Differences

This shows you the differences between two versions of the page.

documentation:latest:idpopenidconnect [2019/11/04 11:16]
maxbes [Configuration of Relying Party in LL::NG] describe new refresh token options
documentation:latest:idpopenidconnect [2019/12/21 15:14] (current)
Line 154: Line 154:
   * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​   * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​
   * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour.   * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour.
 +  * **Force claims to be returned in ID Token**: This options will make user attributes from the requested scope appear as ID Token claims.
   * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour.   * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour.
   * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute.   * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute.
   * **Use refresh tokens**: If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid.   * **Use refresh tokens**: If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid.
-  * **Allow offline access**: After enabling this feature, an application may request the  **offline_access* scope, and will obtain a Refresh Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details.+  * **Allow offline access**: After enabling this feature, an application may request the  **offline_access** scope, and will obtain a Refresh Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details. These offline sessions can be administered through the Session Browser.
   * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled.   * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled.
   * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP   * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP
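Review bot: the newly added **Force claims to be returned in ID Token** entry has a grammar slip, "This options will make" should read "This option will make", and unlike the neighbouring entries (ID Token expiration, Access token expiration, Authorization Code expiration), which each state their default, it does not say whether the option is enabled by default; add that. The markup fix from `**offline_access*` to `**offline_access**` in the **Allow offline access** entry is correct, and the added pointer that offline sessions can be administered through the Session Browser is a useful addition.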
Line 165: Line 166:
  
 Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​ Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​
 +
 +=== Macros ===
 +
 +You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
  
 === Display === === Display ===
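Review bot: the new Macros section reads "will be only evaluated for this service"; "will only be evaluated for this service, and not registered in the user's session" is the natural word order. It also gives no hint of where or how a macro is written, whereas the extra-claims text just above shows a worked example (''birth'' => ''birthplace birthcountry''); a similar one-line example of a macro name and its value would make the new section consistent with the rest of the page.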