This repository has been archived by the owner on Jul 31, 2023. It is now read-only.
Merge pull request nokia#5 from skylineos/feature/unknown-discovery-endpoint-support

discovery_override added to schema, README update and utils.get_optio…
Brian Andress authored Jan 28, 2020
2 parents 5ed8692 + acd9ab2 commit f05fe3b
Showing 4 changed files with 133 additions and 55 deletions.
55 changes: 38 additions & 17 deletions README.md
Expand Up @@ -67,23 +67,44 @@ You also need to set the `KONG_PLUGINS` environment variable

### Parameters

| Parameter | Default | Required | description |
| --- | --- | --- | --- |
| `name` || true | plugin name, has to be `oidc` |
| `config.client_id` || true | OIDC Client ID |
| `config.client_secret` || true | OIDC Client secret |
| `config.discovery` | https://.well-known/openid-configuration | false | OIDC Discovery Endpoint (`/.well-known/openid-configuration`) |
| `config.scope` | openid | false| OAuth2 Token scope. To use OIDC it has to contains the `openid` scope. Note if using `refresh_token` grant then include `offline_access` as a scope. |
| `config.ssl_verify` | false | false | Enable SSL verification to OIDC Provider |
| `config.session_secret` | | false | Additional parameter, which is used to encrypt the session cookie. Needs to be random |
| `config.introspection_endpoint` | | false | Token introspection endpoint |
| `config.timeout` | | false | OIDC endpoint calls timeout |
| `config.introspection_endpoint_auth_method` | client_secret_basic | false | Token introspection auth method. resty-openidc supports `client_secret_(basic|post)` |
| `config.bearer_only` | no | false | Only introspect tokens without redirecting |
| `config.realm` | kong | false | Realm used in WWW-Authenticate response header |
| `config.logout_path` | /logout | false | Absolute path used to logout from the OIDC RP |
| `config.redirect_uri` || true | URI (absolute, e.g. http://website.com) to which authorization code is sent back from OIDC Provider |
| `config.prompt`|| false | Valid values include `none`, `login`, `consent` and/or `select_account`. Note if using `refresh_token` grant then `consent` is required. See [https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) |
| Parameter | Default | Required | description |
| ------------------------------------------- | ---------------------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `name` | | true | plugin name, has to be `oidc` |
| `config.client_id` | | true | OIDC Client ID |
| `config.client_secret` | | true | OIDC Client secret |
| `config.discovery` | https://.well-known/openid-configuration | true | OIDC Discovery Endpoint (`/.well-known/openid-configuration`) |
| `config.discovery_override` | | false | This is a **map** type with multiple properties. See [Discovery Override](#discovery-override) below. |
| `config.scope` | openid | false | OAuth2 Token scope. To use OIDC it has to contains the `openid` scope. Note if using `refresh_token` grant then include `offline_access` as a scope. |
| `config.ssl_verify` | false | false | Enable SSL verification to OIDC Provider |
| `config.session_secret` | | false | Additional parameter, which is used to encrypt the session cookie. Needs to be random |
| `config.introspection_endpoint` | | false | Token introspection endpoint |
| `config.timeout` | | false | OIDC endpoint calls timeout |
| `config.introspection_endpoint_auth_method` | client_secret_basic | false | Token introspection auth method. resty-openidc supports `client_secret_(basic|post)` |
| `config.bearer_only` | no | false | Only introspect tokens without redirecting |
| `config.realm` | kong | false | Realm used in WWW-Authenticate response header |
| `config.logout_path` | /logout | false | Absolute path used to logout from the OIDC RP |
| `config.redirect_uri` | | true | URI (absolute, e.g. http://website.com) to which authorization code is sent back from OIDC Provider |
| `config.prompt` | | false | Valid values include `none`, `login`, `consent` and/or `select_account`. Note if using `refresh_token` grant then `consent` is required. See [https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) |

#### Discovery Override

The following properties should be used if the **Discovery Endpoint** of the OIDC IDP is not available and/or known.

The descriptions for the following parameters were referenced from the following websites:
* [OpenId.net](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
* [IdentityServer4](http://docs.identityserver.io/en/latest/index.html)
* **Note:** this is not the standard creator for OIDC but does provide valid descriptions and detail regarding purpose of endpoints.

| Parameter | Required | Description |
| ------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `config.discovery.authorization_endpoint` | true | URL of the OP's OAuth 2.0 Authorization Endpoint. |
| `config.discovery.token_endpoint` | true | URL of the OP's OAuth 2.0 Token Endpoint. This is REQUIRED unless only the Implicit Flow is used. |
| `config.discovery.userinfo_endpoint` | true | RECOMMENDED. URL of the OP's UserInfo Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. |
| `config.discovery.jwks_uri` | true | REQUIRED. URL of the OP's JSON Web Key Set document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. |
| `config.discovery.revocation_endpoint` | true | This endpoint allows revoking access tokens (reference tokens only) and refresh token. |
| `config.discovery.issuer` | true | REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported, this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. |
| `config.discovery.introspection_endpoint` | false | It can be used to validate reference tokens (or JWTs if the consumer does not have support for appropriate JWT or cryptographic libraries). |
| `config.discovery.end_session_endpoint` | false | The end session endpoint can be used to trigger single sign-out. |

### Enabling
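
Review bot: The parameter names in the new Discovery Override table do not match the map they document. The Parameters table introduces the map as `config.discovery_override`, but every row in the override table is written as `config.discovery.<endpoint>` (for example `config.discovery.authorization_endpoint`), which collides with the existing string parameter `config.discovery`; rename the rows to `config.discovery_override.authorization_endpoint` and so on. Two related inconsistencies in the same hunk: `config.discovery` is now marked `true` under Required even though it keeps a default and the new section exists precisely for the case where the discovery endpoint is not available, so one of the two should change; and the Required column disagrees with the descriptions it sits next to (`userinfo_endpoint` is `true` but described as RECOMMENDED, `token_endpoint` is `true` but described as required only when the Implicit Flow is not the sole flow, `revocation_endpoint` is `true` although its description is IdentityServer-specific and the OpenID Provider Metadata section cited does not define it). Because these override values replace what would otherwise be fetched from the IdP, the section should also state that the `issuer` and `jwks_uri` given here become what the plugin trusts for `iss` and signature validation, so operators must take them from the IdP's own documentation rather than infer them. Finally, the `**Note:**` bullet renders as a third source; indent it under the IdentityServer item.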

