@@ -10,8 +10,7 @@ I'll use just RP in the rest of the document but everywhere you see RP you
1010can also think Client (in the OAuth2 sense).
1111
1212The configuration parameters fall into 2 groups, one with basic information
13- that comes with being a web services and is independent of which type of
14- clien you want and who it is going to talk to.
13+ that are independent of which OpenID Provider (OP) that RP
1514
1615General configuration parameters
1716--------------------------------
@@ -44,110 +43,39 @@ httpc_params
4443 Something that happens if you run in an environment where mutual TLS is
4544 expected.
4645
47- webserver
48- Web service specific information.
46+ key_conf
47+ Definition of the private keys that all RPs are going to use in the OIDC
48+ protocol exchange.
4949
50- There might be other parameters that you need, depending on which web framework
50+ There might be other parameters that you need dependent on which web framework
5151you chose to use.
5252
5353OP/AS specific configuration parameters
5454---------------------------------------
5555
56- The first thing you have to decide on is what kind of services the RP will use.
57- The possible set is:
58-
59- webfinger
60- Using the webfinger protocol as described in section 2 of
61- `openid discovery `_ . The original ide was that users would enter
62- a user identifier (which may look like an email address). The system
63- would then use that identifier and the webfinger protocol to figure out
64- which OP it should use to authenticate the user. In reality this didn't
65- fly. You may exist in an environment where this might work but I wouldn't bet
66- on it.
67-
68- discovery
69- Described in `openid discovery `_ . This is about discovering what an
70- OP/AS can do.
71-
72- registration
73- Described in `client registration `_ . Dynamic client registration. Not
74- normally allowed by the big providers.
75-
76- accesstoken
77- Described in `OIDC code `_ . How a client can exchange a authorization code
78- for an access token.
79-
80- refresh_token
81- Described in `OIDC code `_ . How a client can use a refresh token to get a
82- new access token.
83-
84- userinfo
85- Described in `OIDC code `_ . How a client can use an access token to get
86- up-to-date information about a user.
87-
88- end_session
89- Described in `Session management `_ , `Front channel logout `_ and
90- `Back channel logout `_ . How a user can log out of sessions created at
91- one or more OPs
92-
93- The default services if you have an OAuth2 client are::
94-
95- "discovery": {
96- "class": "idpyoidc.client.oauth2.provider_info_discovery.ProviderInfoDiscovery"},
97- "authorization": {
98- "class": "idpyoidc.client.oauth2.authorization.Authorization"},
99- "access_token": {
100- "class": "idpyoidc.client.oauth2.access_token.AccessToken"},
101- "refresh_access_token": {
102- "class": "idpyoidc.client.oauth2.refresh_access_token.RefreshAccessToken"}
103-
104- If you run an OIDC RP it's ::
105-
106- "discovery": {
107- "class": "idpyoidc.client.oidc.provider_info_discovery.ProviderInfoDiscovery"},
108- "registration": {
109- "class": "idpyoidc.client.oidc.registration.Registration"},
110- "authorization": {
111- "class": "idpyoidc.client.oidc.authorization.Authorization"},
112- "accesstoken": {
113- "class": "idpyoidc.client.oidc.access_token.AccessToken"},
114- "refresh_token": {
115- "class": "idpyoidc.client.oidc.refresh_access_token.RefreshAccessToken"},
116- "userinfo": {
117- "class": "idpyoidc.client.oidc.userinfo.UserInfo"},
118-
119- Which services you can have are of course completely dependent on the OP/AS
120- your client will talk to.
121- Most of the big identity services support dynamic discovery but there the
122- similarities end. Among the Certified OpenID Providers, Google for instance supports:
123-
124- - discovery
125- - authorization
126- - accesstoken
127- - refresh_token
128- - userinfo
129-
130- Microsoft only:
131-
132- - discovery
133- - authorization
134-
135- Other identity provider like LinkedIn, Github, Facebook and such do not
136- support OIDC at all but rather some OAuth2/OIDC bastard. Still if you want to use
137- this software package to access non-OIDC identity provider it can be done.
