​loa-4",​ 
-      "​loa-1",​ 
-      "​loa-3",​ 
-      "​loa-5",​ 
-      "​loa-2"​ 
-   ], 
-   "​request_parameter_supported"​ : "​true",​ 
-   "​subject_types_supported"​ : [ 
-      "​public"​ 
-   ], 
-   "​issuer"​ : "​http://​auth.example.com/",​ 
-   "​grant_types_supported"​ : [ 
-      "​authorization_code",​ 
-      "​implicit",​ 
-      "​hybrid"​ 
-   ], 
-   "​authorization_endpoint"​ : "​http://​auth.example.com/​oauth2/​authorize",​ 
-   "​check_session_iframe"​ : "​http://​auth.example.com/​oauth2/​checksession",​ 
-   "​scopes_supported"​ : [ 
-      "​openid",​ 
-      "​profile",​ 
-      "​email",​ 
-      "​address",​ 
-      "​phone"​ 
-   ], 
-   "​require_request_uri_registration"​ : "​false",​ 
-   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​ 
-} 
-</​file>​ 
- 
-==== Configuration of Relying Party in LL::NG ==== 
- 
-Go in Manager and click on ''​OpenID Connect Relying Parties'',​ then click on ''​Add OpenID Relying Party''​. Give a technical name (no spaces, no special characters),​ like “sample-rp”;​ 
- 
-You can then access to the configuration of this RP.  
- 
-=== Exported attributes === 
- 
-You can map here the attribute names from the LL::NG session to an [[http://​openid.net/​specs/​openid-connect-core-1_0.html#​StandardClaims|OpenID Connect claim]]. ​ 
- 
-{{section>​openidconnectclaims&​noheader}} 
- 
-So you can define for example: 
-  * name => cn 
-  * family_name => sn 
-  * email => mail 
- 
-<note important>​The specific ''​sub''​ attribute is not defined here, but in User attribute parameter (see below).</​note>​ 
- 
-You can also define extra claims and link them to attributes (see below). Then you just have to define the mapping of this new attributes, for example: 
-  * birthplace => l 
-  * birthcountry => co 
- 
-=== Options === 
- 
-  * **Authentication**:​ 
-    * **Client ID**: Client ID for this RP 
-    * **Client secret**: Client secret for this RP (can be use for symmetric signature) 
-    * **Public client** (since version ''​2.0.4''​):​ set this RP as public client, so authentication is not needed on token endpoint 
-    * **Require PKCE** (since version ''​2.0.4''​):​ a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]]) 
-   * **User attribute**:​ session field that will be used as main identifier (''​sub''​) 
-  * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​ 
-  * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour. 
-  * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour. 
-  * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute. 
-  * **Use refresh tokens**: If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid. 
-  * **Allow offline access**: After enabling this feature, an application may request the  **offline_access** scope, and will obtain a Refresh Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details. These offline sessions can be administered through the Session Browser. 
-  * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled. 
-  * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP 
-  * **Bypass consent**: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard. 
- 
-=== Extra claims === 
- 
-Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​ 
- 
-=== Display === 
- 
-  * **Display name**: Name of the RP application 
-  * **Logo**: Logo of the RP application