Documentation for Open ID Connect feature¶ ↑
The oidc
feature implements the functionality required from an OpenID Connect identity provider.
openid.net/specs/openid-connect-core-1_0.html
This feature depends on the rodauth account_expiration feature, as well as the oauth_jwt, oauth_jwt_jwks, oauth_authorization_code_grant and oauth_implicit_grant features.
Value Methods¶ ↑
oauth_jwt_subject_type |
JWT subject claim type, |
oauth_jwt_subject_secret |
hashing secret to use when subject claim type is “pairwise”, |
oauth_application_scopes |
overwrites the default to |
oauth_grants_nonce_column |
db column where an authorization nonce is stored, |
oauth_grants_acr_column |
db column where an authorization acr values are stored, |
oauth_grants_claims_locales_column |
db column where an authorization claims locales are stored, |
oauth_grants_claims_column |
db column where an authorization claims are stored, |
oauth_applications_application_type_column |
db colummn where the application type is stored. |
oauth_applications_sector_identifier_uri_column |
db colummn where the sector identifier uri is stored. |
oauth_applications_initiate_login_uri_column |
db colummn where the initiate login uri is stored. |
oauth_applications_subject_type_column |
db column where to store the type of subject claim used for the oauth application, |
oauth_applications_id_token_encrypted_response_alg_column |
db column where to store the encryption algorithm used for the id token for the oauth application, |
oauth_applications_id_token_encrypted_response_enc_column |
db column where to store the encryption method used for the id token for the oauth application, |
oauth_applications_id_token_signed_response_alg_column |
db column where to store the signing algorithm used for the id token for the oauth application, |
oauth_applications_userinfo_encrypted_response_alg_column |
db column where to store the encryption algorithm used for the userinfo response payload for the oauth application, |
oauth_applications_userinfo_encrypted_response_enc_column |
db column where to store the encryption method used for the userinfo response payload for the oauth application, |
oauth_applications_userinfo_signed_response_alg_column |
db column where to store the signing algorithm used for the userinfo response payload for the oauth application, |
oauth_invalid_scope_message |
overwrites the default to |
userinfo_route |
the route for the userinfo action, defaults to |
userinfo_signing_alg_values_supported |
Supported JWS algorithms for signing userinfo response (when JWT-serialized). |
userinfo_encryption_alg_values_supported |
Supported |
userinfo_encryption_enc_values_supported |
Supported |
request_object_signing_alg_values_supported |
Supported JWS algorithms for signing request objects sent to the provider. |
request_object_encryption_alg_values_supported |
Supported |
request_object_encryption_enc_values_supported |
Supported |
oauth_acr_values_supported |
list of ACR values supported by the provider |
oauth_prompt_login_cookie_key |
try prompt cookie key. |
oauth_prompt_login_cookie_options |
prompt cookie options. |
oauth_prompt_login_interval |
prompt cookie lifetime (5 minutes by default); can be set to |
Auth methods¶ ↑
fill_with_account_claims |
adds normals claims (“name”, “given_name”…); can be overriden to add aggregated and distributed claims. |
get_oidc_param |
returns the value for an OpenID connect claim (such as “email”, “name”, “phone_number”, etc…) |
get_additional_param |
sets the values for additional scopes. |
get_oidc_account_last_login_at |
returns the timestamp for an account’s last login (used to get the ‘“auth_time”` OIDC claim) |
oidc_authorize_on_prompt_none? |
whether to allow authorization when “prompt=none”, |
require_acr_value_phr |
called before authorization request if “phr” in acr values, will request 2-factor authentication if any such ‘rodauth` feature is loaded. |
require_acr_value_phrh |
called before authorization request if “phrh” in acr values, will request webauthn authentication if ‘webauthn` feature from rodauth is loaded. |
require_acr_value |
called before authorization request with each acr value, does nothing by default. |
json_webfinger_payload |
returns the JSON payload from the webfinger response. |
before_userinfo_route |
Run arbitrary code before the userinfo route. |