Be sure that mod_rewrite is installed and that the OpenID Connect rewrite rules are activated in the <a href="configlocation.html#portal" class="wikilink1" title="documentation:2.0:configlocation">Apache portal configuration</a>:
<div class="notetip">You need to uncomment the rewrite rule on the Authorization header if you only have CGI enabled in your Apache server.
</div>
</div>
<h3 class="sectionedit4" id="nginx">Nginx</h3>
<div class="level3">
<p>
Be sure that the OpenID Connect rewrite rules are activated in the <a href="configlocation.html#portal1" class="wikilink1" title="documentation:2.0:configlocation">Nginx portal configuration</a>:
</p>
<ul>
<li class="level1"><div class="li"><strong>Keys</strong>: define the public/private key pair used for asymmetric signatures</div>
</li>
<li class="level1"><div class="li"><strong>Signing Key ID</strong>: ID of the signing key</div>
</li>
<li class="level1"><div class="li"><strong>Dynamic Registration</strong>: set to 1 to allow clients to register themselves. This may be a security risk, since every registration request creates a new configuration in the backend. You can limit this by protecting the registration endpoint with an authentication module in the web server and giving the credentials to clients.</div>
</li>
<li class="level1"><div class="li"><strong>Authorization Code flow</strong>: set to 1 to allow the Authorization Code flow</div>
</li>
<li class="level1"><div class="li"><strong>Implicit flow</strong>: set to 1 to allow the Implicit flow</div>
</li>
<li class="level1"><div class="li"><strong>Hybrid flow</strong>: set to 1 to allow the Hybrid flow</div>
</li>
</ul>
<p>
The OpenID Connect specification allows signing keys to be rotated to improve security. <abbr title="LemonLDAP::NG">LL::NG</abbr> provides a script to do this, which should be run from a cronjob.
</p>
<p>
The script is <code>/usr/share/lemonldap-ng/bin/rotateOidcKeys</code>. It can be run, for example, once a week:
<abbr title="LemonLDAP::NG">LL::NG</abbr> implements the change notification as defined here: <a href="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" class="urlextern" title="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" rel="nofollow">http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a>
</p>
<p>
A <code>changed</code> state is sent if the user has been disconnected from the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (or has deleted their <abbr title="Single Sign On">SSO</abbr> cookie). Otherwise the <code>unchanged</code> state is returned.
</p>
<div class="notetip">For this to work, the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie must be readable from JavaScript (the <code>httpOnly</code> option should be set to <code>0</code>).