138-
139- .. _OIDC code : https://openid.net/specs/openid-connect-core-1_0.html
140- .. _openid discovery : https://openid.net/specs/openid-connect-discovery-1_0.html
141- .. _client registration : https://openid.net/specs/openid-connect-registration-1_0.html
142- .. _Session management : https://openid.net/specs/openid-connect-session-1_0.html
143- .. _Front channel logout : https://openid.net/specs/openid-connect-frontchannel-1_0.html
144- .. _Back channel logout : https://openid.net/specs/openid-connect-backchannel-1_0.html
56+ The client configuration is keyed to an OP/AS name. This name should
57+ be something human readable it does not have to in anyway be linked to the
58+ issuer ID of the OP/AS.
59+
60+ The key **"" ** (the empty string) is chosen to represent all OP/ASs that
61+ are dynamically discovered.
62+
63+ Disregarding if doing everything dynamically or statically you **MAY **
64+ define which services the RP/Client should be able to use.
65+ If you don't the default set it used.
66+ The default set consists of the discovery, authorization, access_token and
67+ refresh_access_token services if we're talking OAuth2 and the discovery,
68+ registration, authorization, access_token, refresh_access_token and
69+ userinfo services if we are talking OIDC.
70+
71+ services
72+ A specification of the usable services which possible changes to the
73+ default configuration of those service.
14574
14675Static configuration
14776....................
14877
149- If you have done manual client registration with the OP administrator,
150- you will have to fill in these:
78+ If you have done manual client registration you will have to fill in these:
15179
15280client_id
15381 The client identifier.
@@ -166,56 +94,31 @@ behaviour
16694 a set of attributes with values. The attributes taken from the
16795 `client metadata `_ specification. *behaviour * is used when the client
16896 has been registered statically and it is know what the client wants to
169- use and what the OP supports.
97+ use and the OP supports.
17098
171- Example ::
99+ Usage example ::
172100
173101 "behaviour": {
174102 "response_types": ["code"],
175103 "scope": ["openid", "profile", "email"],
176- "token_endpoint_auth_method": "client_secret_basic"
104+ "token_endpoint_auth_method": ["client_secret_basic",
105+ 'client_secret_post']
177106 }
178107
179108
180109
181110Dynamic Configuration
182111.....................
183112
184- If the client is expected to do dynamic registration and
185- provider info discovery is also done dynamically you need these:
186-
187- metadata
188- Information about how the RP should behave towards the OP/AS. This is
189- a set of attributes with values. The attributes taken from the
190- `client metadata `_ specification. There might be extra attributes dependent
191- on which OIDC/OAuth2 extensions that are used.
192- This is exactly what you want the client to use when registering with the
193- OP/AS.
113+ If the provider info discovery is done dynamically you need these
194114
195- Example::
196-
197- "metadata": {
198- "application_type": "web",
199- "contacts": ["ops@example.com"],
200- "response_types": ["code"],
201- "redirect_uris": ["https://{domain}:{port}/cb"]
202- }
203-
204- usage
205- In some case you want to be have options on which values to register.
206- If so, the dependency is on the OP/AS since at the
115+ client_preferences
116+ How the RP should prefer to behave against the OP/AS. The content are the
117+ same as for *behaviour *. The difference is that this is specified if the
118+ RP is expected to do dynamic client registration which means that at the
207119 point of writing the configuration it is only known what the RP can and
208120 wants to do but unknown what the OP supports.
209121
210- Example::
211-
212- "usage": {
213- "scope": ["openid","profile","email","address","phone"],
214- "token_endpoint_auth_methods": ["client_secret_basic",
215- "client_secret_post"],
216- "jwks": true
217- }
218-
219122issuer
220123 The Issuer ID of the OP.
221124
0 commit comments