446 lines
22 KiB
HTML
446 lines
22 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:authopenidconnect</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="index,follow"/>
|
|
<meta name="keywords" content="documentation,2.0,authopenidconnect"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="authopenidconnect.html"/>
|
|
<link rel="contents" href="authopenidconnect.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authopenidconnect","namespace":"documentation:2.0"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
<!-- TOC START -->
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#openid_connect_service">OpenID Connect Service</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#authentication_and_userdb">Authentication and UserDB</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#register_llng_to_an_openid_connect_provider">Register LL::NG to an OpenID Connect Provider</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#declare_the_openid_connect_provider_in_llng">Declare the OpenID Connect Provider in LL::NG</a></div>
|
|
<ul class="toc">
|
|
<li class="level3"><div class="li"><a href="#metadata">Metadata</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#jwks_data">JWKS data</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#exported_attributes">Exported attributes</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
|
|
</ul></li>
|
|
</ul></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- TOC END -->
|
|
|
|
<h1 class="sectionedit1" id="openid_connect">OpenID Connect</h1>
|
|
<div class="level1">
|
|
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0 centeralign"> ✔ </td><td class="col1 centeralign"> ✔ </td><td class="col2"> </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT2 TABLE [31-94] -->
|
|
</div>
|
|
<!-- EDIT1 SECTION "OpenID Connect" [1-95] -->
|
|
<h2 class="sectionedit3" id="presentation">Presentation</h2>
|
|
<div class="level2">
|
|
<div class="noteclassic">OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE stacks. It is described here: <a href="http://openid.net/connect/" class="urlextern" title="http://openid.net/connect/" rel="nofollow">http://openid.net/connect/</a>.
|
|
</div>
|
|
<p>
|
|
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID Connect Relying Party (RP) towards multiple OpenID Connect Providers (OP). It will get the user identity trough an ID Token, and grab user attributes trough UserInfo endpoint.
|
|
</p>
|
|
|
|
<p>
|
|
As an RP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports a lot of OpenID Connect features:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Authorization Code flow</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Automatic download of JWKS</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> JWT signature verification</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Access Token Hash verification</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> ID Token validation</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Get UserInfo as JSON or as JWT</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Logout on EndSession end point</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
You can use this authentication module to link your <abbr title="LemonLDAP::NG">LL::NG</abbr> server to any OpenID Connect Provider. Here are some examples, witch their specific documentation:
|
|
</p>
|
|
<div class="table sectionedit4"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign"> Google </th><th class="col1 centeralign"> France Connect </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0 centeralign"> <a href="authopenidconnect_google.html" class="media" title="documentation:2.0:authopenidconnect_google"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="authopenidconnect_franceconnect.html" class="media" title="documentation:2.0:authopenidconnect_franceconnect"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT4 TABLE [905-1106] --><div class="noteimportant">OpenID-Connect specification isn't finished for logout propagation. So logout initiated by relaying-party will be forward to OpenID-Connect provider but logout initiated by the provider (or another RP) will not be propagated. LLNG will implement this when <abbr title="specification">spec</abbr> will be published.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT3 SECTION "Presentation" [96-1410] -->
|
|
<h2 class="sectionedit5" id="configuration">Configuration</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT5 SECTION "Configuration" [1411-1437] -->
|
|
<h3 class="sectionedit6" id="openid_connect_service">OpenID Connect Service</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
See <a href="openidconnectservice.html" class="wikilink1" title="documentation:2.0:openidconnectservice">OpenIDConnect service</a> configuration chapter.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT6 SECTION "OpenID Connect Service" [1438-1546] -->
|
|
<h3 class="sectionedit7" id="authentication_and_userdb">Authentication and UserDB</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
In <code>General Parameters</code> > <code>Authentication modules</code>, set:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Authentication module</strong>: OpenID Connect</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Users module</strong>: OpenID Connect</div>
|
|
</li>
|
|
</ul>
|
|
<div class="notetip">As passwords will not be managed by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you can disable <a href="portalmenu.html#menu_modules" class="wikilink1" title="documentation:2.0:portalmenu">menu password module</a>.
