File: openidconnectservice.html

Package: lemonldap-ng 1.9.7-3+deb9u2 (Debian stretch, main)
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:1.9:openidconnectservice</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,openidconnectservice"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="openidconnectservice.html"/>
<link rel="contents" href="openidconnectservice.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:openidconnectservice","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#rewrite_rules">Rewrite rules</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level2"><div class="li"><a href="#nginx">Nginx</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#service_configuration">Service configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#issuer_identifier">Issuer identifier</a></div></li>
<li class="level2"><div class="li"><a href="#end_points">End points</a></div></li>
<li class="level2"><div class="li"><a href="#authentication_context">Authentication context</a></div></li>
<li class="level2"><div class="li"><a href="#security">Security</a></div></li>
<li class="level2"><div class="li"><a href="#sessions">Sessions</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#key_rotation_script">Key rotation script</a></div></li>
<li class="level1"><div class="li"><a href="#session_management">Session management</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="openid_connect_service_configuration">OpenID Connect service configuration</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "OpenID Connect service configuration" [1-52] -->
<h2 class="sectionedit2" id="rewrite_rules">Rewrite rules</h2>
<div class="level2">

</div>
<!-- EDIT2 SECTION "Rewrite rules" [53-79] -->
<h3 class="sectionedit3" id="apache">Apache</h3>
<div class="level3">

<p>
Be sure that mod_rewrite is installed and that OpenID Connect rewrite rules are activated in <a href="configlocation.html#portal" class="wikilink1" title="documentation:1.9:configlocation">Apache portal configuration</a>:
</p>
<pre class="code file apache">    <span class="co1"># OpenID Connect Issuer</span>
    &lt;<span class="kw3">IfModule</span> mod_rewrite.c&gt;
        <span class="kw1">RewriteEngine</span> <span class="kw2">On</span>
        <span class="co1">#RewriteCond %{HTTP:Authorization} .</span>
        <span class="co1">#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]</span>
        <span class="kw1">RewriteRule</span> ^/oauth2/.* /index.pl
        <span class="kw1">RewriteRule</span> ^/.well-known/openid-configuration$ /openid-configuration.pl
    &lt;/<span class="kw3">IfModule</span>&gt;</pre>
<div class="notetip">Uncomment the two rewrite rules on the Authorization header if you only have CGI enabled in your Apache server; otherwise the header does not reach the portal script.
</div>
</div>
<!-- EDIT3 SECTION "Apache" [80-735] -->
<h3 class="sectionedit4" id="nginx">Nginx</h3>
<div class="level3">

<p>
Be sure that OpenID Connect rewrite rules are activated in the <a href="configlocation.html#portal1" class="wikilink1" title="documentation:1.9:configlocation">Nginx portal configuration</a>:
</p>
<pre class="code file nginx">  # OpenID Connect Issuer
  rewrite ^/oauth2/.* /index.pl last;
  rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;</pre>

</div>
<!-- EDIT4 SECTION "Nginx" [736-1025] -->
<h2 class="sectionedit5" id="service_configuration">Service configuration</h2>
<div class="level2">

<p>
Go to the Manager and click on the <code>OpenID Connect Service</code> node.
</p>

</div>
<!-- EDIT5 SECTION "Service configuration" [1026-1121] -->
<h3 class="sectionedit6" id="issuer_identifier">Issuer identifier</h3>
<div class="level3">

<p>
Set the issuer identifier, which should be the portal <abbr title="Uniform Resource Locator">URL</abbr>.
</p>

<p>
For example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com"  rel="nofollow">http://auth.example.com</a>
</p>

</div>
<!-- EDIT6 SECTION "Issuer identifier" [1122-1248] -->
<h3 class="sectionedit7" id="end_points">End points</h3>
<div class="level3">

<p>
Names of the different OpenID Connect endpoints. You can keep the default values unless you have a specific need to change them.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authorization</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Token</strong></div>
</li>
<li class="level1"><div class="li"> <strong>User Info</strong></div>
</li>
<li class="level1"><div class="li"> <strong>JWKS</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Registration</strong></div>
</li>
<li class="level1"><div class="li"> <strong>End of session</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Check Session</strong></div>
</li>
</ul>
<div class="notetip">The end points are published in the JSON metadata document served at <code>/.well-known/openid-configuration</code>.
</div>
</div>
<!-- EDIT7 SECTION "End points" [1249-1598] -->
<h3 class="sectionedit8" id="authentication_context">Authentication context</h3>
<div class="level3">

<p>
Here you can map an authentication context to an authentication level.
</p>

</div>
<!-- EDIT8 SECTION "Authentication context" [1599-1710] -->
<h3 class="sectionedit9" id="security">Security</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Keys</strong>: define the public/private key pair used for asymmetric signatures</div>
</li>
<li class="level1"><div class="li"> <strong>Signing Key ID</strong>: ID of the signing key, published as <code>kid</code> in the JWKS</div>
</li>
<li class="level1"><div class="li"> <strong>Dynamic Registration</strong>: Set to 1 to allow clients to register themselves. This may be a security risk, as each registration request creates a new configuration in the backend. You can limit this by protecting the registration end point in the web server with an authentication module and giving the credentials to clients.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorization Code flow</strong>: Set to 1 to allow Authorization Code flow</div>
</li>
<li class="level1"><div class="li"> <strong>Implicit flow</strong>: Set to 1 to allow Implicit flow</div>
</li>
<li class="level1"><div class="li"> <strong>Hybrid flow</strong>: Set to 1 to allow Hybrid flow</div>
</li>
</ul>

</div>
<!-- EDIT9 SECTION "Security" [1711-2361] -->
<h3 class="sectionedit10" id="sessions">Sessions</h3>
<div class="level3">

<p>
It is recommended to use a separate sessions storage for OpenID Connect sessions; otherwise they will be stored in the main sessions storage.
</p>

</div>
<!-- EDIT10 SECTION "Sessions" [2362-2516] -->
<h2 class="sectionedit11" id="key_rotation_script">Key rotation script</h2>
<div class="level2">

<p>
The OpenID Connect specification allows signing keys to be rotated to improve security. <abbr title="LemonLDAP::NG">LL::NG</abbr> provides a script to do this, which should be run from a cron job.
</p>

<p>
The script is <code>/usr/share/lemonldap-ng/bin/rotateOidcKeys</code>. It can be run, for example, every week:
</p>
<pre class="file">5 5 * * 6 www-data /usr/share/lemonldap-ng/bin/rotateOidcKeys</pre>
<div class="notetip">Run the cron job as the correct Apache user, otherwise the generated configuration will not be readable by <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
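<p>
The checks a client should make against the issuer identifier, the published end points and the signing keys configured in the sections above, as an added example in Python that is not part of LL::NG: the discovery document must carry exactly the configured issuer identifier, every published end point must live on the issuer's origin, and the JWKS must be re-read when an ID token arrives with a Signing Key ID (<code>kid</code>) the client has not seen yet, which is what a client observes after <code>rotateOidcKeys</code> has run. The discovery and JWKS documents, the endpoint paths and the <code>kid</code> values are constructed for this example; the metadata field names are the standard OpenID Connect Discovery names.
</p>

```python
"""Check an OpenID Connect provider's discovery metadata and handle a
signing-key rotation the way a relying party should.  Added example, not
LL::NG code; every document below is constructed, not fetched."""
import json
from urllib.parse import urlsplit

# Metadata names from OpenID Connect Discovery, in the order of the
# Manager's "End points" list.
ENDPOINT_KEYS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "registration_endpoint",
    "end_session_endpoint",
    "check_session_iframe",
)

# Constructed answer of /.well-known/openid-configuration for a portal whose
# issuer identifier is http://auth.example.com (the path names are made up).
DISCOVERY_OK = json.dumps({
    "issuer": "http://auth.example.com",
    "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
    "token_endpoint": "http://auth.example.com/oauth2/token",
    "userinfo_endpoint": "http://auth.example.com/oauth2/userinfo",
    "jwks_uri": "http://auth.example.com/oauth2/jwks",
    "registration_endpoint": "http://auth.example.com/oauth2/register",
    "end_session_endpoint": "http://auth.example.com/oauth2/logout",
    "check_session_iframe": "http://auth.example.com/oauth2/checksession",
})

# Constructed document with two defects: the issuer carries a trailing slash
# (it must match the configured value byte for byte) and the token endpoint
# lives on another host, which would send the client's credentials elsewhere.
DISCOVERY_BAD = json.dumps({
    "issuer": "http://auth.example.com/",
    "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
    "token_endpoint": "http://other.example.net/oauth2/token",
    "userinfo_endpoint": "http://auth.example.com/oauth2/userinfo",
    "jwks_uri": "http://auth.example.com/oauth2/jwks",
})


def check_discovery(raw_json, expected_issuer):
    """Return the list of problems found; an empty list means the metadata
    is acceptable for expected_issuer.  A client should refuse the provider
    if the list is not empty."""
    doc = json.loads(raw_json)
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer %r differs from expected %r"
                        % (doc.get("issuer"), expected_issuer))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append("endpoint %s missing" % key)
    origin = urlsplit(expected_issuer)[:2]          # (scheme, host[:port])
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is not None and urlsplit(url)[:2] != origin:
            problems.append("%s %r is not on the issuer's origin" % (key, url))
    return problems


# Constructed JWKS documents before and after a rotation.  Key material is a
# placeholder; only the 'kid' values matter here.  The rotated set still
# lists the previous key so ID tokens issued just before the rotation keep
# verifying (a choice made for this example, not a statement about LL::NG).
JWKS_BEFORE = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2017-01",
     "n": "PLACEHOLDER", "e": "AQAB"},
]})
JWKS_AFTER = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2017-02",
     "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2017-01",
     "n": "PLACEHOLDER", "e": "AQAB"},
]})


class KeyStore:
    """Caches the JWKS and reloads it once when an unknown 'kid' shows up,
    which is what a client sees right after the weekly rotation."""

    def __init__(self, fetch_jwks):
        self._fetch = fetch_jwks        # callable returning the JWKS text
        self._keys = {}
        self.fetch_count = 0
        self._reload()

    def _reload(self):
        self.fetch_count += 1
        keys = json.loads(self._fetch())["keys"]
        self._keys = {k["kid"]: k for k in keys if k.get("use", "sig") == "sig"}

    def get(self, kid):
        """Signing key for kid, or None if unknown even after one reload."""
        if kid not in self._keys:
            self._reload()
        return self._keys.get(kid)


def simulate_rotation():
    """Cache the old JWKS, rotate, then look up the new, the old and a bogus
    kid.  Returns (new_found, old_found, bogus_key, number_of_fetches)."""
    served = {"jwks": JWKS_BEFORE}
    store = KeyStore(lambda: served["jwks"])
    served["jwks"] = JWKS_AFTER                        # the cron job rotated the keys
    new_found = store.get("key-2017-02") is not None   # unknown kid: one reload
    old_found = store.get("key-2017-01") is not None   # still published, no reload
    bogus_key = store.get("key-0000-00")               # reload again, then None
    return new_found, old_found, bogus_key, store.fetch_count
```

<p>
<code>check_discovery(DISCOVERY_OK, "http://auth.example.com")</code> returns an empty list, the defective document yields two problems, and <code>simulate_rotation()</code> returns <code>(True, True, None, 3)</code>: the new key is found after one reload, the previous key stays usable, and a bogus <code>kid</code> costs exactly one more fetch before it is rejected, so a flood of tokens with unknown key IDs cannot turn the client into a JWKS request amplifier.
</p>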
</div>
<!-- EDIT11 SECTION "Key rotation script" [2517-2990] -->
<h2 class="sectionedit12" id="session_management">Session management</h2>
<div class="level2">

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> implements the change notification as defined here: <a href="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification" class="urlextern" title="http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification"  rel="nofollow">http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a>
</p>

<p>
A <code>changed</code> state is sent if the user has logged out of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (or has deleted its <abbr title="Single Sign On">SSO</abbr> cookie). Otherwise the <code>unchanged</code> state is returned.
</p>
<div class="notetip">For this to work, the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie must be readable from JavaScript (the <code>httpOnly</code> option must be set to <code>0</code>). This removes the cookie's protection against script access, so weigh it against the need for session change notification.
</div>
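<p>
The check-session exchange described above, modelled in Python as an added example that is not part of LL::NG: the relying party's iframe posts <code>client_id session_state</code>, and the provider's iframe recomputes the session state from the current SSO cookie value and answers <code>unchanged</code>, <code>changed</code> or <code>error</code>. The hash construction follows the example algorithm of the OpenID Connect Session Management specification and is an assumption about how the state is derived, not LL::NG's actual implementation; the client identifier, origin and cookie values are constructed. In a browser the provider's iframe reads the cookie through <code>document.cookie</code>, which is why <code>httpOnly</code> must be <code>0</code>; here the cookie value is passed in as a parameter.
</p>

```python
"""Model of the OpenID Connect Session Management check-session exchange.
Added example: the hashing follows the specification's example algorithm and
is an assumption about how the state is derived; it is not LL::NG code.
All identifiers, origins and cookie values below are constructed."""
import hashlib
import secrets


def compute_session_state(client_id, origin, op_browser_state, salt):
    """Session state the provider hands out with the authorization response:
    SHA-256 over 'client_id origin opbs salt' with '.salt' appended, so the
    provider's iframe can repeat the calculation later.  The OP browser
    state is modelled as the SSO cookie value (an assumption)."""
    material = "%s %s %s %s" % (client_id, origin, op_browser_state, salt)
    return hashlib.sha256(material.encode("utf-8")).hexdigest() + "." + salt


def issue_session_state(client_id, origin, sso_cookie):
    """Called by the provider when it answers an authorization request."""
    return compute_session_state(client_id, origin, sso_cookie,
                                 secrets.token_hex(8))


def check_session(message, origin, sso_cookie):
    """Logic of the provider's check-session iframe.

    message    : text the RP iframe posted, 'client_id session_state'
    origin     : origin of the RP frame that posted it (event.origin)
    sso_cookie : current SSO cookie value read from document.cookie, or
                 None when the cookie is gone
    Returns 'unchanged', 'changed' or 'error'.
    """
    try:
        client_id, session_state = message.split(" ", 1)
        salt = session_state.rsplit(".", 1)[1]
    except (ValueError, IndexError):
        return "error"            # malformed message: answer nothing useful
    if not client_id or not salt:
        return "error"
    if sso_cookie is None:
        return "changed"          # user logged out or deleted the cookie
    expected = compute_session_state(client_id, origin, sso_cookie, salt)
    return "unchanged" if expected == session_state else "changed"


def walk_through():
    """RP/provider exchange for one login, then a logout, a different SSO
    session and a malformed message.  Returns the four answers."""
    client_id = "rp-app"                   # constructed RP client_id
    origin = "https://app.example.org"     # constructed RP origin
    cookie = "a1b2c3d4e5f6"                # constructed SSO cookie value
    state = issue_session_state(client_id, origin, cookie)
    message = "%s %s" % (client_id, state)
    while_logged_in = check_session(message, origin, cookie)
    after_logout = check_session(message, origin, None)
    other_session = check_session(message, origin, "ffffffffffff")
    malformed = check_session("no-space-here", origin, cookie)
    return while_logged_in, after_logout, other_session, malformed
```

<p>
<code>walk_through()</code> returns <code>("unchanged", "changed", "changed", "error")</code>: the state only verifies while the same SSO cookie is present, a deleted cookie or a different session both report <code>changed</code>, and a message that does not parse is answered with <code>error</code> rather than with any information about the current session.
</p>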
</div>
<!-- EDIT12 SECTION "Session management" [2991-] --></div>
</body>
</html>