Documentation for #2419

2021-02-01 17:00:54 +01:00 · 2021-02-01 17:00:54 +01:00 · 9d337abeb8
commit 9d337abeb8
parent 561c5972d1
2 changed files with 37 additions and 4 deletions
--- a/doc/sources/admin/hooks.rst
+++ b/doc/sources/admin/hooks.rst
@ -72,6 +72,30 @@ Sample code::
       return PE_OK;
   }

+oidcGenerateAccessToken
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 2.0.12
+
+This hook is triggered when LemonLDAP::NG is generating an JWT-formatted Access Token
+
+The hook's parameters are:
+
+* A hash of the claims to be contained in the Access Token
+* the configuration key of the relying party which will receive the token
+
+Sample code::
+
+   use constant hook => {
+       oidcGenerateAccessToken          => 'addClaimToAccessToken',
+   };
+
+   sub addClaimToAccessToken {
+       my ( $self, $req, $payload, $rp ) = @_;
+       $payload->{"access_token_hook"} = 1;
+       return PE_OK;
+   }
+

 oidcResolveScope
 ~~~~~~~~~~~~~~~~
--- a/doc/sources/admin/idpopenidconnect.rst
+++ b/doc/sources/admin/idpopenidconnect.rst
@ -275,6 +275,13 @@ Options
   -  **Force claims to be returned in ID Token**: This options will
      make user attributes from the requested scope appear as ID Token
      claims.
+   -  **Use JWT format for Access Token** (since version ``2.0.12``): When
+      using this option, Access Tokens will use the JWT format, which means they
+      can be verified by external OAuth2.0 resource servers without using the
+      introspection or userinfo endpoint.
+   -  **Release claims in Access Token** (since version ``2.0.12``): If Access
+      Tokens are in JWT format, this option lets you release the claims defined
+      in the *Extra Claims* section inside the Access Token itself.
   -  **Additional audiences** (since version ``2.0.8``): You can
      specify a space-separate list of audiences that will be added the
      audiences of the ID Token
@ -290,8 +297,8 @@ Options
      default value is one minute.
   -  **ID Token expiration**: Expiration time of ID Tokens. The default
      value is one hour.
-   -  **Access token expiration**: Expiration time of Access Tokens. The
-      default value is one hour.
+   -  **Access token expiration** (since version ``2.0.12``): Expiration time
+      of Access Tokens. The default value is one hour.
   -  **Offline session expiration**: This sets the lifetime of the
      refresh token obtained with the **offline_access** scope. The
      default value is one month. This parameter only applies if offline
@ -299,8 +306,10 @@ Options

 -  **Security**

-   -  **ID Token signature algorithm**: Select one of ``none``,
-      ``HS256``, ``HS384``, ``HS512``, ``RS256``, ``RS384``, ``RS512``
+   -  **ID Token signature algorithm**: Select one of the available public key
+      (RSXXX) or HMAC (HSXXX) based signature algorithms
+   -  **Access Token signature algorithm**: Select one of the available public
+      key signature algorithms
   -  **Require PKCE** (since version ``2.0.4``): a code challenge is
      required at token endpoint (see
      `RFC7636 <https://tools.ietf.org/html/rfc7636>`__)