Fix typos in OIDC doc
This commit is contained in:
parent
edcbb25c4a
commit
01eb5eafa0
|
@ -105,11 +105,10 @@ In ``General Parameters`` > ``Authentication modules``, set:
|
|||
Then in ``General Parameters`` > ``Authentication modules`` >
|
||||
``OpenID Connect parameters``, you can set:
|
||||
|
||||
- **Authentication level**: level of authentication to associate to
|
||||
this module
|
||||
- **Callback GET parameter**: name of GET parameter used to intercept
|
||||
- **Authentication level**: Authentication level associated to this module
|
||||
- **Callback GET parameter**: Name of the GET parameter used for intercepting
|
||||
callback (default: openidconnectcallback)
|
||||
- **State session timeout**: duration of a state session (used to keep
|
||||
- **State session timeout**: Duration of a state session (used for keeping
|
||||
state information between authentication request and authentication
|
||||
response) in seconds (default: 600)
|
||||
|
||||
|
@ -119,7 +118,8 @@ Register LL::NG to an OpenID Connect Provider
|
|||
To register LL::NG, you will need to give some information like
|
||||
application name or logo.
|
||||
|
||||
You will be asked to provide a *Redirect URI* for LemonLDAP::NG, which is constructed by appending the ``openidconnectcallback=1`` parameter to the Portal URL.
|
||||
You will be asked to provide a *Redirect URI* for LL::NG, which is constructed
|
||||
by appending the ``openidconnectcallback=1`` parameter to the Portal URL.
|
||||
|
||||
For example:
|
||||
|
||||
|
@ -139,8 +139,8 @@ Declare the OpenID Connect Provider in LL::NG
|
|||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
In the Manager, select node ``OpenID Connect Providers`` and click on
|
||||
``Add OpenID Connect Provider``. Give a technical name (no spaces, no
|
||||
special characters), like "sample-op";
|
||||
``Add OpenID Connect Provider``. Set a technical name (without space or
|
||||
special character) like "sample-op".
|
||||
|
||||
You can then access to the configuration of this OP.
|
||||
|
||||
|
@ -195,12 +195,10 @@ content of the JSON file in the textarea.
|
|||
Exported attributes
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Define here the mapping between the LL::NG session content and the
|
||||
fields provided in UserInfo response. The fields are defined in `OpenID
|
||||
Connect
|
||||
standard <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__,
|
||||
and depends on the scope requested by LL::NG (see options in next
|
||||
chapter).
|
||||
Define here mapping between LL::NG session content and fields
|
||||
provided in UserInfo endpoint response. The fields are defined in
|
||||
`OpenID Connect standard <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__,
|
||||
and depends on the scope requested by LL::NG (see options in next chapter).
|
||||
|
||||
So you can define for example:
|
||||
|
||||
|
|
|
@ -12,9 +12,9 @@ Presentation
|
|||
|
||||
LL::NG can act as an OpenID Connect Provider (OP). It will answer to
|
||||
OpenID Connect requests to give user identity (through ID Token) and
|
||||
information (through User Info end point).
|
||||
information (through UserInfo endpoint).
|
||||
|
||||
As an OP, LL::NG supports a lot of OpenID Connect features:
|
||||
As an OP, LL::NG supports many OpenID Connect features:
|
||||
|
||||
- Authorization Code, Implicit and Hybrid flows
|
||||
- Publication of JSON metadata and JWKS data (Discovery)
|
||||
|
@ -51,10 +51,10 @@ IssuerDB
|
|||
Go in ``General Parameters`` » ``Issuer modules`` » ``OpenID Connect``
|
||||
and configure:
|
||||
|
||||
- **Activation**: set to ``On``.
|
||||
- **Path**: keep ``^/oauth2/`` unless you need to use another path
|
||||
- **Use rule**: a rule to allow user to use this module, set to ``1``
|
||||
to always allow.
|
||||
- **Activation**: set to ``On``
|
||||
- **Path**: Keep ``^/oauth2/`` unless you need to use another path
|
||||
- **Use rule**: Rule to allow user to use this module, set to ``1``
|
||||
to always allow
|
||||
|
||||
|
||||
.. tip::
|
||||
|
@ -71,13 +71,13 @@ and configure:
|
|||
Configuration of LL::NG in Relying Party
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Each Relying Party has its own configuration way. LL::NG publish its
|
||||
OpenID Connect metadata to ease the configuration of client.
