oidc.rdoc

doc/oidc.rdoc
Last Update: 2023-01-10 23:21:31 +0000

Documentation for the OpenID Connect feature

The oidc feature builds on top of the oauth_jwt feature to implement an OpenID Connect identity provider.

Value Methods

oauth_acr_values_supported

list of ACR values supported by the provider.

oauth_jwt_subject_type

JWT subject claim type, "public" by default.

oauth_jwt_subject_secret

hashing secret to use when subject claim type is "pairwise", nil by default.

oauth_application_scopes

overwrites the default to ["openid"].

oauth_grants_nonce_column

db column where an authorization nonce is stored, :nonce by default.

oauth_grants_acr_column

db column where an authorization's acr values are stored, :acr by default.

oauth_grants_claims_locales_column

db column where an authorization's claims locales are stored, :claims_locales by default.

oauth_grants_claims_column

db column where an authorization's claims are stored, :claims by default.

oauth_applications_application_type_column

db column where the application type is stored.

oauth_applications_sector_identifier_uri_column

db column where the sector identifier uri is stored.

oauth_applications_subject_type_column

db column where to store the type of subject claim used for the oauth application, :subject_type by default.
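The subject type, subject secret and sector identifier settings above work together to produce the "sub" claim. The following is an added example, not rodauth-oauth's own code: it derives a public or pairwise subject following the algorithm outlined in OpenID Connect Core section 8.1 (the gem's exact hash construction may differ), with the application hashes and secret being constructed sample values.

```ruby
require "digest"
require "uri"

# Sector identifier: the host of the application's sector_identifier_uri when
# one is configured, otherwise the host of its redirect URI.
def sector_identifier(application)
  uri = application[:sector_identifier_uri] || application[:redirect_uri]
  URI.parse(uri).host
end

# Returns the "sub" claim for an account and application.
# - "public": the stable account id is exposed to every client.
# - "pairwise": a per-sector hash keyed with the provider secret, so two
#   clients in different sectors cannot correlate the same user.
# The application's own subject_type (per-application column) takes
# precedence over the provider default (oauth_jwt_subject_type).
def subject_for(account_id, application, default_subject_type: "public", subject_secret: nil)
  subject_type = application[:subject_type] || default_subject_type
  case subject_type
  when "public"
    account_id.to_s
  when "pairwise"
    # Without a secret the hash would be recomputable by anyone who knows the
    # sector host and account id, defeating the purpose of pairwise subjects.
    raise ArgumentError, "oauth_jwt_subject_secret is required for pairwise subjects" if subject_secret.nil?
    Digest::SHA256.hexdigest("#{sector_identifier(application)}#{account_id}#{subject_secret}")
  else
    raise ArgumentError, "unknown subject type #{subject_type.inspect}"
  end
end

# Constructed sample applications (not real registrations).
APP_A = { redirect_uri: "https://a.example.com/cb" }.freeze
APP_B = { redirect_uri: "https://b.example.org/cb" }.freeze
# Different redirect host, but shares APP_A's sector via sector_identifier_uri.
APP_C = { redirect_uri: "https://other.example.com/cb",
          sector_identifier_uri: "https://a.example.com/sector.json" }.freeze
# Per-application override forcing pairwise regardless of the provider default.
APP_D = { redirect_uri: "https://d.example.net/cb", subject_type: "pairwise" }.freeze
```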

oauth_applications_id_token_encrypted_response_alg_column

db column where to store the encryption algorithm used for the id token for the oauth application, :id_token_encrypted_response_alg by default.

oauth_applications_id_token_encrypted_response_enc_column

db column where to store the encryption method used for the id token for the oauth application, :id_token_encrypted_response_enc by default.

oauth_applications_id_token_signed_response_alg_column

db column where to store the signing algorithm used for the id token for the oauth application, :id_token_signed_response_alg by default.

oauth_applications_userinfo_encrypted_response_alg_column

db column where to store the encryption algorithm used for the userinfo response payload for the oauth application, :userinfo_encrypted_response_alg by default.

oauth_applications_userinfo_encrypted_response_enc_column

db column where to store the encryption method used for the userinfo response payload for the oauth application, :userinfo_encrypted_response_enc by default.

oauth_applications_userinfo_signed_response_alg_column

db column where to store the signing algorithm used for the userinfo response payload for the oauth application, :userinfo_signed_response_alg by default.

oauth_invalid_scope_message

overwrites the default to "The Access Token expired"

userinfo_route

the route for the userinfo action, defaults to userinfo.

Auth methods

get_oidc_param

returns the value for an OpenID Connect claim (such as "email", "name", "phone_number", etc.).

get_additional_param

sets the values for additional scopes.

get_oidc_account_last_login_at

returns the timestamp of an account's last login (used to produce the "auth_time" OIDC claim).

oidc_authorize_on_prompt_none?

whether to allow authorization when "prompt=none", false by default.

oauth_prompt_login_cookie_key

the prompt login cookie key.

oauth_prompt_login_cookie_options

prompt cookie options.

oauth_prompt_login_interval

prompt cookie lifetime.

require_acr_value_phr

called before the authorization request when "phr" is among the acr values; requests two-factor authentication if any such rodauth feature is loaded.

require_acr_value_phrh

called before the authorization request when "phrh" is among the acr values; requests webauthn authentication if the webauthn feature from rodauth is loaded.

require_acr_value

called before the authorization request with each acr value; does nothing by default.

json_webfinger_payload

returns the JSON payload from the webfinger response.

before_userinfo_route

Run arbitrary code before the userinfo route.