NAME
OIDC::Client::Config - Configuration Documentation
DESCRIPTION
These configuration entries apply to all framework plugins using the OIDC-Client distribution.
For direct use with the OIDC::Client module, all entries beginning with provider."provider". apply, but this prefix must be removed from the configuration entry names.
ENTRIES
default_provider
Defines the provider name to use by the framework plugin when no one has been specified in the call to the oidc($provider) method.
authentication_error_path
Relative path of the endpoint to which the browser is redirected if an error is returned by the provider during the callback to the application after an authentication attempt, if an error occurs when the token is retrieved in exchange for the code or if an error occurs when verifying the token.
From the redirection endpoint, the error message is present in error_message flash data.
If this path is not configured, an OIDC::Client::Error::Authentication error is thrown.
provider."provider".store_mode
Defines where the tokens are stored for this provider.
Possible values (session by default) :
- session
-
Stored data persists between requests until the session expires.
- stash
-
Stored data can only be accessed in the current request. This may be useful for an API which must validate the token in the
Authorizationheader for each request (Resource Server).
provider."provider".proxy_detect
If true, detects the proxy server based on environment variables.
provider."provider".user_agent
Changes the user agent name.
provider."provider".id
OIDC client ID supplied by your provider. Mandatory
provider."provider".secret
OIDC client secret supplied by your provider.
If not present, the secret must be defined in the OIDC_${provider}_SECRET environment variable.
provider."provider".audience
Specifies the provider for whom the access token is intended.
If this parameter is omitted, the access token returned by the provider is intended for your OIDC client (useful for making token exchanges).
For an application, it's better to leave this parameter out and make token exchanges if you need to make API calls to other applications, but it can be useful for a batch if you know that the API calls will be made to a single application.
provider."provider".role_prefix
Defines a prefix common to the roles that will be ignored during a comparison test between a role to be verified and the list of user roles.
For example, with MYAPP. prefix, you cand do :
my $can_access_app = $auth_user->has_role('USER');instead of :
my $can_access_app = $auth_user->has_role('MYAPP.USER');provider."provider".well_known_url
Endpoint which allows the library to retrieve the provider's metadata at the time of instantiation of the OIDC client only.
If it's not defined, the following parameters must be manually specified when required:
- issuer
-
Provider identifier which must correspond exactly to the
issclaim of the tokens received. - jwks_url
-
Endpoint for publishing the keys to be used to verify the signature of a JWT token.
-
Endpoint from which an interaction takes place between the provider and the browser in order to authenticate the user.
- token_url
-
Endpoint on which the backend exchanges an authorization code with a token or refreshes a token.
- userinfo_url
-
Endpoint used to retrieve user information.
- end_session_url
-
Endpoint used to clean up the user session on the provider side.
You can also configure the well know URL and _overload_ one or more metadata with these same configuration entries.
provider."provider".signin_redirect_path
Relative path of the endpoint used by the provider to redirect the user's browser to the application once authentication has been completed.
provider."provider".signin_redirect_uri
Alternative to signin_redirect_path
Absolute path to the endpoint used by the provider to redirect the user's browser to the application once authentication has been completed.
provider."provider".scope
String with space separators defining the desired scope of rights of the requested token.
provider."provider".identity_expires_in
Number of seconds to add to the current time (when the ID token is retrieved) to force an expiration time. This overrides the expiration time specified in the exp claim, which is used by default.
The value 0 means that there is no expiration time for the stored identity (lifetime of the current session).
provider."provider".expiration_leeway
Number of seconds of leeway for a token to be considered expired before it actually is.
provider."provider".decode_jwt
Options to be transferred to the Crypt::JWT::decode_jwt() function used to validate and decode a JWT token.
By default, the transmitted options are :
provider."provider".claim_mapping
Used to map token claims or user information to an OIDC::Client::User object.
By default, no mapping is used.
provider."provider".audience_alias
Audience configuration for token exchanges.
Gives an alias to an audience rather than using the technical identifier.
For example :
<audience_alias other_app_name>
audience other-app-audience
</audience_alias>provider."provider".audience_alias.audience
Audience to be used for this audience alias.
provider."provider".audience_alias.scope
String with space separators defining the desired scope of rights of the requested exchanged token.
provider."provider".authorize_endpoint_response_mode
Defines how tokens are sent by the provider.
Can take one of these values:
- query
-
Tokens are sent in query parameters.
- form_post
-
Tokens are sent in a POST form.
provider."provider".authorize_endpoint_extra_params
Defines additional parameters to be sent to the provider when the authorize endpoint is called.
provider."provider".token_endpoint_grant_type
Defines the grant_type parameter to be sent to the provider when the token endpoint is called.
Can take one of these values (authorization_code by default) :
- client_credentials
- password
provider."provider".token_endpoint_auth_method
Defines the authentication method to be used when calling the token endpoint.
Can take one of these values (post by default) :
- post
-
The client id and secret are sent in the POST body.
- basic
-
The client id and the secret are sent in an
Authorizationheader.
provider."provider".username
For a grant_type password, specifies the technical account to be used.
provider."provider".password
For a grant_type password, specifies the technical account password to be used.
provider."provider".logout_redirect_path
Relative path of the endpoint used by the provider to redirect the user's browser to the application once the session has been cleaned up on the provider side.
provider."provider".post_logout_redirect_uri
Alternative to logout_redirect_path
Absolute path to the endpoint used by the provider to redirect the user's browser to the application once the session has been cleaned up on the provider side.
provider."provider".logout_with_id_token
Specifies whether the token id should be sent to the provider when the end_session endpoint is called.
True by default
provider."provider".logout_extra_params
Defines additional parameters to be sent to the provider when the end_session endpoint is called.
provider."provider".mocked_identity
For local use only, bypasses the authentication flow by directly defining a mocked object representing an OIDC::Client::Identity object.
Example:
<mocked_identity>
subject DOEJ
token abcd1234
<claims>
sub DOEJ
lastName Doe
firstName John
email john.doe@gmail.com
roles MYAPP.ROLE1
roles MYAPP.ROLE2
</claims>
</mocked_identity>provider."provider".mocked_access_token
For local use only, allows the verification of a token to be bypassed by directly defining a mocked object representing an OIDC::Client::AccessToken object. Also used when retrieving an OIDC::Client::AccessToken object from the store.
Example:
<mocked_access_token>
token abcd1234
scopes scope1
scopes scope2
</mocked_access_token>provider."provider".mocked_userinfo
For local use only, allows you to directly define a mocked object representing userinfo.
Example:
<mocked_userinfo>
sub DOEJ
lastName Doe
firstName John
email john.doe@gmail.com
roles MYAPP.ROLE1
roles MYAPP.ROLE2
</mocked_userinfo>