Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
documentation:latest:idpopenidconnect [2019/04/30 20:21]
documentation:latest:idpopenidconnect [2019/12/21 15:14] (current)
Line 1: Line 1:
 +====== OpenID Connect Provider ======
  
 +===== Presentation =====
 +
 +<​note>​OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: [[http://​openid.net/​connect/​]].</​note>​
 +
 +LL::NG can act as an OpenID Connect Provider (OP). It will answer to OpenID Connect requests to give user identity (trough ID Token) and information (trough User Info end point).
 +
 +As an OP, LL::NG supports a lot of OpenID Connect features:
 +  * Authorization Code, Implicit and Hybrid flows
 +  * Publication of JSON metadata and JWKS data (Discovery)
 +  * ''​prompt'',​ ''​display'',​ ''​ui_locales'',​ ''​max_age''​ parameters
 +  * Extra claims definition
 +  * Authentication context Class References (ACR)
 +  * Nonce
 +  * Dynamic registration
 +  * Access Token Hash generation
 +  * ID Token signature (HS256/​HS384/​HS512/​RS256/​RS384/​RS512)
 +  * UserInfo endpoint, as JSON or as JWT
 +  * Request and Request URI
 +  * Session management
 +  * FrontChannel Logout
 +  * BackChannel Logout
 +  * PKCE (Since ''​2.0.4''​) - See [[https://​tools.ietf.org/​html/​rfc7636|RFC 7636]]
 +  * Introspection endpoint (Since ''​2.0.6''​) - See [[https://​tools.ietf.org/​html/​rfc7662|RFC 7662]]
 +  * Offline access (Since ''​2.0.7''​)
 +  * Refresh Tokens (Since ''​2.0.7''​)
 +===== Configuration =====
 +
 +==== OpenID Connect Service ====
 +
 +See [[openidconnectservice|OpenID Connect service]] configuration chapter.
 +
 +==== IssuerDB ====
 +
 +Go in ''​General Parameters''​ » ''​Issuer modules''​ » ''​OpenID Connect''​ and configure:
 +  * **Activation**:​ set to ''​On''​.
 +  * **Path**: keep ''​^/​oauth2/''​ unless you need to use another path
 +  * **Use rule**: a rule to allow user to use this module, set to ''​1''​ to always allow.
 +
 +<note tip>
 +For example, to allow only users with a strong authentication level:
 +<​code>​
 +$authenticationLevel > 2
 +</​code>​
 +</​note>​
 +
 +==== Configuration of LL::NG in Relying Party ====
 +
 +Each Relying Party has its own configuration way. LL::NG publish its OpenID Connect metadata to ease the configuration of client.
 +
 +The metadata can be found at the standard "Well Known" URL: [[http://​auth.example.com/​.well-known/​openid-configuration]]
 +
 +An example of its content:
 +<file javascript>​
 +{
 +   "​end_session_endpoint"​ : "​http://​auth.example.com/​oauth2/​logout",​
 +   "​jwks_uri"​ : "​http://​auth.example.com/​oauth2/​jwks",​
 +   "​token_endpoint_auth_methods_supported"​ : [
 +      "​client_secret_post",​
 +      "​client_secret_basic"​
 +   ],
 +   "​token_endpoint"​ : "​http://​auth.example.com/​oauth2/​token",​
 +   "​response_types_supported"​ : [
 +      "​code",​
 +      "​id_token",​
 +      "​id_token token",​
 +      "code id_token",​
 +      "code token",​
 +      "code id_token token"
 +   ],
 +   "​userinfo_signing_alg_values_supported"​ : [
 +      "​none",​
 +      "​HS256",​
 +      "​HS384",​
 +      "​HS512",​
 +      "​RS256",​
 +      "​RS384",​
 +      "​RS512"​
 +   ],
 +   "​id_token_signing_alg_values_supported"​ : [
 +      "​none",​
 +      "​HS256",​
 +      "​HS384",​
 +      "​HS512",​
 +      "​RS256",​
 +      "​RS384",​
 +      "​RS512"​
 +   ],
 +   "​userinfo_endpoint"​ : "​http://​auth.example.com/​oauth2/​userinfo",​
 +   "​request_uri_parameter_supported"​ : "​true",​
 +   "​acr_values_supported"​ : [
 +      "​loa-4",​
 +      "​loa-1",​
 +      "​loa-3",​
 +      "​loa-5",​
 +      "​loa-2"​
 +   ],
 +   "​request_parameter_supported"​ : "​true",​
 +   "​subject_types_supported"​ : [
 +      "​public"​
 +   ],
 +   "​issuer"​ : "​http://​auth.example.com/",​
 +   "​grant_types_supported"​ : [
 +      "​authorization_code",​
 +      "​implicit",​
 +      "​hybrid"​
 +   ],
 +   "​authorization_endpoint"​ : "​http://​auth.example.com/​oauth2/​authorize",​
 +   "​check_session_iframe"​ : "​http://​auth.example.com/​oauth2/​checksession",​
 +   "​scopes_supported"​ : [
 +      "​openid",​
 +      "​profile",​
 +      "​email",​
 +      "​address",​
 +      "​phone"​
 +   ],
 +   "​require_request_uri_registration"​ : "​false",​
 +   "​registration_endpoint"​ : "​http://​auth.example.com/​oauth2/​register"​
 +}
 +</​file>​
 +
 +==== Configuration of Relying Party in LL::NG ====
 +
 +Go in Manager and click on ''​OpenID Connect Relying Parties'',​ then click on ''​Add OpenID Relying Party''​. Give a technical name (no spaces, no special characters),​ like “sample-rp”;​
 +
 +You can then access to the configuration of this RP. 
 +
 +=== Exported attributes ===
 +
 +You can map here the attribute names from the LL::NG session to an [[http://​openid.net/​specs/​openid-connect-core-1_0.html#​StandardClaims|OpenID Connect claim]]. ​
 +
 +{{section>​openidconnectclaims&​noheader}}
 +
 +So you can define for example:
 +  * name => cn
 +  * family_name => sn
 +  * email => mail
 +
 +<note important>​The specific ''​sub''​ attribute is not defined here, but in User attribute parameter (see below).</​note>​
 +
 +You can also define extra claims and link them to attributes (see below). Then you just have to define the mapping of this new attributes, for example:
 +  * birthplace => l
 +  * birthcountry => co
 +
 +=== Options ===
 +
 +  * **Authentication**:​
 +    * **Client ID**: Client ID for this RP
 +    * **Client secret**: Client secret for this RP (can be use for symmetric signature)
 +    * **Public client** (since version ''​2.0.4''​):​ set this RP as public client, so authentication is not needed on token endpoint
 +    * **Require PKCE** (since version ''​2.0.4''​):​ a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]])
 +   * **User attribute**:​ session field that will be used as main identifier (''​sub''​)
 +  * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​
 +  * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour.
 +  * **Force claims to be returned in ID Token**: This options will make user attributes from the requested scope appear as ID Token claims.
 +  * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour.
 +  * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute.
 +  * **Use refresh tokens**: If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid.
 +  * **Allow offline access**: After enabling this feature, an application may request the  **offline_access** scope, and will obtain a Refresh Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details. These offline sessions can be administered through the Session Browser.
 +  * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled.
 +  * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP
 +  * **Bypass consent**: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard.
 +
 +=== Extra claims ===
 +
 +Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​
 +
 +=== Macros ===
 +
 +You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
 +
 +=== Display ===
 +
 +  * **Display name**: Name of the RP application
 +  * **Logo**: Logo of the RP application