<div class="noteclassic">OpenID Connect is a protocol based on the REST, OAuth 2.0 and JOSE stacks. It is described here: <a href="http://openid.net/connect/" class="urlextern" title="http://openid.net/connect/" rel="nofollow">http://openid.net/connect/</a>.
</div>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID Connect Relying Party (RP) towards multiple OpenID Connect Providers (OP). It gets the user identity through an ID Token, and grabs user attributes through the UserInfo endpoint.
</p>
<p>
As an RP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports many OpenID Connect features:
</p>
<ul>
<li class="level1"><div class="li"> ID Token validation</div>
</li>
<li class="level1"><div class="li"> Get UserInfo as JSON or as JWT</div>
</li>
<li class="level1"><div class="li"> Logout on EndSession endpoint</div>
</li>
</ul>
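<p>
The first of those features, ID Token validation, is the step an RP has to get right. The following is an added example, not LemonLDAP::NG code, of what that validation involves, written in Python with the standard library only: it verifies an HS256 signature with the client secret (the symmetric case, where no JWKS is needed; an RS256 token would instead be checked against the key fetched from the OP's jwks_uri), then checks the iss, aud, exp and nonce claims and an optional maximum age, which correspond to the "Check JWT signature", "Use Nonce" and "ID Token max age" options described further down. The client ID, client secret, issuer and claim values are constructed for the example.
</p>

```python
"""ID Token validation as an OpenID Connect Relying Party (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for what the OP hands out at registration.
CLIENT_ID = "sample-rp"
CLIENT_SECRET = "constructed-client-secret-not-a-real-one"
ISSUER = "https://op.example.com"  # must equal the "issuer" field of the OP metadata


def b64url_decode(s: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_id_token(claims: dict, secret: str) -> str:
    """Produce an HS256-signed JWT. Plays the OP's role only to create test input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, secret, issuer, client_id, expected_nonce, max_age=None, now=None):
    """Return the claims of a valid ID token, or raise ValueError saying why it was refused.

    The checks correspond to the RP options on this page (JWT signature, Use Nonce,
    ID Token max age) plus the issuer, audience and expiry checks the spec requires.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the RP decides how to verify, the token's "alg" does not.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("several audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if max_age is not None and now - claims.get("iat", 0) > max_age:
        raise ValueError("token older than the configured ID Token max age")
    return claims


def id_token_ok(token, expected_nonce, now=None, max_age=None) -> bool:
    """Boolean wrapper around validate_id_token using the module constants."""
    try:
        validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, expected_nonce,
                          max_age=max_age, now=now)
        return True
    except ValueError:
        return False
```

<p>
The order matters: the signature is checked before any claim is read, so a token whose payload has been altered is refused without its contents ever being trusted, and the algorithm is fixed by the RP rather than taken from the token header.
</p>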
<p>
You can use this authentication module to link your <abbr title="LemonLDAP::NG">LL::NG</abbr> server to any OpenID Connect Provider. Here are some examples, with their specific documentation:
</p>
<div class="noteimportant">The OpenID Connect specification for logout propagation is not finished. A logout initiated by the Relying Party is forwarded to the OpenID Connect Provider, but a logout initiated by the Provider (or by another RP) is not propagated. LLNG will implement this when the <abbr title="specification">spec</abbr> is published.
</div>
<div class="notetip">As passwords will not be managed by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you can disable the <a href="portalmenu.html#menu_modules" class="wikilink1" title="documentation:2.0:portalmenu">menu password module</a>.
</div>
<p>
Then in <code>General Parameters</code> &gt; <code>Authentication modules</code> &gt; <code>OpenID Connect parameters</code>, you can set:
</p>
<ul>
<li class="level1"><div class="li"><strong>Authentication level</strong>: level of authentication to associate to this module</div>
</li>
<li class="level1"><div class="li"><strong>Callback GET parameter</strong>: name of the GET parameter used to intercept the callback (default: openidconnectcallback)</div>
</li>
<li class="level1"><div class="li"><strong>State session timeout</strong>: duration in seconds of a state session (used to keep state information between the authentication request and the authentication response) (default: 600)</div>
</li>
</ul>
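<p>
What a state session holds, and why it carries a timeout, as an added Python example that is not LemonLDAP::NG code: the RP mints a random state and nonce when it builds the authorization request, keeps them for at most the configured timeout (600 seconds, the default above), and on the callback accepts a state only if it is known, not expired and not already used. The OP endpoint, client ID and redirect URL (the portal URL with the openidconnectcallback parameter, assumed here to be set to 1) are constructed values.
</p>

```python
"""State and nonce handling on the Relying Party side (added example, standard library only)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode

STATE_SESSION_TIMEOUT = 600  # seconds, the default given for "State session timeout"


class StateStore:
    """In-memory stand-in for the RP's state sessions (constructed for this example).

    A state value is random, bound to one pending login, valid for a limited time and
    redeemable once: that is what stops a forged or replayed callback from completing
    a login the user never started.
    """

    def __init__(self, timeout=STATE_SESSION_TIMEOUT):
        self.timeout = timeout
        self._pending = {}  # state -> (created_at, nonce, url to send the user back to)

    def create(self, return_url, now=None):
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)  # later compared with the ID Token's nonce claim
        self._pending[state] = (now, nonce, return_url)
        return state, nonce

    def consume(self, state, now=None):
        """Return (nonce, return_url) for a live state, or None if unknown, expired or reused."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)  # pop: a second callback with the same state fails
        if entry is None:
            return None
        created_at, nonce, return_url = entry
        if now - created_at > self.timeout:
            return None
        return nonce, return_url


def build_authorization_url(authorization_endpoint, client_id, redirect_uri, state, nonce,
                            scope="openid profile"):
    """Authorization request for the code flow; the scope must include "openid"."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def handle_callback(query_string, store, now=None):
    """Process the OP's redirect back to the RP; return code, nonce and return URL or raise."""
    q = parse_qs(query_string)
    if "error" in q:
        raise ValueError(f"OP returned error {q['error'][0]!r}")
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    if not state or not code:
        raise ValueError("callback without code or state")
    pending = store.consume(state, now)
    if pending is None:
        raise ValueError("unknown, expired or already used state")
    nonce, return_url = pending
    # The caller now exchanges `code` at the token endpoint and checks the ID Token's
    # nonce claim against `nonce` before creating the user session.
    return {"code": code, "nonce": nonce, "return_url": return_url}


if __name__ == "__main__":
    store = StateStore()
    state, nonce = store.create("https://app.example.com/")
    print(build_authorization_url("https://op.example.com/authorize", "sample-rp",
                                  "https://auth.example.com/?openidconnectcallback=1", state, nonce))
    print(handle_callback(f"code=constructed-code&state={state}", store))
```

<p>
A short timeout bounds how long a pending login can be completed, and single-use redemption means a callback URL captured from logs or history cannot be replayed; both are lost if state is stored client-side without expiry.
</p>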
<h3 class="sectionedit8" id="register_llng_to_an_openid_connect_provider">Register LL::NG to an OpenID Connect Provider</h3>
<div class="level3">
<p>
To register <abbr title="LemonLDAP::NG">LL::NG</abbr>, you will need to give some information like the application name or logo. One mandatory piece of information is the redirect <abbr title="Uniform Resource Locator">URL</abbr> (one or many).
</p>
<p>
To know this information, just take the portal <abbr title="Uniform Resource Locator">URL</abbr> and the Callback GET parameter, for example:
</p>
<div class="noteimportant">If you use the <a href="authchoice.html" class="wikilink1" title="documentation:2.0:authchoice">choice backend</a>, you need to add the choice parameter in the redirect <abbr title="Uniform Resource Locator">URL</abbr>.
</div>
<p>
After registration, the OP must give you a client ID and a client secret, which will be used to configure the OP in <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
</div>
<h3 class="sectionedit9" id="declare_the_openid_connect_provider_in_llng">Declare the OpenID Connect Provider in LL::NG</h3>
<div class="level3">
<p>
In the Manager, select the node <code>OpenID Connect Providers</code> and click on <code>Add OpenID Connect Provider</code>. Give a technical name (no spaces, no special characters), like “sample-op”.
</p>
<p>
You can then access the configuration of this OP.
</p>
</div>
<h4 id="metadata">Metadata</h4>
<div class="level4">
<p>
The OP should publish its metadata in a JSON file (see for example <a href="https://accounts.google.com/.well-known/openid-configuration" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration" rel="nofollow">Google metadata</a>). Copy the content of this file into the textarea.
</p>
<p>
If no metadata is available, you need to write it in the textarea. Mandatory fields are:
</p>
<p>
JWKS is a JSON file containing public keys. <abbr title="LemonLDAP::NG">LL::NG</abbr> can fetch them automatically if jwks_uri is defined in the metadata. Otherwise you can paste the content of the JSON file in the textarea.
</p>
<div class="notetip">If the OpenID Connect Provider only uses symmetric encryption, JWKS data is not useful.
</div>
<p>
Define here the mapping between the <abbr title="LemonLDAP::NG">LL::NG</abbr> session content and the fields provided in the UserInfo response. The fields are defined in the <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">OpenID Connect standard</a>, and depend on the scope requested by <abbr title="LemonLDAP::NG">LL::NG</abbr> (see options in the next chapter).
</p>
<li class="level2"><div class="li"><strong>Configuration endpoint</strong>: <abbr title="Uniform Resource Locator">URL</abbr> of the OP configuration endpoint</div>
</li>
<li class="level2"><div class="li"><strong>JWKS data timeout</strong>: after this time, <abbr title="LemonLDAP::NG">LL::NG</abbr> will do a request to get a fresh version of the JWKS data. Set to 0 to disable it.</div>
</li>
<li class="level2"><div class="li"><strong>Client ID</strong>: Client ID given by the OP</div>
</li>
<li class="level2"><div class="li"><strong>Client secret</strong>: Client secret given by the OP</div>
</li>
<li class="level2"><div class="li"><strong>Store ID token</strong>: allows one to store the ID token (JWT) inside the user session. Don't enable it unless you need to replay this token on an application, or you need the id_token_hint parameter when using logout.</div>
</li>
<li class="level2"><div class="li"><strong>Scope</strong>: value of the scope parameter (example: openid profile). The <code>openid</code> scope is mandatory.</div>
</li>
<li class="level2"><div class="li"><strong>Display</strong>: value of the display parameter (example: page)</div>
</li>
<li class="level2"><div class="li"><strong>Prompt</strong>: value of the prompt parameter (example: consent)</div>
</li>
<li class="level2"><div class="li"><strong>Max age</strong>: value of the max_age parameter (example: 3600)</div>
</li>
<li class="level2"><div class="li"><strong>UI locales</strong>: value of the ui_locales parameter (example: en-GB en fr-FR fr)</div>
</li>
<li class="level2"><div class="li"><strong>ACR values</strong>: value of the acr_values parameter (example: loa-1)</div>
</li>
<li class="level2"><div class="li"><strong>Token endpoint authentication method</strong>: choice between <code>client_secret_post</code> and <code>client_secret_basic</code></div>
</li>
<li class="level2"><div class="li"><strong>Check JWT signature</strong>: set to 0 to disable JWT signature checking</div>
</li>
<li class="level2"><div class="li"><strong>ID Token max age</strong>: if defined, <abbr title="LemonLDAP::NG">LL::NG</abbr> will check the date of the ID token and refuse it if it is too old</div>
</li>
<li class="level2"><div class="li"><strong>Use Nonce</strong>: if enabled, a nonce will be sent, and verified against the ID Token</div>