|
|
</div><div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome does).
|
|
Administrators may have to modify formAction value with wildcard likes *.
|
|
<p>
|
|
In Manager, go in :
|
|
</p>
|
|
|
|
<p>
|
|
<code>General Parameters</code> > <code>Advanced Parameters</code> > <code>Security</code> > <code>Content Security Policy</code> > <code>Form destination</code>
|
|
</p>
|
|
|
|
</div>
|
|
<p>
|
|
Then in <code>General Parameters</code> > <code>Authentication modules</code> > <code>OpenID Connect parameters</code>, you can set:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Authentication level</strong>: level of authentication to associate to this module</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Callback GET parameter</strong>: name of GET parameter used to intercept callback (default: openidconnectcallback)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>State session timeout</strong>: duration of a state session (used to keep state information between authentication request and authentication response) in seconds (default: 600)</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT7 SECTION "Authentication and UserDB" [1547-2707] -->
|
|
<h3 class="sectionedit8" id="register_llng_to_an_openid_connect_provider">Register LL::NG to an OpenID Connect Provider</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
To register <abbr title="LemonLDAP::NG">LL::NG</abbr>, you will need to give some information like application name or logo. One of mandatory information is the redirect <abbr title="Uniform Resource Locator">URL</abbr> (one or many).
|
|
</p>
|
|
|
|
<p>
|
|
To know this information, just take the portal <abbr title="Uniform Resource Locator">URL</abbr> and the Callback GET parameter, for example:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <a href="http://auth.example.com/?openidcallback=1" class="urlextern" title="http://auth.example.com/?openidcallback=1" rel="nofollow">http://auth.example.com/?openidcallback=1</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <a href="http://auth.example.com/index.pl?openidcallback=1" class="urlextern" title="http://auth.example.com/index.pl?openidcallback=1" rel="nofollow">http://auth.example.com/index.pl?openidcallback=1</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <a href="http://auth.example.com/?lmAuth=oidc&openidcallback=1" class="urlextern" title="http://auth.example.com/?lmAuth=oidc&openidcallback=1" rel="nofollow">http://auth.example.com/?lmAuth=oidc&openidcallback=1</a></div>
|
|
</li>
|
|
</ul>
|
|
<div class="noteimportant">If you use the <a href="authchoice.html" class="wikilink1" title="documentation:2.0:authchoice">choice backend</a>, you need to add the choice parameter in redirect <abbr title="Uniform Resource Locator">URL</abbr>
|
|
</div>
|
|
<p>
|
|
After registration, the OP must give you a client ID and a client secret, that will be used to configure the OP in <abbr title="LemonLDAP::NG">LL::NG</abbr>.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT8 SECTION "Register LL::NG to an OpenID Connect Provider" [2708-3422] -->
|
|
<h3 class="sectionedit9" id="declare_the_openid_connect_provider_in_llng">Declare the OpenID Connect Provider in LL::NG</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
In the Manager, select node <code>OpenID Connect Providers</code> and click on <code>Add OpenID Connect Provider</code>. Give a technical name (no spaces, no special characters), like "sample-op";
|
|
</p>
|
|
|
|
<p>
|
|
You can then access to the configuration of this OP.
|
|
</p>
|
|
|
|
</div>
|
|
|
|
<h4 id="metadata">Metadata</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
The OP should publish its metadata in a JSON file (see for example <a href="https://accounts.google.com/.well-known/openid-configuration" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration" rel="nofollow">Google metadata</a>). Copy the content of this file in the textarea.