|
||||
Each Relying Party has its own configuration way. LL::NG exposes
|
||||
its OpenID Connect metadata to help clients configuration.
|
||||
|
||||
The metadata can be found at the standard "Well Known" URL:
|
||||
Metadata can be downloaded at the standard "Well Known" URL:
|
||||
http://auth.example.com/.well-known/openid-configuration
|
||||
|
||||
An example of its content:
|
||||
OIDC metadata example:
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
|
@ -162,14 +162,15 @@ Exported attributes
|
|||
|
||||
.. warning::
|
||||
|
||||
By default, only `standard OpenID Connect claims <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__ are exposed to applications. If you want to add non-standard attributes, you must create a new scope in the *Scope values content* section and make your application request it.
|
||||
By default, only `standard OpenID Connect claims <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__
|
||||
are exposed to applications. If you want to add non-standard attributes, you have to create a new scope in the *Scope values content* section and your application must request it.
|
||||
|
||||
For each OpenID Connect attribute you want to release to applications, you can define:
|
||||
|
||||
* **Claim name**: the name of the attribute as it will appear in Userinfo responses
|
||||
* **Variable name**: the name of the LemonLDAP::NG session variable containing the attribute value
|
||||
* **Type**: the data type of the attribute. By default, a string. Choosing integer or boolean will make the attribute appear as the corresponding JSON type.
|
||||
* **Array**: choose how to process multi-valued attributes
|
||||
* **Claim name**: Name of the attribute as it will appear in Userinfo responses
|
||||
* **Variable name**: Name of the LemonLDAP::NG session variable containing the attribute value
|
||||
* **Type**: Attribute data type. By default, it is a string. Choosing integer or boolean will make the attribute appear as the corresponding JSON type.
|
||||
* **Array**: Select how multi-valued attributes are processed
|
||||
|
||||
* **Auto**: If the session key contains a single value, it will be released as a JSON number, string or boolean, depending on the previously specified type. If the session key contains multiple values, it will be released as an array of numbers, strings or booleans.
|
||||
* **Always**: Return an array even if the attribute only contains one value
|
||||
|
@ -178,8 +179,7 @@ For each OpenID Connect attribute you want to release to applications, you can d
|
|||
|
||||
.. attention::
|
||||
|
||||
The specific ``sub`` attribute is not defined here, but
|
||||
in User attribute parameter (see below).
|
||||
The specific ``sub`` attribute is not defined here, but in User attribute parameter (see below).
|
||||
|
||||
|
||||
.. _oidcextraclaims:
|
||||
|
@ -187,7 +187,7 @@ For each OpenID Connect attribute you want to release to applications, you can d
|
|||
Scope values content
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
By default, LemonLDAP::NG already defines the following scope-to-attribute map:
|
||||
By default, the following scope-to-attributes are mapped by LL::NG:
|
||||
|
||||
.. csv-table::
|
||||
:header: "Scope value", "Attribute list"
|
||||
|
@ -199,23 +199,21 @@ By default, LemonLDAP::NG already defines the following scope-to-attribute map:
|
|||
address; street_address locality region postal_code country
|
||||
phone; phone_number phone_number_verified
|
||||
|
||||
If you want to make custom attribute visible to OpenID Connect clients, you
|
||||
need to declare them in a new scope in this section.
|
||||
If you want to expose custom attributes to OpenID Connect clients,
|
||||
you have to declare them in a new scope in this section.
|
||||
|
||||
Add your additional scope as the **Key**, and a space-separated list of
|
||||
attribute as the **Value**:
|
||||
Add your additional scope as **Key**, and a space-separated list of
|
||||
attribute as **Value**:
|
||||
|
||||
- `employment_info` => `position company`
|
||||
|
||||
In this example, an OpenID Client asking for the ``employment_info`` scope will
|
||||
be able to read the ``company`` and ``position`` attribute from the
|
||||
Userinfo endpoint.
|
||||
In this example, an OpenID Client requesting for the ``employment_info`` scope will
|
||||
be able to read the ``company`` and ``position`` attribute from the UserInfo endpoint.
|
||||
|
||||
.. important::
|
||||
|
||||
Any attribute defined in this section must be mapped to a
|
||||
LemonLDAP::NG session variable in the **Exported Attributes**
|
||||
section
|
||||
LL::NG session variable in the **Exported Attributes** section
|
||||
|
||||
.. important::
|
||||
|
||||
|
@ -233,9 +231,9 @@ Scope Rules
|
|||
.. versionadded:: 2.0.12
|
||||
|
||||
|beta| This feature may change in a future version in a way that breaks
|
||||
compatibility with existing configuration
|
||||
compatibility with existing configuration.
