<!DOCTYPE html>
< html lang = "en" dir = "ltr" >
< head >
< meta charset = "utf-8" / >
< title > documentation:2.0:idpopenidconnect< / title >
< meta name = "generator" content = "DokuWiki" / >
< meta name = "robots" content = "index,follow" / >
< meta name = "keywords" content = "documentation,2.0,idpopenidconnect" / >
< link rel = "search" type = "application/opensearchdescription+xml" href = "lib/exe/opensearch.html" title = "LemonLDAP::NG" / >
< link rel = "start" href = "idpopenidconnect.html" / >
< link rel = "contents" href = "idpopenidconnect.html" title = "Sitemap" / >
< link rel = "stylesheet" type = "text/css" href = "lib/exe/css.php.t.bootstrap3.css" / >
<!-- //if:usedebianlibs
< link rel = "stylesheet" type = "text/css" href = "/javascript/bootstrap/css/bootstrap.min.css" / >
//elsif:useexternallibs
< link rel = "stylesheet" type = "text/css" href = "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" / >
//elsif:cssminified
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.min.css" / >
//else -->
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.css" / >
<!-- //endif -->
< script type = "text/javascript" > /*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:idpopenidconnect","namespace":"documentation:2.0"};
/*!]]>*/< / script >
< script type = "text/javascript" charset = "utf-8" src = "lib/exe/js.php.t.bootstrap3.js" > < / script >
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery/jquery.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/jquery-2.2.0.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.js" > < / script >
<!-- //endif -->
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery-ui/jquery-ui.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/ui/1.10.4/jquery-ui.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.js" > < / script >
<!-- //endif -->
< / head >
< body >
< div class = "dokuwiki export container" >
<!-- TOC START -->
< div id = "dw__toc" >
< h3 class = "toggle" > Table of Contents< / h3 >
< div >
< ul class = "toc" >
< li class = "level1" > < div class = "li" > < a href = "#presentation" > Presentation< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#configuration" > Configuration< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#openid_connect_service" > OpenID Connect Service< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#issuerdb" > IssuerDB< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_llng_in_relying_party" > Configuration of LL::NG in Relying Party< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_relying_party_in_llng" > Configuration of Relying Party in LL::NG< / a > < / div >
< ul class = "toc" >
< li class = "level3" > < div class = "li" > < a href = "#exported_attributes" > Exported attributes< / a > < / div > < / li >
< li class = "level3" > < div class = "li" > < a href = "#options" > Options< / a > < / div > < / li >
< li class = "level3" > < div class = "li" > < a href = "#extra_claims" > Extra claims< / a > < / div > < / li >
< / ul > < / li >
< / ul > < / li >
< / ul >
< / div >
< / div >
<!-- TOC END -->
< h1 class = "sectionedit1" id = "openid_connect_provider" > OpenID Connect Provider< / h1 >
< div class = "level1" >
< / div >
<!-- EDIT1 SECTION "OpenID Connect Provider" [1 - 39] -->
< h2 class = "sectionedit2" id = "presentation" > Presentation< / h2 >
< div class = "level2" >
< div class = "noteclassic" > OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: < a href = "http://openid.net/connect/" class = "urlextern" title = "http://openid.net/connect/" rel = "nofollow" > http://openid.net/connect/< / a > .
< / div >
< p >
< abbr title = "LemonLDAP::NG" > LL::NG< / abbr > can act as an OpenID Connect Provider (OP). It answers OpenID Connect requests to provide the user's identity (through the ID Token) and information (through the UserInfo endpoint).
< / p >
< p >
As an OP, < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > supports many OpenID Connect features:
< / p >
< ul >
< li class = "level1" > < div class = "li" > Authorization Code, Implicit and Hybrid flows< / div >
< / li >
< li class = "level1" > < div class = "li" > Publication of JSON metadata and JWKS data (Discovery)< / div >
< / li >
< li class = "level1" > < div class = "li" > < code > prompt< / code > , < code > display< / code > , < code > ui_locales< / code > , < code > max_age< / code > parameters< / div >
< / li >
< li class = "level1" > < div class = "li" > Extra claims definition< / div >
< / li >
< li class = "level1" > < div class = "li" > Authentication context Class References (ACR)< / div >
< / li >
< li class = "level1" > < div class = "li" > Nonce< / div >
< / li >
< li class = "level1" > < div class = "li" > Dynamic registration< / div >
< / li >
< li class = "level1" > < div class = "li" > Access Token Hash generation< / div >
< / li >
< li class = "level1" > < div class = "li" > ID Token signature (HS256/HS384/HS512/RS256/RS384/RS512)< / div >
< / li >
< li class = "level1" > < div class = "li" > UserInfo end point, as JSON or as JWT< / div >
< / li >
< li class = "level1" > < div class = "li" > Request and Request < abbr title = "Uniform Resource Identifier" > URI< / abbr > < / div >
< / li >
< li class = "level1" > < div class = "li" > Session management< / div >
< / li >
< / ul >
< / div >
<!-- EDIT2 SECTION "Presentation" [40 - 922] -->
< h2 class = "sectionedit3" id = "configuration" > Configuration< / h2 >
< div class = "level2" >
< / div >
<!-- EDIT3 SECTION "Configuration" [923 - 949] -->
< h3 class = "sectionedit4" id = "openid_connect_service" > OpenID Connect Service< / h3 >
< div class = "level3" >
< p >
See < a href = "openidconnectservice.html" class = "wikilink1" title = "documentation:2.0:openidconnectservice" > OpenID Connect service< / a > configuration chapter.
< / p >
< / div >
<!-- EDIT4 SECTION "OpenID Connect Service" [950 - 1059] -->
< h3 class = "sectionedit5" id = "issuerdb" > IssuerDB< / h3 >
< div class = "level3" >
< p >
Go to < code > General Parameters< / code > » < code > Issuer modules< / code > » < code > OpenID Connect< / code > and configure:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < strong > Activation< / strong > : set to < code > On< / code > .< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > Path< / strong > : keep < code > ^/oauth2/< / code > unless you need to use another path (in which case you need to adapt the Apache configuration).< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > Use rule< / strong > : a rule that decides whether a user may use this module; set to < code > 1< / code > to always allow.< / div >
< / li >
< / ul >
< div class = "notetip" > For example, to allow only users with a strong authentication level:
< pre class = "code" > $authenticationLevel > 2< / pre >
< / div >
< / div >
<!-- EDIT5 SECTION "IssuerDB" [1060 - 1545] -->
< h3 class = "sectionedit6" id = "configuration_of_llng_in_relying_party" > Configuration of LL::NG in Relying Party< / h3 >
< div class = "level3" >
< p >
Each Relying Party has its own way of being configured. < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > publishes its OpenID Connect metadata to ease client configuration.
< / p >
< p >
The metadata can be found at the standard “Well Known” < abbr title = "Uniform Resource Locator" > URL< / abbr > : < a href = "http://auth.example.com/.well-known/openid-configuration" class = "urlextern" title = "http://auth.example.com/.well-known/openid-configuration" rel = "nofollow" > http://auth.example.com/.well-known/openid-configuration< / a >
< / p >
< p >
An example of its content:
< / p >
< pre class = "code file javascript" > < span class = "br0" > { < / span >
  < span class = "st0" > "end_session_endpoint" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/oauth2/logout" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "jwks_uri" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/oauth2/jwks" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "token_endpoint_auth_methods_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "client_secret_post" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "client_secret_basic" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "token_endpoint" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/oauth2/token" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "response_types_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "code" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "id_token" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "id_token token" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "code id_token" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "code token" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "code id_token token" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "userinfo_signing_alg_values_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "none" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "HS256" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "HS384" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "HS512" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "RS256" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "RS384" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "RS512" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "id_token_signing_alg_values_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "none" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "HS256" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "HS384" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "HS512" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "RS256" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "RS384" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "RS512" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "userinfo_endpoint" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/oauth2/userinfo" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "request_uri_parameter_supported" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "true" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "acr_values_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "loa-4" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "loa-1" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "loa-3" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "loa-5" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "loa-2" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "request_parameter_supported" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "true" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "subject_types_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "public" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "issuer" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "grant_types_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "authorization_code" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "implicit" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "hybrid" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "authorization_endpoint" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/oauth2/authorize" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "check_session_iframe" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/oauth2/checksession" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "scopes_supported" < / span > < span class = "sy0" > :< / span > < span class = "br0" > [ < / span >
    < span class = "st0" > "openid" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "profile" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "email" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "address" < / span > < span class = "sy0" > ,< / span >
    < span class = "st0" > "phone" < / span >
  < span class = "br0" > ] < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "require_request_uri_registration" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "false" < / span > < span class = "sy0" > ,< / span >
  < span class = "st0" > "registration_endpoint" < / span > < span class = "sy0" > :< / span > < span class = "st0" > "http://auth.example.com/oauth2/register" < / span >
< span class = "br0" > } < / span > < / pre >
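< p >
A Relying Party operator can review the published metadata before wiring a client to it. The Python sketch below is an added example, not LL::NG code: < code > audit_discovery< / code > and its finding codes are hypothetical names, and the sample input is a trimmed copy of the metadata shown above. It checks that the issuer matches the discovery URL, that every published URL uses TLS and stays on the issuer's host, whether unsigned ID Tokens are offered, and which response types return tokens through the browser.
< / p >

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Trimmed copy of the example metadata shown above (same values, fewer keys).
SAMPLE_METADATA = json.loads("""{
  "issuer": "http://auth.example.com/",
  "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
  "token_endpoint": "http://auth.example.com/oauth2/token",
  "userinfo_endpoint": "http://auth.example.com/oauth2/userinfo",
  "jwks_uri": "http://auth.example.com/oauth2/jwks",
  "request_parameter_supported": "true",
  "response_types_supported": ["code", "id_token", "id_token token",
                               "code id_token", "code token",
                               "code id_token token"],
  "id_token_signing_alg_values_supported": ["none", "HS256", "HS384",
                                            "HS512", "RS256", "RS384", "RS512"]
}""")


def audit_discovery(metadata, fetched_from):
    """Return (severity, code, detail) findings for a discovery document."""
    findings = []
    issuer = metadata.get("issuer", "")

    # The issuer must be the identifier the document was discovered under,
    # otherwise another party could be supplying the endpoints.
    if issuer.rstrip("/") + WELL_KNOWN != fetched_from:
        findings.append(("high", "issuer-mismatch", issuer))

    issuer_host = urlsplit(issuer).netloc
    for key, value in sorted(metadata.items()):
        if not isinstance(value, str) or "://" not in value:
            continue  # lists and flags such as "true" are not URLs
        url = urlsplit(value)
        if url.scheme != "https":
            # Codes, tokens and the client secret would travel in clear text.
            findings.append(("high", "no-tls", key))
        if url.netloc != issuer_host:
            findings.append(("medium", "foreign-host", key))

    # "none" means the OP can issue unsigned ID Tokens; the RP must pin a
    # signed algorithm rather than accept whatever the token header says.
    if "none" in metadata.get("id_token_signing_alg_values_supported", []):
        findings.append(("medium", "alg-none-offered",
                         "id_token_signing_alg_values_supported"))

    # Every response type other than plain "code" returns a token in the
    # authorization response, i.e. through the user's browser.
    front = [rt for rt in metadata.get("response_types_supported", [])
             if set(rt.split()) & {"token", "id_token"}]
    if front:
        findings.append(("info", "front-channel-tokens", ", ".join(front)))
    return findings


if __name__ == "__main__":
    url = "http://auth.example.com" + WELL_KNOWN
    for severity, code, detail in audit_discovery(SAMPLE_METADATA, url):
        print(f"{severity:6} {code:22} {detail}")
```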
< / div >
<!-- EDIT6 SECTION "Configuration of LL::NG in Relying Party" [1546 - 3524] -->
< h3 class = "sectionedit7" id = "configuration_of_relying_party_in_llng" > Configuration of Relying Party in LL::NG< / h3 >
< div class = "level3" >
< p >
Go to the Manager and click on < code > OpenID Connect Relying Parties< / code > , then click on < code > Add OpenID Relying Party< / code > . Give it a technical name (no spaces, no special characters), such as “sample-rp”.
< / p >
< p >
You can then access the configuration of this RP.
< / p >
< / div >
< h4 id = "exported_attributes" > Exported attributes< / h4 >
< div class = "level4" >
< p >
You can map here the attribute names from the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > session to an < a href = "http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class = "urlextern" title = "http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel = "nofollow" > OpenID Connect claim< / a > .
< / p >
< / div >
<!-- EDIT8 PLUGIN_INCLUDE_START_NOREDIRECT "documentation:2.0:openidconnectclaims" [0 - ] --> < div class = "plugin_include_content plugin_include__documentation:2.0:openidconnectclaims" id = "plugin_include__documentation__2.0__openidconnectclaims" >
< div class = "level1" >
< div class = "table sectionedit10" > < table class = "inline table table-bordered table-striped" >
< thead >
< tr class = "row0 roweven" >
< th class = "col0" > Claim name < / th > < th class = "col1" > Type < / th > < th class = "col2" > Example of corresponding LDAP attribute < / th >
< / tr >
< / thead >
< tr class = "row1 rowodd" >
< td class = "col0" > sub < / td > < td class = "col1" > string < / td > < td class = "col2" > uid < / td >
< / tr >
< tr class = "row2 roweven" >
< td class = "col0" > name < / td > < td class = "col1" > string < / td > < td class = "col2" > cn < / td >
< / tr >
< tr class = "row3 rowodd" >
< td class = "col0" > given_name < / td > < td class = "col1" > string < / td > < td class = "col2" > givenName < / td >
< / tr >
< tr class = "row4 roweven" >
< td class = "col0" > family_name < / td > < td class = "col1" > string < / td > < td class = "col2" > sn < / td >
< / tr >
< tr class = "row5 rowodd" >
< td class = "col0" > middle_name < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row6 roweven" >
< td class = "col0" > nickname < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row7 rowodd" >
< td class = "col0" > preferred_username < / td > < td class = "col1" > string < / td > < td class = "col2" > displayName < / td >
< / tr >
< tr class = "row8 roweven" >
< td class = "col0" > profile < / td > < td class = "col1" > string < / td > < td class = "col2" > labeledURI < / td >
< / tr >
< tr class = "row9 rowodd" >
< td class = "col0" > picture < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row10 roweven" >
< td class = "col0" > website < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row11 rowodd" >
< td class = "col0" > email < / td > < td class = "col1" > string < / td > < td class = "col2" > mail < / td >
< / tr >
< tr class = "row12 roweven" >
< td class = "col0" > email_verified < / td > < td class = "col1" > boolean < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row13 rowodd" >
< td class = "col0" > gender < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row14 roweven" >
< td class = "col0" > birthdate < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row15 rowodd" >
< td class = "col0" > zoneinfo < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row16 roweven" >
< td class = "col0" > locale < / td > < td class = "col1" > string < / td > < td class = "col2" > preferredLanguage < / td >
< / tr >
< tr class = "row17 rowodd" >
< td class = "col0" > phone_number < / td > < td class = "col1" > string < / td > < td class = "col2" > telephoneNumber < / td >
< / tr >
< tr class = "row18 roweven" >
< td class = "col0" > phone_number_verified < / td > < td class = "col1" > boolean < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row19 rowodd" >
< td class = "col0" > updated_at < / td > < td class = "col1" > string < / td > < td class = "col2" > < / td >
< / tr >
< tr class = "row20 roweven" >
< td class = "col0" > formatted < / td > < td class = "col1" > string < / td > < td class = "col2" > registeredAddress < / td >
< / tr >
< tr class = "row21 rowodd" >
< td class = "col0" > street_address < / td > < td class = "col1" > string < / td > < td class = "col2" > street < / td >
< / tr >
< tr class = "row22 roweven" >
< td class = "col0" > locality < / td > < td class = "col1" > string < / td > < td class = "col2" > l < / td >
< / tr >
< tr class = "row23 rowodd" >
< td class = "col0" > region < / td > < td class = "col1" > string < / td > < td class = "col2" > st < / td >
< / tr >
< tr class = "row24 roweven" >
< td class = "col0" > postal_code < / td > < td class = "col1" > string < / td > < td class = "col2" > postalCode < / td >
< / tr >
< tr class = "row25 rowodd" >
< td class = "col0" > country < / td > < td class = "col1" > string < / td > < td class = "col2" > co < / td >
< / tr >
< / table > < / div >
<!-- EDIT10 TABLE [38 - 861] -->
< / div >
<!-- EDIT9 PLUGIN_INCLUDE_END "documentation:2.0:openidconnectclaims" [0 - ] --> < / div >
< div class = "level4" >
< p >
So you can define for example:
< / p >
< ul >
< li class = "level1" > < div class = "li" > name ⇒ cn< / div >
< / li >
< li class = "level1" > < div class = "li" > family_name ⇒ sn< / div >
< / li >
< li class = "level1" > < div class = "li" > email ⇒ mail< / div >
< / li >
< / ul >
< div class = "noteimportant" > The specific < code > sub< / code > attribute is not defined here, but in the User attribute parameter (see below).
< / div >
< p >
You can also define extra claims and link them to attributes (see below). Then you just have to define the mapping of these new attributes, for example:
< / p >
< ul >
< li class = "level1" > < div class = "li" > birthplace ⇒ l< / div >
< / li >
< li class = "level1" > < div class = "li" > birthcountry ⇒ co< / div >
< / li >
< / ul >
< / div >
< h4 id = "options" > Options< / h4 >
< div class = "level4" >
< ul >
< li class = "level1" > < div class = "li" > < strong > Authentication< / strong > :< / div >
< ul >
< li class = "level2" > < div class = "li" > < strong > Client ID< / strong > : Client ID for this RP< / div >
< / li >
< li class = "level2" > < div class = "li" > < strong > Client secret< / strong > : Client secret for this RP (can be used for symmetric signature)< / div >
< / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < strong > Display< / strong > :< / div >
< ul >
< li class = "level2" > < div class = "li" > < strong > Display name< / strong > : Name of the RP application< / div >
< / li >
< li class = "level2" > < div class = "li" > < strong > Logo< / strong > : Logo of the RP application< / div >
< / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < strong > User attribute< / strong > : session field that will be used as main identifier (< code > sub< / code > )< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > ID Token signature algorithm< / strong > : Select one of < code > none< / code > , < code > HS256< / code > , < code > HS384< / code > , < code > HS512< / code > , < code > RS256< / code > , < code > RS384< / code > , < code > RS512< / code > < / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > ID Token expiration< / strong > : Expiration time of ID Tokens< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > Access token expiration< / strong > : Expiration time of Access Tokens< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > Redirection addresses< / strong > : Space separated list of redirect addresses allowed for this RP< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > Bypass consent< / strong > : Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is < strong > not< / strong > compliant with the OpenID Connect standard.< / div >
< / li >
< / ul >
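< p >
The signature algorithm, client secret, expiration and nonce options above only protect the RP if the RP checks them. The Python sketch below is an added example of that RP-side validation for a symmetric (HS*) configuration, not LL::NG code: the function names, the secret, the nonce and the claim values are constructed for the demonstration. The algorithm is pinned to the value configured for the RP, so a token whose header says < code > none< / code > or a different HS variant is refused before any signature check.
< / p >

```python
import base64
import hashlib
import hmac
import json
import time

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384,
              "HS512": hashlib.sha512}

# Constructed sample values (not from a real deployment).
SAMPLE_SECRET = "constructed-client-secret"
SAMPLE_CLAIMS = {"iss": "http://auth.example.com/", "sub": "dwho",
                 "aud": "sample-rp", "exp": 2000, "nonce": "n-0S6_WzA2Mj"}
EXPECT = dict(expected_alg="HS256", client_id="sample-rp",
              client_secret=SAMPLE_SECRET, issuer="http://auth.example.com/",
              nonce="n-0S6_WzA2Mj", now=1000)


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_sample_token(claims, secret, alg="HS256"):
    """Build a constructed ID Token; alg 'none' yields an empty signature."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{head}.{body}."
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), HS_DIGESTS[alg])
    return f"{head}.{body}.{b64url_encode(mac.digest())}"


def verify_id_token(token, *, expected_alg, client_id, client_secret,
                    issuer, nonce, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("JWT parts must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the RP's configured one; never trust the header.
    if expected_alg not in HS_DIGESTS or header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    mac = hmac.new(client_secret.encode(), f"{head_b64}.{body_b64}".encode(),
                   HS_DIGESTS[expected_alg])
    if not hmac.compare_digest(signature, mac.digest()):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def verdict(token, **expect):
    """Return 'ok' or the reason the token was refused."""
    try:
        verify_id_token(token, **expect)
        return "ok"
    except ValueError as err:
        return str(err)
```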
< / div >
< h4 id = "extra_claims" > Extra claims< / h4 >
< div class = "level4" >
< p >
Associate attributes with extra claims if the RP requests them, for example < code > birth< / code > ⇒ < code > birthplace birthcountry< / code >
< / p >
< / div >
<!-- EDIT7 SECTION "Configuration of Relying Party in LL::NG" [3525 - ] --> < / div >
< / body >
< / html >