Fix doc & typos

This commit is contained in:
Christophe Maudoux 2022-08-28 00:47:03 +02:00
parent 13120fd1e2
commit 4b99371853
7 changed files with 46 additions and 52 deletions

View File

@ -4,14 +4,12 @@ CAS server
Presentation Presentation
------------ ------------
LL::NG can be used as a CAS server. It can allow one to federate LL::NG LL::NG can be used as a CAS server. It can allow one to federate LL::NG with:
with:
- Another :doc:`CAS authentication<authcas>` LL::NG provider - Another :doc:`CAS authentication<authcas>` LL::NG provider
- Any CAS consumer - Any CAS consumer
LL::NG is compatible with the `CAS LL::NG is compatible with the `CAS protocol <https://apereo.github.io/cas/6.5.x/index.html>`__
protocol <https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html>`__
versions 1.0, 2.0 and part of 3.0 (attributes exchange). versions 1.0, 2.0 and part of 3.0 (attributes exchange).
Configuration Configuration
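Review bot: the replacement link on the "LL::NG is compatible with the" line now points at the generic CAS 6.5.x documentation index, whereas the old link pointed at the CAS Protocol Specification itself; since the sentence goes on to claim support for protocol versions 1.0, 2.0 and part of 3.0, link the protocol specification page in the apereo docs rather than the version index, which will also go stale once 6.5.x is superseded. While this paragraph is being reflowed, "It can allow one to federate LL::NG with:" reads more naturally as "It allows federating LL::NG with:".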
@ -20,8 +18,7 @@ Configuration
Enabling CAS Enabling CAS
~~~~~~~~~~~~ ~~~~~~~~~~~~
In the Manager, go in ``General Parameters`` » ``Issuer modules`` » In the Manager, go in ``General Parameters`` » ``Issuer modules`` » ``CAS`` and configure:
``CAS`` and configure:
- **Activation**: set to ``On``. - **Activation**: set to ``On``.
- **Path**: it is recommended to keep the default value (``^/cas/``) - **Path**: it is recommended to keep the default value (``^/cas/``)
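Review bot: minor wording on the reflowed line: "In the Manager, go in ``General Parameters``" should read "In the Manager, go to ``General Parameters``".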
@ -31,8 +28,7 @@ In the Manager, go in ``General Parameters`` » ``Issuer modules`` »
.. tip:: .. tip::
For example, to allow only users with a strong authentication For example, to allow only users with a strong authentication level:
level:
:: ::

View File

@ -265,12 +265,12 @@ Options
- **Basic** - **Basic**
- **Public client** (since version ``2.0.4``): Set this RP as public
client, so authentication is not needed on tokens endpoint
- **Client ID**: Client ID for this RP - **Client ID**: Client ID for this RP
- **Client secret**: Client secret for this RP (can be used for - **Client secret**: Client secret for this RP (can be used for
symmetric signature) symmetric signature)
- **Public client** (since version ``2.0.4``): Set this RP as public - **Allowed redirection addresses for login**: Space-separated list of redirect
client, so authentication is not needed on tokens endpoint
- **Redirection addresses**: Space-separated list of redirect
addresses allowed for this RP addresses allowed for this RP
- **Advanced** - **Advanced**
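Review bot: the renamed item "Allowed redirection addresses for login" should also say how the list is matched (whether each entry must equal the full ``redirect_uri`` sent by the RP, or whether prefixes are accepted), because this list is what keeps an authorization code from being delivered to an address the RP did not register; a single sentence stating the matching rule would do. The new label also lines up with the "Allowed redirection addresses for logout" item further down, so readers searching for one will now find both.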
@ -279,8 +279,6 @@ Options
sharing consent screen (consent will be accepted by default). sharing consent screen (consent will be accepted by default).
Bypassing the consent is **not** compliant with OpenID Connect Bypassing the consent is **not** compliant with OpenID Connect
standard. standard.
- **User attribute**: Session field that will be used as main
identifier (``sub``). Default value is ``whatToTrace``.
- **Force claims to be returned in ID Token**: This options will - **Force claims to be returned in ID Token**: This options will
make user attributes from the requested scope appear as ID Token claims make user attributes from the requested scope appear as ID Token claims
- **Use JWT format for Access Token** (since version ``2.0.12``): When - **Use JWT format for Access Token** (since version ``2.0.12``): When
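Review bot: the unchanged context line "- **Force claims to be returned in ID Token**: This options will" carries a typo ("This options" should be "This option") that is squarely within the scope of this commit; fix it here while the neighbouring item is being moved.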
@ -290,13 +288,15 @@ Options
- **Release claims in Access Token** (since version ``2.0.12``): If Access - **Release claims in Access Token** (since version ``2.0.12``): If Access
Tokens are in JWT format, this option lets you release the claims defined Tokens are in JWT format, this option lets you release the claims defined
in the *Extra Claims* section inside the Access Token itself in the *Extra Claims* section inside the Access Token itself
- **Additional audiences** (since version ``2.0.8``): You can
specify a space-separated list of audiences that will be added to the
ID Token audiences
- **Use refresh tokens** (since version ``2.0.7``): If this option - **Use refresh tokens** (since version ``2.0.7``): If this option
is enabled, LL::NG will issue a Refresh Token that can be used is enabled, LL::NG will issue a Refresh Token that can be used
to obtain new access tokens as long as the user session is still to obtain new access tokens as long as the user session is still
valid valid
- **User attribute**: Session field that will be used as main
identifier (``sub``). Default value is ``whatToTrace``.
- **Additional audiences** (since version ``2.0.8``): You can
specify a space-separated list of audiences that will be added to the
ID Token audiences
- **Security** - **Security**
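Review bot: the moved "User attribute" entry is the setting that decides what ends up in ``sub``, and it would help to add one sentence that the chosen session field must be unique and stable per user: relying parties key their local accounts on ``sub``, so a field that can later be reassigned to another user would let one account be mapped onto another's RP account. The "Additional audiences" entry could similarly note that every listed audience will accept the ID Token as addressed to it.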
@ -321,40 +321,39 @@ Options
This feature only works if you have configured a form-based authentication module. This feature only works if you have configured a form-based authentication module.
- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the - **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the
:ref:`Client Credentials Grant <client-credentials-grant>` by this client. :ref:`Client Credentials Grant <client-credentials-grant>` by this client.
- **Authentication Level**: Required authentication level to access this application - **Authentication level**: Required authentication level to access this application
- **Access Rule**: Lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client - **Access rule**: Lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
- **Timeouts** - **Timeouts**
- **Authorization Code expiration**: Expiration time of - **Authorization Codes**: Expiration time of
authorization code, when using the Authorization Code flow. The Authorization Codes, when using the Authorization Code flow.
default value is one minute. Default value is one minute.
- **ID Token expiration**: Expiration time of ID Tokens. The default - **ID Tokens**: Expiration time of ID Tokens. Default
value is one hour. value is one hour.
- **Access token expiration**: Expiration time - **Access Tokens**: Expiration time
of Access Tokens. The default value is one hour. of Access Tokens. Default value is one hour.
- **Offline session expiration**: This sets the lifetime of the - **Offline sessions**: Lifetime of the
refresh token obtained with the **offline_access** scope. The refresh token obtained with the **offline_access** scope.
default value is one month. This parameter only applies if offline Default value is one month. This parameter only applies if offline
sessions are enabled. sessions are enabled.
- **Logout** - **Logout**
- **Bypass confirm**: Bypass logout confirmation when logout is initiated - **Bypass confirm**: Bypass logout confirmation when logout is initiated
by relaying party by relaying party
- **Session required**: Whether to send the Session ID in the logout request
- **Type**: Type of logout to perform (only Front-Channel is implemented for now)
- **URL**: Specify the relying party's logout URL
- **Allowed redirection addresses for logout**: A space-separated list of - **Allowed redirection addresses for logout**: A space-separated list of
URLs that this client can redirect the user to once the logout is done URLs that this client can redirect the user to once the logout is done
(through ``post_logout_redirect_uri``) (through ``post_logout_redirect_uri``)
- **URL**: Specify the relying party's logout URL
- **Type**: Type of logout to perform (only Front-Channel is implemented for now)
- **Session required**: Whether to send the Session ID in the logout request
Macros Macros
^^^^^^ ^^^^^^
You can define here macros that will be only evaluated for this service, You can define here macros that will be only evaluated for this service,
and not registered in the session of the user. and not registered in the user's session.
Display Display
^^^^^^^ ^^^^^^^
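Review bot: "by relaying party" under **Bypass confirm** should be "by relying party" (the **URL** item a few lines down already spells it correctly); it is unchanged context here, but a typo commit is the right place for it. Separately, the Timeouts labels drop the word "expiration" ("Authorization Codes", "ID Tokens", "Access Tokens", "Offline sessions"): check that these are the exact labels shown in the Manager under Timeouts, since readers search the docs by the label they see on screen.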

View File

@ -171,8 +171,8 @@ Security
NameID or Assertion). NameID or Assertion).
- **Enable use of IDP initiated URL**: set to ``On`` to enable IDP - **Enable use of IDP initiated URL**: set to ``On`` to enable IDP
Initiated URL on this SP. Initiated URL on this SP.
- **Authentication Level**: required authentication level to access this SP - **Authentication level**: required authentication level to access this SP
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this SP - **Access rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this SP
Extra variables Extra variables
^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^

View File

@ -2,15 +2,14 @@ Test OpenID Connect with command line tools
=========================================== ===========================================
We present here how to test the OpenID Connect protocol (authorization code flow) with commande line tools, like `curl`. We present here how to test the OpenID Connect protocol (authorization code flow) with commande line tools, like `curl`.
We use in this example a public OIDC provider based on LL::NG: `<https://oidctest.wsweet.org>`_ We use in this example a public OIDC provider based on LL::NG: `<https://oidctest.wsweet.org>`_
Authentication Authentication
-------------- --------------
The first step is to obtain a valid SSO session on the portal. The standard solution is to use a web browser and log into the portal, then get the value of the SSO cookie. The first step is to obtain a valid SSO session on the portal. The standard solution is to use a web browser and log into the portal, then get the value of the SSO cookie.
In our case, to be able to use only command lines, we will use portal REST API (which requires to adapt the `requireToken` configuration to get cookie value in JSON response (see :doc:`REST services<restservices>`). This should not be what you will on a production service. In our case, to be able to use only command lines, we will use portal REST API (which requires to adapt the `requireToken` configuration to get cookie value in JSON response (see :doc:`REST services<restservices>`). This should not be what you want on a production service.
Example of REST service usage, with credentials `dwho`/`dwho`: Example of REST service usage, with credentials `dwho`/`dwho`:
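Review bot: two problems survive on unchanged context lines of this hunk: "commande line tools" should be "command line tools", and the sentence "In our case, to be able to use only command lines, we will use portal REST API (which requires to adapt the `requireToken` configuration to get cookie value in JSON response (see :doc:`REST services<restservices>`)." never closes its outer parenthesis. Suggested wording: "In our case, to use only command line tools, we will use the portal REST API, which requires adapting the `requireToken` configuration to get the cookie value in the JSON response (see :doc:`REST services<restservices>`)."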
@ -31,12 +30,12 @@ The session id is displayed in JSON response:
Authorization code Authorization code
------------------ ------------------
In the first step of authorization code flow, we request a temporary code, ont the `authorize` end point. In the first step of authorization code flow, we request a temporary code, on the `authorize` end point.
Parameters needed: Required parameters:
* SSO session id (will be passed in `lemonldap` cookie, adapt the name if needed) * SSO session id (will be passed in `lemonldap` cookie, adapt the name if needed)
* Client ID: given by your OIDC provider, we use here `private` * Client ID: given by your OIDC provider, we use here `private`
* Scope: depends on which information you need, we will use here `openid profile email` * Scope: depends on which information you want, we will use here `openid profile email`
* Redirect URI: shoud match the value registered in your OIDC provider, we will use here `http://localhost` * Redirect URI: shoud match the value registered in your OIDC provider, we will use here `http://localhost`
The OIDC provide will return the code in the location header, so we just output this reponse header: The OIDC provide will return the code in the location header, so we just output this reponse header:
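Review bot: the hunk fixes "ont the `authorize` end point" but leaves three typos on its last two lines: "shoud match" (should), "The OIDC provide will return" (provider) and "this reponse header" (response); fix them in the same commit.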
@ -52,7 +51,7 @@ The value of the location header is:
location: http://localhost?code=294b0facd91a0fa92762edc48d18369e99c330ba2b8fb05ab2c45999fcef6e17&session_state=BpB8KRMBEDUs%2B7lAjsz4DRk3E0RJImxgUbMsCFFAUa8%3D.N3dVOFg3a2RpNXVJK3ltSldrYXZjUjhtU0tvd29sWkpuWWJJbll5ZGs5NzhZMnh5bmQwd0IxRmJVWUxJSTlkWDBnSWZ2SWFVZmU0UnRaMkVJVjNUY3c9PQ location: http://localhost?code=294b0facd91a0fa92762edc48d18369e99c330ba2b8fb05ab2c45999fcef6e17&session_state=BpB8KRMBEDUs%2B7lAjsz4DRk3E0RJImxgUbMsCFFAUa8%3D.N3dVOFg3a2RpNXVJK3ltSldrYXZjUjhtU0tvd29sWkpuWWJJbll5ZGs5NzhZMnh5bmQwd0IxRmJVWUxJSTlkWDBnSWZ2SWFVZmU0UnRaMkVJVjNUY3c9PQ
So we get the code value: `94b0facd91a0fa92762edc48d18369e99c330ba2b8fb05ab2c45999fcef6e17` So we get the code value: `294b0facd91a0fa92762edc48d18369e99c330ba2b8fb05ab2c45999fcef6e17`
This code has a short lifetime, we will use it to get access token and ID token in the next step This code has a short lifetime, we will use it to get access token and ID token in the next step
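Review bot: good catch on the dropped leading "2" in the code value. The following line "This code has a short lifetime, we will use it to get access token and ID token in the next step" is a comma splice without a final period; suggest "This code has a short lifetime; we will use it to get the access token and ID token in the next step." It is also worth saying that, per OAuth 2.0, an authorization code is single-use, so the token request below can only succeed once per code.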
@ -64,7 +63,7 @@ In this step, we exchange the authorization code against tokens:
* ID token * ID token
* Refresh token (optional) * Refresh token (optional)
Parameters needed: Required parameters:
* Authorization code: see previous step * Authorization code: see previous step
* Grant type: we use here `authorization_code` * Grant type: we use here `authorization_code`
* Redirect URI: same value as the one used in the previous step * Redirect URI: same value as the one used in the previous step
@ -72,7 +71,7 @@ Parameters needed:
.. code-block:: shell .. code-block:: shell
curl -X POST -d grant_type=authorization_code -d 'redirect_uri=http://localhost' -d code=94b0facd91a0fa92762edc48d18369e99c330ba2b8fb05ab2c45999fcef6e17 -u 'private:tardis' 'https://oidctest.wsweet.org/oauth2/token' | json_pp curl -X POST -d grant_type=authorization_code -d 'redirect_uri=http://localhost' -d code=294b0facd91a0fa92762edc48d18369e99c330ba2b8fb05ab2c45999fcef6e17 -u 'private:tardis' 'https://oidctest.wsweet.org/oauth2/token' | json_pp
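Review bot: `-u 'private:tardis'` puts the client secret on the command line, where it is recorded in shell history and visible to other local users through the process list; for the public test provider used here that is harmless, but the doc could add that for a real deployment one should use `-u private` (curl then prompts for the password) or a `.netrc` file instead.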
The JSON response looks like this: The JSON response looks like this:
@ -86,7 +85,7 @@ The JSON response looks like this:
"token_type" : "Bearer" "token_type" : "Bearer"
} }
The access token will be used for the last step, to get information about the user. The access token will be used for the last step, to retrieve information about the user.
The ID Token is a JWT (JSON Web Token) and can be parsed easily, as this is the concatenation of 3 JSON strings encoded in base 64: `base64(header).base64(payload).base64(signature)`. The ID Token is a JWT (JSON Web Token) and can be parsed easily, as this is the concatenation of 3 JSON strings encoded in base 64: `base64(header).base64(payload).base64(signature)`.
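Review bot: the unchanged line describing the ID Token is inaccurate in two places: the three parts are base64url-encoded (URL-safe alphabet, no padding), so a plain base64 decoder may reject them, and the third part is the raw signature bytes rather than a JSON string. Since this section shows how to parse the token, it should also state that decoding the payload is not verification: the claims should only be trusted after the signature has been checked against the provider's published keys and the `iss`, `aud` and `exp` claims have been validated.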
@ -113,7 +112,7 @@ User info
This step is optional and allows to fetch user information linked to scopes requested in the first step. This step is optional and allows to fetch user information linked to scopes requested in the first step.
Parameters needed: Required parameters:
* Access token, used as bearer authorization * Access token, used as bearer authorization
.. code-block:: shell .. code-block:: shell
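Review bot: "This step is optional and allows to fetch user information" should be "allows fetching user information" (or "lets you fetch"), since the hunk is already touching the wording of this section.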
@ -134,9 +133,9 @@ JSON response:
Introspection Introspection
------------- -------------
You can the validity of the access token with the introspection endpoint. You can test access token validity with the introspection endpoint.
Parameters needed: Required parameters:
* Client ID and Client Secret, used as basic authorization * Client ID and Client Secret, used as basic authorization
* Access token, sent as POST data * Access token, sent as POST data
@ -162,7 +161,7 @@ Refresh an access token
If the access token has expired, you can get a new one with the refresh token. If the access token has expired, you can get a new one with the refresh token.
Parameters needed: Required parameters:
* Grant type: we use here `refresh_token`, sent as POST data * Grant type: we use here `refresh_token`, sent as POST data
* Refresh token, sent as POST data * Refresh token, sent as POST data
* Client ID and Client Secret, used as basic authorization * Client ID and Client Secret, used as basic authorization
@ -187,7 +186,7 @@ Logout
To kill SSO session, call the OIDC logout endpoint. By default a confirmation is requested, but you can bypass it by adding `confirm=1` to URL. To kill SSO session, call the OIDC logout endpoint. By default a confirmation is requested, but you can bypass it by adding `confirm=1` to URL.
Parameters needed: Required parameters:
* SSO session id (will be passed in `lemonldap` cookie) * SSO session id (will be passed in `lemonldap` cookie)
.. code-block:: shell .. code-block:: shell
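Review bot: minor grammar on the first line: "To kill SSO session" should be "To kill the SSO session" and "adding `confirm=1` to URL" should be "to the URL". Since `confirm=1` skips the user-facing confirmation, it would also help to say that this is meant for scripted testing and that browser-initiated logouts should keep the confirmation step, as an unconfirmed logout triggered by a plain request can be provoked by any page the user happens to visit.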

View File

@ -706,7 +706,7 @@ sub scanTree {
} }
# issue 2439 # issue 2439
# FIXME: in future versions, oidcOPMetaDataJSON and samlIDPMetaDataXML shoud # FIXME: in future versions, oidcOPMetaDataJSON and samlIDPMetaDataXML should
# behave the same # behave the same
if ( $leaf =~ /^oidcOPMetaData(?:JSON|JWKS)$/ ) { if ( $leaf =~ /^oidcOPMetaData(?:JSON|JWKS)$/ ) {
push @simpleHashKeys, $leaf; push @simpleHashKeys, $leaf;

View File

@ -2,7 +2,7 @@
<div class="panel-heading"> <div class="panel-heading">
<h3 class="panel-title">{{translateTitle(currentNode)}}</h3> <h3 class="panel-title">{{translateTitle(currentNode)}}</h3>
</div> </div>
<table class="table"> <table class="table table-striped">
<!-- Format --> <!-- Format -->
<tr> <tr>
<th><span trspan="format"></span></th> <th><span trspan="format"></span></th>

View File

@ -81,7 +81,7 @@
</select> </select>
</td> </td>
<th ng-if="n.type&&n.type!='text'&&n.type!='longtext'&&n.type!='int'&&n.type!='bool'&&n.type!='trool'&&n.type!='boolOrExpr'&&n.type!='select'&&n.type!='password'"> <th ng-if="n.type&&n.type!='text'&&n.type!='longtext'&&n.type!='int'&&n.type!='bool'&&n.type!='trool'&&n.type!='boolOrExpr'&&n.type!='select'&&n.type!='password'">
ERROR, complex node inside. Don't use simpleInputContainer for {{currentNode.title}} ERROR, complex node inside. Do not use simpleInputContainer for {{currentNode.title}}
</th> </th>
</tr> </tr>
</tbody> </tbody>