|
||||
|
||||
By default, LemonLDAP::NG grants all scopes requested by the application, as
|
||||
By default, LL::NG grants all scopes requested by the application, as
|
||||
long as the user consents to them.
|
||||
|
||||
This configuration screen allows you to change that behavior by attaching
|
||||
|
@ -268,11 +266,11 @@ Options
|
|||
- **Basic**
|
||||
|
||||
- **Client ID**: Client ID for this RP
|
||||
- **Client secret**: Client secret for this RP (can be use for
|
||||
- **Client secret**: Client secret for this RP (can be used for
|
||||
symmetric signature)
|
||||
- **Public client** (since version ``2.0.4``): set this RP as public
|
||||
client, so authentication is not needed on token endpoint
|
||||
- **Redirection addresses**: Space separated list of redirect
|
||||
- **Public client** (since version ``2.0.4``): Set this RP as public
|
||||
client, so authentication is not needed on tokens endpoint
|
||||
- **Redirection addresses**: Space-separated list of redirect
|
||||
addresses allowed for this RP
|
||||
|
||||
- **Advanced**
|
||||
|
@ -284,22 +282,21 @@ Options
|
|||
- **User attribute**: Session field that will be used as main
|
||||
identifier (``sub``). Default value is ``whatToTrace``.
|
||||
- **Force claims to be returned in ID Token**: This options will
|
||||
make user attributes from the requested scope appear as ID Token
|
||||
claims.
|
||||
make user attributes from the requested scope appear as ID Token claims
|
||||
- **Use JWT format for Access Token** (since version ``2.0.12``): When
|
||||
using this option, Access Tokens will use the JWT format, which means they
|
||||
can be verified by external OAuth2.0 resource servers without using the
|
||||
introspection or userinfo endpoint.
|
||||
Introspection or UserInfo endpoint.
|
||||
- **Release claims in Access Token** (since version ``2.0.12``): If Access
|
||||
Tokens are in JWT format, this option lets you release the claims defined
|
||||
in the *Extra Claims* section inside the Access Token itself.
|
||||
in the *Extra Claims* section inside the Access Token itself
|
||||
- **Additional audiences** (since version ``2.0.8``): You can
|
||||
specify a space-separate list of audiences that will be added the
|
||||
audiences of the ID Token
|
||||
specify a space-separated list of audiences that will be added to the
|
||||
ID Token audiences
|
||||
- **Use refresh tokens** (since version ``2.0.7``): If this option
|
||||
is set, LemonLDAP::NG will issue a Refresh Token that can be used
|
||||
is enabled, LL::NG will issue a Refresh Token that can be used
|
||||
to obtain new access tokens as long as the user session is still
|
||||
valid.
|
||||
valid
|
||||
|
||||
- **Security**
|
||||
|
||||
|
@ -310,9 +307,8 @@ Options
|
|||
- **Userinfo response format** (since version ``2.0.12``): By default,
|
||||
UserInfo is returned as a simple JSON object. You can also choose to
|
||||
return it as a JWT, using one of the available signature algorithms.
|
||||
- **Require PKCE** (since version ``2.0.4``): a code challenge is
|
||||
required at token endpoint (see
|
||||
:rfc:`7636`)
|
||||
- **Require PKCE** (since version ``2.0.4``): A code challenge is
|
||||
required at Tokens endpoint (see :rfc:`7636`)
|
||||
- **Allow offline access** (since version ``2.0.7``): After enabling
|
||||
this feature, an application may request the **offline_access**
|
||||
scope, and will obtain a Refresh Token that persists even after
|
||||
|
@ -320,10 +316,13 @@ Options
|
|||
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
|
||||
for details. These offline sessions can be administered through
|
||||
the Session Browser.
|
||||
- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the use of the :ref:`Resource Owner Password Credentials Grant <resource-owner-password-grant>` by this client. This feature only works if you have configured a form-based authentication module.
|
||||
- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the :ref:`Client Credentials Grant <client-credentials-grant>` by this client.
|
||||
- **Authentication Level**: required authentication level to access this application
|
||||
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
|
||||
- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the use of
|
||||
the :ref:`Resource Owner Password Credentials Grant <resource-owner-password-grant>` by this client.
