Differences

documentation:latest:idpopenidconnect [2019/10/11 18:30]
127.0.0.1 external edit
documentation:latest:idpopenidconnect [2020/04/24 12:03] (current)
maxbes [Configuration of Relying Party in LL::NG]
Line 22: Line 22:
   * FrontChannel Logout   * FrontChannel Logout
   * BackChannel Logout   * BackChannel Logout
-  * PKCE (Since ''​2.0.4''​) +  * PKCE (Since ''​2.0.4''​) ​- See [[https://​tools.ietf.org/​html/​rfc7636|RFC 7636]] 
-  * Introspection endpoint (Since ''​2.0.6''​) +  * Introspection endpoint (Since ''​2.0.6''​) ​- See [[https://​tools.ietf.org/​html/​rfc7662|RFC 7662]] 
 +  * Offline access (Since ''​2.0.7''​) 
 +  * Refresh Tokens (Since ''​2.0.7''​)
 ===== Configuration ===== ===== Configuration =====
  
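Review bot: The two new feature lines in this hunk (Offline access and Refresh Tokens, both since ''2.0.7'') carry no specification reference, while the PKCE and Introspection lines in the same hunk just gained their RFC links; for consistency, point Refresh Tokens at RFC 6749 (the OAuth 2.0 framework, which defines refresh tokens) and Offline access at the OpenID Connect Core offline_access section (https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess), the same link this revision adds further down under **Allow offline access**.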
Line 122: Line 123:
 ==== Configuration of Relying Party in LL::NG ==== ==== Configuration of Relying Party in LL::NG ====
  
-Go in Manager and click on ''​OpenID Connect Relying Parties'',​ then click on ''​Add OpenID Relying Party''​. Give a technical ​name (no spaces, no special characters),​ like “sample-rp”;​+Go in Manager and click on ''​OpenID Connect Relying Parties'',​ then click on ''​Add OpenID Relying Party''​. Give a technical ​label (no spaces, no special characters),​ like “sample-rp”;​
  
 You can then access to the configuration of this RP.  You can then access to the configuration of this RP. 
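Review bot: Renaming "technical name" to "technical label" in this hunk leaves it unclear whether the value is a display string or the configuration key; since the constraint "(no spaces, no special characters)" only makes sense for an identifier, the sentence should say what the label is used for. Minor wording in the same lines: "Go in Manager" reads better as "Go to the Manager", the sentence ends with a stray semicolon after "sample-rp", and "You can then access to the configuration" should drop "to".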
Line 139: Line 140:
 <note important>​The specific ''​sub''​ attribute is not defined here, but in User attribute parameter (see below).</​note>​ <note important>​The specific ''​sub''​ attribute is not defined here, but in User attribute parameter (see below).</​note>​
  
-You can also define extra claims ​and link them to attributes (see below)Then you just have to define ​the mapping of this new attributesfor example+ 
-  * birthplace ​=> l +=== Extra Claims === 
-  birthcountry =co+ 
 +<note important>​By default, only claims ​that are part of standard OpenID Connect scopes will be sent to a clientIf you want to send a claim that is not in the OpenID Connect specificationyou need to declare it in the Extra Claims section</​note>​ 
 + 
 +If you want to make custom claims visible to OpenID Connect clients, you need to declare them in a scope. 
 + 
 +Add your additional scope as the **Key**, and a space-separated list of claims as the **Value**
 +  * timelord ​=> rebirth_count bloodline ​ 
 + 
 +In this example, an OpenID Client asking for the ''​timelord''​ scope will be able to read the ''​rebirth_count''​ and ''​bloodline''​ claims from the Userinfo endpoint. 
 + 
 +<note warning>​Any Claim defined in this section must be mapped to a LemonLDAP::​NG session attribute in the **Exported Attributes** section</​note>
  
 === Options === === Options ===
  
-  * **Authentication**:+  * **Basic**
     * **Client ID**: Client ID for this RP     * **Client ID**: Client ID for this RP
     * **Client secret**: Client secret for this RP (can be use for symmetric signature)     * **Client secret**: Client secret for this RP (can be use for symmetric signature)
     * **Public client** (since version ''​2.0.4''​):​ set this RP as public client, so authentication is not needed on token endpoint     * **Public client** (since version ''​2.0.4''​):​ set this RP as public client, so authentication is not needed on token endpoint
 +    * **Redirection addresses**:​ Space separated list of redirect addresses allowed for this RP
 +
 +  * **Advanced**
 +    * **Bypass consent**: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard.
 +    * **User attribute**:​ session field that will be used as main identifier (''​sub''​)
 +    * **Force claims to be returned in ID Token**: This options will make user attributes from the requested scope appear as ID Token claims.
 +    * **Additional audiences** (since version ''​2.0.8''​):​ You can specify a space-separate list of audiences that will be added the audiences of the ID Token
 +    * **Use refresh tokens** (since version ''​2.0.7''​):​ If this option is set, LemonLDAP::​NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid.
 +  * **Timeouts**
 +    * **Authorization Code expiration**:​ Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute.
 +    * **ID Token expiration**:​ Expiration time of ID Tokens. The default value is one hour.
 +    * **Access token expiration**:​ Expiration time of Access Tokens. The default value is one hour.
 +    * **Offline session expiration**:​ This sets the lifetime of the refresh token obtained with the **offline_access** scope. The default value is one month. This parameter only applies if offline sessions are enabled.
 +
 +
 +  * **Security**
 +    * **ID Token signature algorithm**:​ Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​
     * **Require PKCE** (since version ''​2.0.4''​):​ a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]])     * **Require PKCE** (since version ''​2.0.4''​):​ a code challenge is required at token endpoint (see [[https://​tools.ietf.org/​html/​rfc7636|RFC7636]])
-  ​* **Display**: +    ​* **Allow offline access** (since version ''​2.0.7''​)After enabling this feature, an application may request the  ​**offline_access** scope, and will obtain a Refresh Token that persists even after the user has logged off. See [[https://​openid.net/​specs/​openid-connect-core-1_0.html#​OfflineAccess]] for details. These offline sessions can be administered through ​the Session Browser. 
-    ​* **Display name**: Name of the RP application +     ​* **Allow OAuth2.0 Password Grant** (since version ''​2.0.8''​)Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module. 
-    * **Logo**: Logo of the RP application +     ​* **Access Rule**: lets you specify a [[rules_examples|Perl rule]] to restrict access to this client 
-  * **User attribute**: session field that will be used as main identifier (''​sub''​) +  * **Logout** 
-  * **ID Token signature algorithm**: Select one of ''​none'',​ ''​HS256'',​ ''​HS384'',​ ''​HS512'',​ ''​RS256'',​ ''​RS384'',​ ''​RS512''​ +    * **Allowed redirection addresses for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ''​post_logout_redirect_uri''​) 
-  * **ID Token expiration**: Expiration time of ID Tokens +    * **URL**: Specify the relying party'​s logout URL 
-  * **Access token expiration**: Expiration time of Access Tokens +    * **Type**: Type of Logout to perform (only Front-Channel is implemented ​for now) 
-  * **Redirection addresses**: Space separated list of redirect addresses allowed ​for this RP +    * **Session required**: Whether ​to send the Session ID in the logout request 
-  * **Bypass consent**: Enable if you never want to display ​the scope sharing consent screen (consent ​will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard.+ 
 +=== Macros === 
 + 
 +You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
  
-=== Extra claims ​===+=== Display ​===
  
-Associate attributes to extra claims if the RP request them, for example ''​birth''​ => ''​birthplace birthcountry''​+  * **Display name**: Name of the RP application 
 +  * **Logo**: Logo of the RP application
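Review bot: The new **Type** entry under **Logout** says "only Front-Channel is implemented for now", which contradicts the feature list in the Line 22 hunk of this same revision, where BackChannel Logout is advertised; one of the two should be corrected. In the **Security** block, the **ID Token signature algorithm** list offers ''none'' with no caveat; add a sentence that ''none'' produces unsigned ID Tokens that a client cannot verify and should not be selected outside testing. The **Allow OAuth2.0 Password Grant** entry contains a typo ("on by this client") and would benefit from a note that the Resource Owner Password Credentials grant hands the user's password to the client and is only appropriate for trusted, first-party applications. Smaller fixes in the surrounding lines: "can be use for symmetric signature" -> "can be used for symmetric signature", "This options will make" -> "This option makes", "will be added the audiences" -> "will be added to the audiences", "space-separate list" -> "space-separated list", and the double blank line before **Security** should collapse to one. Finally, the removed "Extra claims" example (''birth'' => ''birthplace birthcountry'') showed the claim-to-attribute side of the mapping; the new Extra Claims section only states in its warning that claims must be mapped in **Exported Attributes**, so a short example of that mapping would help readers who relied on the old text.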