docs: refactor oidc config docs (#4892)
parent
726850fe43
commit
d1147f9ac4
|
@ -402,9 +402,6 @@ This enables the public client type for this client. This is for clients that ar
|
||||||
confidentiality of credentials, you can read more about client types in [RFC6749 Section 2.1]. This is particularly
|
confidentiality of credentials, you can read more about client types in [RFC6749 Section 2.1]. This is particularly
|
||||||
useful for SPA's and CLI tools. This option requires setting the [client secret](#secret) to a blank string.
|
useful for SPA's and CLI tools. This option requires setting the [client secret](#secret) to a blank string.
|
||||||
|
|
||||||
In addition to the standard rules for redirect URIs, public clients can use the `urn:ietf:wg:oauth:2.0:oob` redirect
|
|
||||||
URI.
|
|
||||||
|
|
||||||
#### redirect_uris
|
#### redirect_uris
|
||||||
|
|
||||||
{{< confkey type="list(string)" required="yes" >}}
|
{{< confkey type="list(string)" required="yes" >}}
|
||||||
|
@ -420,7 +417,6 @@ their redirect URIs are as follows:
|
||||||
attempt to authorize will fail and an error will be generated.
|
attempt to authorize will fail and an error will be generated.
|
||||||
2. The redirect URIs are case-sensitive.
|
2. The redirect URIs are case-sensitive.
|
||||||
3. The URI must include a scheme and that scheme must be one of `http` or `https`.
|
3. The URI must include a scheme and that scheme must be one of `http` or `https`.
|
||||||
4. The client can ignore rule 3 and use `urn:ietf:wg:oauth:2.0:oob` if it is a [public](#public) client type.
|
|
||||||
|
|
||||||
#### audience
|
#### audience
|
||||||
|
|
||||||
|
@ -434,30 +430,41 @@ A list of audiences this client is allowed to request.
|
||||||
|
|
||||||
A list of scopes to allow this client to consume. See
|
A list of scopes to allow this client to consume. See
|
||||||
[scope definitions](../../integration/openid-connect/introduction.md#scope-definitions) for more information. The
|
[scope definitions](../../integration/openid-connect/introduction.md#scope-definitions) for more information. The
|
||||||
documentation for the application you want to use with Authelia will most-likely provide you with the scopes to allow.
|
documentation for the application you are trying to configure [OpenID Connect 1.0] for will likely have a list of scopes
|
||||||
|
or claims required which can be matched with the above guide.
|
||||||
|
|
||||||
#### grant_types
|
#### grant_types
|
||||||
|
|
||||||
{{< confkey type="list(string)" default="refresh_token, authorization_code" required="no" >}}
|
{{< confkey type="list(string)" default="refresh_token, authorization_code" required="no" >}}
|
||||||
|
|
||||||
A list of grant types this client can return. *It is recommended that this isn't configured at this time unless you
|
*__Important Note:__ It is recommended that this isn't configured at this time unless you know what you're doing.*
|
||||||
know what you're doing*. Valid options are: `implicit`, `refresh_token`, `authorization_code`, `password`,
|
|
||||||
`client_credentials`.
|
The list of grant types this client is permitted to use in order to obtain access to the relevant tokens.
|
||||||
|
|
||||||
|
See the [Grant Types](../../integration/openid-connect/introduction.md#grant-types) section of the
|
||||||
|
[OpenID Connect 1.0 Integration Guide](../../integration/openid-connect/introduction.md#grant-types) for more information.
|
||||||
|
|
||||||
#### response_types
|
#### response_types
|
||||||
|
|
||||||
{{< confkey type="list(string)" default="code" required="no" >}}
|
{{< confkey type="list(string)" default="code" required="no" >}}
|
||||||
|
|
||||||
A list of response types this client can return. *It is recommended that this isn't configured at this time unless you
|
*__Important Note:__ It is recommended that this isn't configured at this time unless you know what you're doing.*
|
||||||
know what you're doing*. Valid options are: `code`, `code id_token`, `id_token`, `token id_token`, `token`,
|
|
||||||
`token id_token code`.
|
A list of response types this client supports.
|
||||||
|
|
||||||
|
See the [Response Types](../../integration/openid-connect/introduction.md#response-types) section of the
|
||||||
|
[OpenID Connect 1.0 Integration Guide](../../integration/openid-connect/introduction.md#response-types) for more information.
|
||||||
|
|
||||||
#### response_modes
|
#### response_modes
|
||||||
|
|
||||||
{{< confkey type="list(string)" default="form_post, query, fragment" required="no" >}}
|
{{< confkey type="list(string)" default="form_post, query, fragment" required="no" >}}
|
||||||
|
|
||||||
A list of response modes this client can return. It is recommended that this isn't configured at this time unless you
|
*__Important Note:__ It is recommended that this isn't configured at this time unless you know what you're doing.*
|
||||||
know what you're doing. Potential values are `form_post`, `query`, and `fragment`.
