OpenID Connect Provider

Présentation

OpenID Connect est un protocole basé sur les piles REST, OAuth 2.0 et JOSE. Il est décrit ici : http://openid.net/connect/.

LL::NG can act as an OpenID Connect Provider (OP). It will answer to OpenID Connect requests to give user identity (trough ID Token) and information (trough User Info end point).

As an OP, LL::NG supports a lot of OpenID Connect features:

Authorization Code, Implicit and Hybrid flows
Publication of JSON metadata and JWKS data (Discovery)
prompt, display, ui_locales, max_age parameters
Extra claims definition
Authentication context Class References (ACR)
Nonce
Dynamic registration
Access Token Hash generation
ID Token signature (HS256/HS384/HS512/RS256/RS384/RS512)
UserInfo end point, as JSON or as JWT
Request and Request URI
Session management

Configuration

Service OpenID-Connect

See OpenID Connect service configuration chapter.

IssuerDB

Go in General Parameters » Issuer modules » OpenID Connect and configure:

Activation : mettre à Activé.
Path: keep ^/oauth2/ unless you need to use another path (in this case, you need to adapt Apache configuration)
Règle d'utilisation : une règle pour autoriser l'usage de ce module, mettre 1 pour toujours l'autoriser.

Par exemple, pour n'autoriser que les utilisateurs authentifiés fortement :

$authenticationLevel > 2

Configuration of LL::NG in Relying Party

Each Relying Party has its own configuration way. LL::NG publish its OpenID Connect metadata to ease the configuration of client.

The metadata can be found at the standard “Well Known” URL: http://auth.example.com/.well-known/openid-configuration

An example of its content:

{
   "end_session_endpoint" : "http://auth.example.com/oauth2/logout",
   "jwks_uri" : "http://auth.example.com/oauth2/jwks",
   "token_endpoint_auth_methods_supported" : [
      "client_secret_post",
      "client_secret_basic"
   ],
   "token_endpoint" : "http://auth.example.com/oauth2/token",
   "response_types_supported" : [
      "code",
      "id_token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "userinfo_signing_alg_values_supported" : [
      "none",
      "HS256",
      "HS384",
      "HS512",
      "RS256",
      "RS384",
      "RS512"
   ],
   "id_token_signing_alg_values_supported" : [
      "none",
      "HS256",
      "HS384",
      "HS512",
      "RS256",
      "RS384",
      "RS512"
   ],
   "userinfo_endpoint" : "http://auth.example.com/oauth2/userinfo",
   "request_uri_parameter_supported" : "true",
   "acr_values_supported" : [
      "loa-4",
      "loa-1",
      "loa-3",
      "loa-5",
      "loa-2"
   ],
   "request_parameter_supported" : "true",
   "subject_types_supported" : [
      "public"
   ],
   "issuer" : "http://auth.example.com/",
   "grant_types_supported" : [
      "authorization_code",
      "implicit",
      "hybrid"
   ],
   "authorization_endpoint" : "http://auth.example.com/oauth2/authorize",
   "check_session_iframe" : "http://auth.example.com/oauth2/checksession",
   "scopes_supported" : [
      "openid",
      "profile",
      "email",
      "address",
      "phone"
   ],
   "require_request_uri_registration" : "false",
   "registration_endpoint" : "http://auth.example.com/oauth2/register"
}

Configuration of Relying Party in LL::NG

Go in Manager and click on OpenID Connect Relying Parties, then click on Add OpenID Relying Party. Give a technical name (no spaces, no special characters), like “sample-rp”;

You can then access to the configuration of this RP.

Attributs exportés

You can map here the attribute names from the LL::NG session to an OpenID Connect claim.

Nom affiché	Type	Exemple de correspondance d'attributs LDAP
sub	chaîne	uid
nom	chaîne	cn
given_name	chaîne	givenName
family_name	chaîne	sn
middle_name	chaîne
nickname	chaîne
preferred_username	chaîne	displayName
profile	chaîne	labeledURI
picture	chaîne
website	chaîne
email	chaîne	mail
email_verified	boolean
gender	chaîne
birthdate	chaîne
zoneinfo	chaîne
locale	chaîne	preferredLanguage
phone_number	chaîne	telephoneNumber
phone_number_verified	boolean
updated_at	chaîne
formatted	chaîne	registeredAddress
street_address	chaîne	street
locality	chaîne	l
region	chaîne	st
postal_code	chaîne	postalCode
country	chaîne	co

Ainsi on peut définir par exemple:

name ⇒ cn
family_name ⇒ sn
email ⇒ mail

The specific sub attribute is not defined here, but in User attribute parameter (see below).

You can also define extra claims and link them to attributes (see below). Then you just have to define the mapping of this new attributes, for example:

birthplace ⇒ l
birthcountry ⇒ co

Options

Authentication:
- Client ID: Client ID for this RP
- Client secret: Client secret for this RP (can be use for symmetric signature)
Affichage :
- Display name: Name of the RP application
- Logo: Logo of the RP application
User attribute: session field that with be used as main identifier (sub)
ID Token signature algorithm: Select one of none, HS256, HS384, HS512, RS256, RS384, RS512
ID Token expiration: Expiration time of ID Tokens
Access token expiration: Expiration time of Access Tokens
Redirection addresses: Space separated list of redirect addresses allowed for this RP
Extra claims: Associate attributes to extra claims if the RP request them, for example birth ⇒ birthplace birthcountry