|
||||
This feature only works if you have configured a form-based authentication module.
|
||||
- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the
|
||||
:ref:`Client Credentials Grant <client-credentials-grant>` by this client.
|
||||
- **Authentication Level**: Required authentication level to access this application
|
||||
- **Access Rule**: Lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
|
||||
|
||||
- **Timeouts**
|
||||
|
||||
|
@ -341,11 +340,11 @@ Options
|
|||
|
||||
- **Logout**
|
||||
|
||||
- **Allowed redirection addresses for logout**: A space separated list of
|
||||
- **Allowed redirection addresses for logout**: A space-separated list of
|
||||
URLs that this client can redirect the user to once the logout is done
|
||||
(through ``post_logout_redirect_uri``)
|
||||
- **URL**: Specify the relying party's logout URL
|
||||
- **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
|
||||
- **Type**: Type of logout to perform (only Front-Channel is implemented for now)
|
||||
- **Session required**: Whether to send the Session ID in the logout request
|
||||
|
||||
Access Rule extra variables
|
||||
|
|
|
@ -40,21 +40,21 @@ You can associate here an authentication context to an authentication level.
|
|||
Security
|
||||
~~~~~~~~
|
||||
|
||||
- **Keys**: Define public/private key pair to do asymmetric signature. A JWKS
|
||||
``kid`` (Key ID) is automatically derived when generating new keys.
|
||||
- **Keys**: Define public/private key pair for asymmetric signature. A JWKS
|
||||
``kid`` (Key ID) is automatically derived when new keys are generated.
|
||||
- **Dynamic Registration**: Set to 1 to allow clients to register
|
||||
themselves. This may be a security risk as this will create a new
|
||||
configuration in the backend per registration request. You can limit
|
||||
this by protecting in the WebServer the registration end point with
|
||||
this by protecting in the WebServer the registration endpoint with
|
||||
an authentication module, and give the credentials to clients.
|
||||
- **Only allow declared scopes**: By default, LemonLDAP::NG will grant all requested scopes. When this option is in use, LemonLDAP will only grant:
|
||||
- **Only allow declared scopes**: By default, LL::NG will grant all requested scopes.
|
||||
When this option is enabled, LL::NG will only grant:
|
||||
|
||||
- Standard OIDC scopes (``openid`` ``profile`` ``email`` ``address`` ``phone``)
|
||||
- Scopes declared in :ref:`Scope values content <oidcextraclaims>`
|
||||
- Scopes declared in :ref:`Scope Rules <oidcscoperules>` (if they match the rule)
|
||||
|
||||
- **Authorization Code flow**: Set to 1 to allow Authorization Code
|
||||
flow
|
||||
- **Authorization Code flow**: Set to 1 to allow Authorization Code flow
|
||||
- **Implicit flow**: Set to 1 to allow Implicit flow
|
||||
- **Hybrid flow**: Set to 1 to allow Hybrid flow
|
||||
|
||||
|
@ -66,8 +66,8 @@ Timeout
|
|||
authorization code. The default value is one minute.
|
||||
- **ID Token expiration**: Expiration time of ID Tokens. The default
|
||||
value is one hour.
|
||||
- **Access Token expiration**: Expiration time
|
||||
of Access Tokens. The default value is one hour.
|
||||
- **Access Token expiration**: Expiration time of Access Tokens.
|
||||
The default value is one hour.
|
||||
- **Offline session expiration**: This sets the lifetime of the
|
||||
refresh token obtained with the ``offline_access`` scope. The
|
||||
default value is one month.
|
||||
|
@ -76,7 +76,7 @@ Timeout
|
|||
Sessions
|
||||
~~~~~~~~
|
||||
|
||||
It is recommended to use a separate sessions storage for OpenID Connect
|
||||
Best pratice is to use a separate sessions storage for OpenID Connect
|
||||
sessions, else they will stored in the main sessions storage.
|
||||
|
||||
Dynamic Registration
|
||||
|
@ -105,7 +105,7 @@ run for example each week:
|
|||
|
||||
.. tip::
|
||||
|
||||
Set the correct Web server user, else generated configuration will
|
||||
Set the correct WebServer user, else generated configuration will
|
||||
not be readable by LL::NG.
|
||||
|
||||
Session management
|
||||
|
|
Loading…
Reference in New Issue