|
|
||||||
|
A list of response modes this client supports.
|
||||||
|
|
||||||
|
See the [Response Modes](../../integration/openid-connect/introduction.md#response-modes) section of the
|
||||||
|
[OpenID Connect 1.0 Integration Guide](../../integration/openid-connect/introduction.md#response-modes) for more information.
|
||||||
|
|
||||||
#### authorization_policy
|
#### authorization_policy
|
||||||
|
|
||||||
|
|
|
@ -87,6 +87,68 @@ This scope includes the profile information the authentication backend reports a
|
||||||
| preferred_username | string | username | The username the user used to login with |
|
| preferred_username | string | username | The username the user used to login with |
|
||||||
| name | string | display_name | The users display name |
|
| name | string | display_name | The users display name |
|
||||||
|
|
||||||
|
## Parameters
|
||||||
|
|
||||||
|
The following section describes advanced parameters which can be used in various endpoints as well as their related
|
||||||
|
configuration options.
|
||||||
|
|
||||||
|
### Grant Types
|
||||||
|
|
||||||
|
The following describes the various [OAuth 2.0] and [OpenID Connect 1.0] grant types and their support level. The value
|
||||||
|
field is both the required value for the `grant_type` parameter in the authorization request and the `grant_types`
|
||||||
|
configuration option.
|
||||||
|
|
||||||
|
| Grant Type | Supported | Value | Notes |
|
||||||
|
|:-----------------------------------------------:|:---------:|:----------------------------------------------:|:-------------------------------------------------------------------:|
|
||||||
|
| [OAuth 2.0 Authorization Code] | Yes | `authorization_code` | |
|
||||||
|
| [OAuth 2.0 Resource Owner Password Credentials] | No | `password` | This Grant Type has been deprecated and should not normally be used |
|
||||||
|
| [OAuth 2.0 Client Credentials] | Yes | `client_credentials` | |
|
||||||
|
| [OAuth 2.0 Implicit] | Yes | `implicit` | This Grant Type has been deprecated and should not normally be used |
|
||||||
|
| [OAuth 2.0 Refresh Token] | Yes | `refresh_token` | |
|
||||||
|
| [OAuth 2.0 Device Code] | No | `urn:ietf:params:oauth:grant-type:device_code` | |
|
||||||
|
|
|
||||||
|
|
||||||
|
[OAuth 2.0 Authorization Code]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.1
|
||||||
|
[OAuth 2.0 Implicit]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.2
|
||||||
|
[OAuth 2.0 Resource Owner Password Credentials]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.3
|
||||||
|
[OAuth 2.0 Client Credentials]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4
|
||||||
|
[OAuth 2.0 Refresh Token]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
|
||||||
|
[OAuth 2.0 Device Code]: https://datatracker.ietf.org/doc/html/rfc8628#section-3.4
|
||||||
|
|
||||||
|
### Response Types
|
||||||
|
|
||||||
|
The following describes the supported response types. See the [OAuth 2.0 Multiple Response Type Encoding Practices] for
|
||||||
|
more technical information.
|
||||||
|
|
||||||
|
| Flow Type | Values |
|
||||||
|
|:-------------------------:|:---------------------:|
|
||||||
|
| [Authorization Code Flow] | `code` |
|
||||||
|
| [Implicit Flow] | `token id_token` |
|
||||||
|
| [Implicit Flow] | `id_token` |
|
||||||
|
| [Implicit Flow] | `token` |
|
||||||
|
| [Hybrid Flow] | `code token` |
|
||||||
|
| [Hybrid Flow] | `code id_token` |
|
||||||
|
| [Hybrid Flow] | `code token id_token` |
|
||||||
|
|
||||||
|
[Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
|
||||||
|
[Implicit Flow]: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
|
||||||
|
[Hybrid Flow]: https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth
|
||||||
|
|
||||||
|
[OAuth 2.0 Multiple Response Type Encoding Practices]: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
|
||||||
|
|
||||||
|
### Response Modes
|
||||||
|
|
||||||
|
The following describes the supported response modes. See the [OAuth 2.0 Multiple Response Type Encoding Practices] for
|
||||||
|
more technical information.
|
||||||
|
|
||||||
|
| Name | Value |
|
||||||
|
|:---------------------:|:-----------:|
|
||||||
|
| Query String | `query` |
|
||||||
|
| Fragment | `fragment` |
|
||||||
|
| [OAuth 2.0 Form Post] | `form_post` |
|
||||||
|
|
||||||
|
[OAuth 2.0 Form Post]: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
|
||||||
|
|
||||||
## Authentication Method References
|
## Authentication Method References
|
||||||
|
|
||||||
Authelia currently supports adding the `amr` [Claim] to the [ID Token] utilizing the [RFC8176] Authentication Method
|
Authelia currently supports adding the `amr` [Claim] to the [ID Token] utilizing the [RFC8176] Authentication Method
|
||||||
|
|
Loading…
Reference in New Issue