oidc.rdoc

doc/oidc.rdoc
Last Update: 2024-10-27 06:27:40 +0000

Documentation for Open ID Connect feature

The oidc feature implements the functionality required from an OpenID Connect identity provider.

openid.net/specs/openid-connect-core-1_0.html

This feature depends on the rodauth account_expiration feature, as well as the oauth_jwt, oauth_jwt_jwks, oauth_authorization_code_grant and oauth_implicit_grant features.

Value Methods

oauth_jwt_subject_type

JWT subject claim type, "public" by default.

oauth_jwt_subject_secret

hashing secret to use when subject claim type is “pairwise”, nil by default.

oauth_application_scopes

overwrites the default to ["openid"].

oauth_grants_nonce_column

db column where an authorization nonce is stored, :nonce by default.

oauth_grants_acr_column

db column where an authorization acr values are stored, :acr by default.

oauth_grants_claims_locales_column

db column where an authorization claims locales are stored, :claims_locales by default.

oauth_grants_claims_column

db column where an authorization claims are stored, :claims by default.

oauth_applications_application_type_column

db colummn where the application type is stored.

oauth_applications_sector_identifier_uri_column

db colummn where the sector identifier uri is stored.

oauth_applications_initiate_login_uri_column

db colummn where the initiate login uri is stored.

oauth_applications_subject_type_column

db column where to store the type of subject claim used for the oauth application, :subject_type by default.

oauth_applications_id_token_encrypted_response_alg_column

db column where to store the encryption algorithm used for the id token for the oauth application, :id_token_encrypted_response_alg by default.

oauth_applications_id_token_encrypted_response_enc_column

db column where to store the encryption method used for the id token for the oauth application, :id_token_encrypted_response_enc by default.

oauth_applications_id_token_signed_response_alg_column

db column where to store the signing algorithm used for the id token for the oauth application, :id_token_signed_response_alg by default.

oauth_applications_userinfo_encrypted_response_alg_column

db column where to store the encryption algorithm used for the userinfo response payload for the oauth application, :userinfo_encrypted_response_alg by default.

oauth_applications_userinfo_encrypted_response_enc_column

db column where to store the encryption method used for the userinfo response payload for the oauth application, :userinfo_encrypted_response_enc by default.

oauth_applications_userinfo_signed_response_alg_column

db column where to store the signing algorithm used for the userinfo response payload for the oauth application, :userinfo_signed_response_alg by default.

oauth_invalid_scope_message

overwrites the default to "The Access Token expired"

userinfo_route

the route for the userinfo action, defaults to userinfo.

userinfo_signing_alg_values_supported

Supported JWS algorithms for signing userinfo response (when JWT-serialized).

userinfo_encryption_alg_values_supported

Supported JWE algorithms for encrypting userinfo response (when JWT-serialized).

userinfo_encryption_enc_values_supported

Supported JWE encryption methods for encrypting userinfo response (when JWT-serialized).

request_object_signing_alg_values_supported

Supported JWS algorithms for signing request objects sent to the provider.

request_object_encryption_alg_values_supported

Supported JWE algorithms for encrypting request objects sent to the provider.

request_object_encryption_enc_values_supported

Supported JWE encryption methods for encrypting request objects sent to the provider.

oauth_acr_values_supported

list of ACR values supported by the provider

oauth_prompt_login_cookie_key

try prompt cookie key.

oauth_prompt_login_cookie_options

prompt cookie options.

oauth_prompt_login_interval

prompt cookie lifetime (5 minutes by default); can be set to nil in order not to set cookie “Expires”.

Auth methods

fill_with_account_claims

adds normals claims (“name”, “given_name”…); can be overriden to add aggregated and distributed claims.

get_oidc_param

returns the value for an OpenID connect claim (such as “email”, “name”, “phone_number”, etc…)

get_additional_param

sets the values for additional scopes.

get_oidc_account_last_login_at

returns the timestamp for an account’s last login (used to get the ‘“auth_time”` OIDC claim)

oidc_authorize_on_prompt_none?

whether to allow authorization when “prompt=none”, false by default.

require_acr_value_phr

called before authorization request if “phr” in acr values, will request 2-factor authentication if any such ‘rodauth` feature is loaded.

require_acr_value_phrh

called before authorization request if “phrh” in acr values, will request webauthn authentication if ‘webauthn` feature from rodauth is loaded.

require_acr_value

called before authorization request with each acr value, does nothing by default.

json_webfinger_payload

returns the JSON payload from the webfinger response.

before_userinfo_route

Run arbitrary code before the userinfo route.