|
|
</p>
|
|
|
|
<p>
|
|
If no metadata is available, you need to write them in the textarea. Mandatory fields are:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> issuer</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> authorization_endpoint</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> token_endpoint</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> userinfo_endpoint</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
You can also define:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> jwks_uri</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> endsession_endpoint</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Example template:
|
|
</p>
|
|
<pre class="code file javascript"><span class="br0">{</span>
|
|
<span class="st0">"issuer"</span><span class="sy0">:</span> <span class="st0">"https://auth.example.com/"</span><span class="sy0">,</span>
|
|
<span class="st0">"authorization_endpoint"</span><span class="sy0">:</span> <span class="st0">"https://auth.example.com/oauth2/authorize"</span><span class="sy0">,</span>
|
|
<span class="st0">"token_endpoint"</span><span class="sy0">:</span> <span class="st0">"https://auth.example.com/oauth2/token"</span><span class="sy0">,</span>
|
|
<span class="st0">"userinfo_endpoint"</span><span class="sy0">:</span> <span class="st0">"https://auth.example.com/oauth2/userinfo"</span><span class="sy0">,</span>
|
|
<span class="st0">"end_session_endpoint"</span><span class="sy0">:</span><span class="st0">"https://auth.example.com/oauth2/logout"</span>
|
|
<span class="br0">}</span></pre>
|
|
|
|
</div>
|
|
|
|
<h4 id="jwks_data">JWKS data</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
JWKS is a JSON file containing public keys. <abbr title="LemonLDAP::NG">LL::NG</abbr> can grab them automatically if jwks_uri is defined in metadata. Else you can paste the content of the JSON file in the textarea.
|
|
</p>
|
|
<div class="notetip">If the OpenID Connect provider only uses symmetric encryption, JWKS data is not useful.
|
|
</div>
|
|
</div>
|
|
|
|
<h4 id="exported_attributes">Exported attributes</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
Define here the mapping between the <abbr title="LemonLDAP::NG">LL::NG</abbr> session content and the fields provided in UserInfo response. The fields are defined in <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">OpenID Connect standard</a>, and depends on the scope requested by <abbr title="LemonLDAP::NG">LL::NG</abbr> (see options in next chapter).
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT10 PLUGIN_INCLUDE_START_NOREDIRECT "documentation:2.0:openidconnectclaims" [0-] --><div class="plugin_include_content plugin_include__documentation:2.0:openidconnectclaims" id="plugin_include__documentation__2.0__openidconnectclaims">
|
|
<div class="level1">
|
|
<div class="table sectionedit12"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0"> Claim name </th><th class="col1"> Associated scope </th><th class="col2"> Type </th><th class="col3"> Example of corresponding LDAP attribute </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0"> sub </td><td class="col1"> openid </td><td class="col2"> string </td><td class="col3"> uid </td>
|
|
</tr>
|
|
<tr class="row2 roweven">
|
|
<td class="col0"> name </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> cn </td>
|
|
</tr>
|
|
<tr class="row3 rowodd">
|
|
<td class="col0"> given_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> givenName </td>
|
|
</tr>
|
|
<tr class="row4 roweven">
|
|
<td class="col0"> family_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> sn </td>
|
|
</tr>
|
|
<tr class="row5 rowodd">
|
|
<td class="col0"> middle_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row6 roweven">
|
|
<td class="col0"> nickname </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row7 rowodd">
|
|
<td class="col0"> preferred_username </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> displayName </td>
|
|
</tr>
|
|
<tr class="row8 roweven">
|
|
<td class="col0"> profile </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> labeledURI </td>
|
|
</tr>
|
|
<tr class="row9 rowodd">
|
|
<td class="col0"> picture </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row10 roweven">
|
|
<td class="col0"> website </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row11 rowodd">
|
|
<td class="col0"> email </td><td class="col1"> email </td><td class="col2">string </td><td class="col3"> mail </td>
|
|
</tr>
|
|
<tr class="row12 roweven">
|
|
<td class="col0"> email_verified </td><td class="col1"> email </td><td class="col2">boolean </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row13 rowodd">
|
|
<td class="col0"> gender </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row14 roweven">
|
|
<td class="col0"> birthdate </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row15 rowodd">
|
|
<td class="col0"> zoneinfo </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row16 roweven">
|
|
<td class="col0"> locale </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> preferredLanguage </td>
