lemonldap-ng/doc/pages/documentation/current/openidconnectservice.html
Clément Oudot a38386f0cd New doc
2016-10-15 17:57:04 +00:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:openidconnectservice</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,openidconnectservice"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="openidconnectservice.html"/>
<link rel="contents" href="openidconnectservice.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:openidconnectservice","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#rewrite_rules">Rewrite rules</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level2"><div class="li"><a href="#nginx">Nginx</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#service_configuration">Service configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#issuer_identifier">Issuer identifier</a></div></li>
<li class="level2"><div class="li"><a href="#end_points">End points</a></div></li>
<li class="level2"><div class="li"><a href="#authentication_context">Authentication context</a></div></li>
<li class="level2"><div class="li"><a href="#security">Security</a></div></li>
<li class="level2"><div class="li"><a href="#sessions">Sessions</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#key_rotation_script">Key rotation script</a></div></li>
<li class="level1"><div class="li"><a href="#session_management">Session management</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="openid_connect_service_configuration">OpenID Connect service configuration</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "OpenID Connect service configuration" [1-52] -->
<h2 class="sectionedit2" id="rewrite_rules">Rewrite rules</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Rewrite rules" [53-79] -->
<h3 class="sectionedit3" id="apache">Apache</h3>
<div class="level3">
<p>
Be sure that mod_rewrite is installed and that OpenID Connect rewrite rules are activated in <a href="configlocation.html#portal" class="wikilink1" title="documentation:2.0:configlocation">Apache portal configuration</a>:
</p>
<pre class="code file apache"> <span class="co1"># OpenID Connect Issuer</span>
&lt;<span class="kw3">IfModule</span> mod_rewrite.c&gt;
<span class="kw1">RewriteEngine</span> <span class="kw2">On</span>
<span class="co1">#RewriteCond %{HTTP:Authorization} .</span>
<span class="co1">#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]</span>
<span class="kw1">RewriteRule</span> ^/oauth2/.* /index.pl
<span class="kw1">RewriteRule</span> ^/.well-known/openid-configuration$ /openid-configuration.pl
&lt;/<span class="kw3">IfModule</span>&gt;</pre>
<div class="notetip">You need to uncomment the rewrite rules on the Authorization header if you only have CGI enabled in your Apache server.
</div>
</div>
<!-- EDIT3 SECTION "Apache" [80-735] -->
<h3 class="sectionedit4" id="nginx">Nginx</h3>
<div class="level3">
<p>
Be sure that OpenID Connect rewrite rules are activated in the <a href="configlocation.html#portal1" class="wikilink1" title="documentation:2.0:configlocation">Nginx portal configuration</a>:
</p>
<pre class="code file nginx"> # OpenID Connect Issuer
rewrite ^/oauth2/.* /index.pl last;
rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;</pre>
</div>
<!-- EDIT4 SECTION "Nginx" [736-1025] -->
<h2 class="sectionedit5" id="service_configuration">Service configuration</h2>
<div class="level2">
<p>
Go to the Manager and click on the <code>OpenID Connect Service</code> node.
</p>
</div>
<!-- EDIT5 SECTION "Service configuration" [1026-1121] -->
<h3 class="sectionedit6" id="issuer_identifier">Issuer identifier</h3>
<div class="level3">
<p>
Set the issuer identifier, which should be the portal <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
<p>
For example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a>
</p>
</div>
<!-- EDIT6 SECTION "Issuer identifier" [1122-1248] -->
<h3 class="sectionedit7" id="end_points">End points</h3>
<div class="level3">
<p>
Names of the different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authorization</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Token</strong></div>
</li>
<li class="level1"><div class="li"> <strong>User Info</strong></div>
</li>
<li class="level1"><div class="li"> <strong>JWKS</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Registration</strong></div>
</li>
<li class="level1"><div class="li"> <strong>End of session</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Check Session</strong></div>
</li>
</ul>
<div class="notetip">The endpoints are published in the JSON metadata served at <code>/.well-known/openid-configuration</code>.
</div>
</div>
<!-- EDIT7 SECTION "End points" [1249-1598] -->
<h3 class="sectionedit8" id="authentication_context">Authentication context</h3>
<div class="level3">
<p>
Here you can associate an authentication context with an authentication level.
</p>
</div>
<!-- EDIT8 SECTION "Authentication context" [1599-1710] -->
<h3 class="sectionedit9" id="security">Security</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Keys</strong>: define the public/private key pair used for asymmetric signatures</div>
</li>
<li class="level1"><div class="li"> <strong>Signing Key ID</strong>: ID of the signing key</div>
</li>
<li class="level1"><div class="li"> <strong>Dynamic Registration</strong>: set to 1 to allow clients to register themselves. This may be a security risk, as each registration request creates a new configuration in the backend. You can limit this by protecting the registration endpoint in the web server with an authentication module and giving the credentials to clients.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorization Code flow</strong>: set to 1 to allow the Authorization Code flow</div>
</li>
<li class="level1"><div class="li"> <strong>Implicit flow</strong>: set to 1 to allow the Implicit flow</div>
</li>
<li class="level1"><div class="li"> <strong>Hybrid flow</strong>: set to 1 to allow the Hybrid flow</div>
</li>
</ul>
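<p>
As an added example (not LL::NG code), the following check validates the published JSON metadata against what was configured above: the issuer must equal the portal URL, every endpoint must sit under that issuer on a path routed by the <code>^/oauth2/.*</code> rewrite rule, and only the flows enabled in this section may appear in <code>response_types_supported</code>. The endpoint names in the constructed sample document are assumptions.
</p>

```javascript
// Added example: sanity-check an OpenID Connect discovery document after
// configuring the service. Not LL::NG's own code.
const FLOW_OF_RESPONSE_TYPE = {            // OIDC Core response_type -> flow
  'code': 'authorizationCode',
  'id_token': 'implicit',
  'id_token token': 'implicit',
  'code id_token': 'hybrid',
  'code token': 'hybrid',
  'code id_token token': 'hybrid',
};

// doc: parsed /.well-known/openid-configuration; portalUrl: configured issuer;
// enabledFlows: {authorizationCode, implicit, hybrid} booleans from the Manager.
// Returns a list of human-readable problems (empty means consistent).
function validateDiscovery(doc, portalUrl, enabledFlows) {
  const problems = [];
  if (doc.issuer !== portalUrl) {
    problems.push(`issuer ${doc.issuer} does not match portal URL ${portalUrl}`);
  }
  const endpointKeys = Object.keys(doc).filter(
    k => k.endsWith('_endpoint') || k === 'jwks_uri' || k === 'check_session_iframe');
  for (const key of endpointKeys) {
    const url = doc[key];
    if (!url.startsWith(portalUrl + '/')) {
      problems.push(`${key} ${url} is not under the issuer`);
      continue;
    }
    const path = url.slice(portalUrl.length);
    if (!path.startsWith('/oauth2/')) {
      problems.push(`${key} path ${path} is not routed by the ^/oauth2/.* rewrite rule`);
    }
  }
  for (const rt of doc.response_types_supported || []) {
    const flow = FLOW_OF_RESPONSE_TYPE[rt];
    if (!flow) { problems.push(`unknown response_type "${rt}"`); continue; }
    if (!enabledFlows[flow]) problems.push(`response_type "${rt}" advertised but ${flow} flow is disabled`);
  }
  return problems;
}

// Constructed sample document (endpoint names are assumptions, not LL::NG defaults).
const SAMPLE_DISCOVERY = {
  issuer: 'https://auth.example.com',
  authorization_endpoint: 'https://auth.example.com/oauth2/authorize',
  token_endpoint: 'https://auth.example.com/oauth2/token',
  userinfo_endpoint: 'https://auth.example.com/oauth2/userinfo',
  jwks_uri: 'https://auth.example.com/oauth2/jwks',
  end_session_endpoint: 'https://auth.example.com/oauth2/logout',
  response_types_supported: ['code', 'id_token', 'id_token token'],
};
```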
</div>
<!-- EDIT9 SECTION "Security" [1711-2361] -->
<h3 class="sectionedit10" id="sessions">Sessions</h3>
<div class="level3">
<p>
It is recommended to use a separate session storage for OpenID Connect sessions; otherwise they will be stored in the main session storage.
</p>
</div>
<!-- EDIT10 SECTION "Sessions" [2362-2516] -->
<h2 class="sectionedit11" id="key_rotation_script">Key rotation script</h2>
<div class="level2">
<p>
The OpenID Connect specification allows keys to be rotated to improve security. <abbr title="LemonLDAP::NG">LL::NG</abbr> provides a script to do this, which should be run from a cron job.
</p>
<p>
The script is <code>/usr/share/lemonldap-ng/bin/rotateOidcKeys</code>. It can be run once a week, for example:
</p>
<pre class="file">5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys</pre>
<div class="notetip">Set the correct Apache user; otherwise the generated configuration will not be readable by <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT11 SECTION "Key rotation script" [2517-2990] -->
<h2 class="sectionedit12" id="session_management">Session management</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> implements the change notification as defined here: <a href="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" class="urlextern" title="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" rel="nofollow">http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a>
</p>
<p>
A <code>changed</code> state is sent if the user has logged out of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (or has destroyed the <abbr title="Single Sign On">SSO</abbr> cookie); otherwise the <code>unchanged</code> state is returned.
</p>
<div class="notetip">For this to work, the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie must not be protected against JavaScript (the <code>httpOnly</code> option must be set to <code>0</code>).
</div>
</div>
<!-- EDIT12 SECTION "Session management" [2991-] --></div>
</body>
</html>