diff --git a/doc/sources/admin/authopenidconnect.rst b/doc/sources/admin/authopenidconnect.rst index 6a1d0449f..073b9e419 100644 --- a/doc/sources/admin/authopenidconnect.rst +++ b/doc/sources/admin/authopenidconnect.rst @@ -256,6 +256,4 @@ Options with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``. - Go to: - - ``General Parameters > Advanced Parameters > Security > SSL options for server requests`` \ No newline at end of file + Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests`` \ No newline at end of file diff --git a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst index 0daeed45c..0d4f4f770 100644 --- a/doc/sources/admin/idpopenidconnect.rst +++ b/doc/sources/admin/idpopenidconnect.rst @@ -162,7 +162,7 @@ Exported attributes .. warning:: - By default, only `standard OpenID Connect claims `__ are visible to applications. If you want to add non-standard attributes, you must create a new scope in the *Scope values content* section and make your application request it + By default, only `standard OpenID Connect claims `__ are exposed to applications. If you want to add non-standard attributes, you must create a new scope in the *Scope values content* section and make your application request it. For each OpenID Connect attribute you want to release to applications, you can define: @@ -281,8 +281,8 @@ Options sharing consent screen (consent will be accepted by default). Bypassing the consent is **not** compliant with OpenID Connect standard. - - **User attribute**: session field that will be used as main - identifier (``sub``) + - **User attribute**: Session field that will be used as main + identifier (``sub``). Default value is ``whatToTrace``. - **Force claims to be returned in ID Token**: This options will make user attributes from the requested scope appear as ID Token claims. 
diff --git a/doc/sources/admin/openidconnectservice.rst b/doc/sources/admin/openidconnectservice.rst index 5acfa2963..42ec6f700 100644 --- a/doc/sources/admin/openidconnectservice.rst +++ b/doc/sources/admin/openidconnectservice.rst @@ -35,13 +35,12 @@ values unless you have a specific need to change them. Authentication context ~~~~~~~~~~~~~~~~~~~~~~ -You can associate here an authentication context to an authentication -level. +You can associate here an authentication context to an authentication level. Security ~~~~~~~~ -- **Keys** : define public/private key pair to do asymmetric signature. A JWKS +- **Keys**: Define public/private key pair to do asymmetric signature. A JWKS ``kid`` (Key ID) is automatically derived when generating new keys. - **Dynamic Registration**: Set to 1 to allow clients to register themselves. This may be a security risk as this will create a new @@ -93,9 +92,8 @@ is registered through the ``/oauth2/register`` endpoint: Key rotation script ------------------- -OpenID Connect specification let the possibility to rotate keys to -improve security. LL::NG provide a script to do this, that should be put -in a cronjob. +OpenID Connect specifications allow to rotate keys to improve security. +LL::NG provides a script to do this, that should be used in a cronjob. The script is ``/usr/share/lemonldap-ng/bin/rotateOidcKeys``. It can be run for example each week: @@ -107,7 +105,7 @@ run for example each week: .. tip:: - Set the correct Apache user, else generated configuration will + Set the correct Web server user, else generated configuration will not be readable by LL::NG. Session management
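Review bot: in the authopenidconnect.rst hunk, both the removed and the added `Go to:` line still carry `\ No newline at end of file`, so the file remains without a terminating newline after this change; since the hunk already touches the last line of the file, add the trailing newline here instead of leaving it for another diff.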
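Review bot: in the idpopenidconnect.rst "Exported attributes" hunk, the hyperlink `standard OpenID Connect claims `__ has no target between the backticks on either the old or the new line; if that is how the source reads rather than an artifact of how the patch was rendered, the anonymous link renders empty and should carry the URL of the OpenID Connect Core claims section. The wording change itself ("exposed" instead of "visible", plus the missing full stop) is fine.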
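Review bot: in the idpopenidconnect.rst "Options" hunk, the untouched context line `- **Force claims to be returned in ID Token**: This options will make` has a number-agreement error ("This options"); since the hunk already reformats the bullet just above it, change it to "This option will make" in the same commit. Documenting the ``whatToTrace`` default for the ``sub`` field is a useful addition; because this is the main identifier handed to applications, one sentence saying that changing the field changes the identity every relying party sees would help administrators weigh that setting.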
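Review bot: in the openidconnectservice.rst "Security" hunk, `Define public/private key pair to do asymmetric signature` still reads awkwardly after the capitalisation fix; suggest `Define the public/private key pair used for asymmetric signatures.` The context line that follows says a ``kid`` is derived automatically when new keys are generated; a short pointer from this bullet to the "Key rotation script" section below would tell readers why that key ID matters.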
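Review bot: in the "Key rotation script" hunk, `OpenID Connect specifications allow to rotate keys` is still ungrammatical ("allow to rotate"); suggest `The OpenID Connect specifications allow keys to be rotated to improve security.` and, for the next line, `LL::NG provides a script for this, which should be run from a cron job.`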
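Review bot: in the `.. tip::` hunk, generalising "Apache user" to the web server user is the right fix since the rotation script is meant to run from cron under whatever server LL::NG is deployed on; write it as lowercase `web server user` to match the surrounding prose, and consider adding that the cron job itself should be installed for that same user rather than for root, as a root-owned job is the usual way the regenerated configuration ends up unreadable by LL::NG.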