|
|
</tr>
|
|
<tr class="row17 rowodd">
|
|
<td class="col0"> phone_number </td><td class="col1"> phone </td><td class="col2">string </td><td class="col3"> telephoneNumber </td>
|
|
</tr>
|
|
<tr class="row18 roweven">
|
|
<td class="col0"> phone_number_verified </td><td class="col1"> phone </td><td class="col2">boolean </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row19 rowodd">
|
|
<td class="col0"> updated_at </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
|
|
</tr>
|
|
<tr class="row20 roweven">
|
|
<td class="col0"> formatted </td><td class="col1"> address </td><td class="col2">string </td><td class="col3"> registeredAddress </td>
|
|
</tr>
|
|
<tr class="row21 rowodd">
|
|
<td class="col0"> street_address </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> street </td>
|
|
</tr>
|
|
<tr class="row22 roweven">
|
|
<td class="col0"> locality </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> l </td>
|
|
</tr>
|
|
<tr class="row23 rowodd">
|
|
<td class="col0"> region </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> st </td>
|
|
</tr>
|
|
<tr class="row24 roweven">
|
|
<td class="col0"> postal_code </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> postalCode </td>
|
|
</tr>
|
|
<tr class="row25 rowodd">
|
|
<td class="col0"> country </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> co </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT12 TABLE [38-1104] -->
|
|
</div>
|
|
<!-- EDIT11 PLUGIN_INCLUDE_END "documentation:2.0:openidconnectclaims" [0-] --></div>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
So you can define for example:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> cn => name</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> sn => family_name</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> mail => email</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> uid => sub</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
|
|
<h4 id="options">Options</h4>
|
|
<div class="level4">
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Configuration</strong>:</div>
|
|
<ul>
|
|
<li class="level2"><div class="li"> <strong>Configuration endpoint</strong>: <abbr title="Uniform Resource Locator">URL</abbr> of OP configuration endpoint</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>JWKS data timeout</strong>: After this time, <abbr title="LemonLDAP::NG">LL::NG</abbr> will do a request to get a fresh version of JWKS data. Set to 0 to disable it.</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Client ID</strong>: Client ID given by OP</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Client secret</strong>: Client secret given by OP</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Store ID token</strong>: Allows one to store the ID token (JWT) inside user session. Don't enable it unless you need to replay this token on an application, or if you need the id_token_hint parameter when using logout.</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Protocol</strong>:</div>
|
|
<ul>
|
|
<li class="level2"><div class="li"> <strong>Scope</strong>: Value of scope parameter (example: openid profile). The <code>openid</code> scope is mandatory.</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Display</strong>: Value of display parameter (example: page)</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Prompt</strong>: Value of prompt parameter (example: consent)</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Max age</strong>: Value of max_age parameter (example: 3600)</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>UI locales</strong>: Value of ui_locales parameter (example: en-<abbr title="Gigabyte">GB</abbr> en fr-FR fr)</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>ACR values</strong>: Value acr_values parameters (example: loa-1)</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Token endpoint authentication method</strong>: Choice between <code>client_secret_post</code> and <code>client_secret_basic</code></div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Check JWT signature</strong>: Set to 0 to disable JWT signature checking</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>ID Token max age</strong>: If defined, <abbr title="LemonLDAP::NG">LL::NG</abbr> will check the date of ID token and refuse it if it is too old</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Use Nonce</strong>: If enabled, a nonce will be sent, and verified from the ID Token</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Display</strong>:</div>
|
|
<ul>
|
|
<li class="level2"><div class="li"> <strong>Display name</strong>: Name of the application</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Logo</strong>: Logo of the application</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> <strong>Order</strong>: Number to sort buttons</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT9 SECTION "Declare the OpenID Connect Provider in LL::NG" [3423-] --></div>
|
|
</body>
|
|
</html>
|