Commit 1dc99ce8 authored by Clément OUDOT

Improve OpenID Connect configuration (#820)

parent a1855c04
......@@ -132,18 +132,30 @@ sub defaultValues {
'notificationStorageOptions' => {
'dirName' => '/var/lib/lemonldap-ng/notifications'
},
'notificationWildcard' => 'allusers',
'notifyDeleted' => 1,
'notifyOther' => 0,
'nullAuthnLevel' => 2,
'oidcAuthnLevel' => 1,
'oidcRPCallbackGetParam' => 'openidconnectcallback',
'oidcRPStateTimeout' => 600,
'oidcServiceAllowAuthorizationCodeFlow' => 1,
'oidcServiceAllowDynamicRegistration' => 0,
'oidcServiceAllowHybridFlow' => 0,
'oidcServiceAllowImplicitFlow' => 0,
'oidcServiceMetaDataAuthnContext' => {
'notificationWildcard' => 'allusers',
'notifyDeleted' => 1,
'notifyOther' => 0,
'nullAuthnLevel' => 2,
'oidcAuthnLevel' => 1,
'oidcOPMetaDataOptionsCheckJWTSignature' => 1,
'oidcOPMetaDataOptionsDisplay' => '',
'oidcOPMetaDataOptionsIDTokenMaxAge' => 30,
'oidcOPMetaDataOptionsJWKSTimeout' => 0,
'oidcOPMetaDataOptionsMaxAge' => 0,
'oidcOPMetaDataOptionsPrompt' => 'login consent',
'oidcOPMetaDataOptionsScope' => 'openid profile',
'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => 'client_secret_post',
'oidcOPMetaDataOptionsUseNonce' => 1,
'oidcRPCallbackGetParam' => 'openidconnectcallback',
'oidcRPMetaDataOptionsAccessTokenExpiration' => 3600,
'oidcRPMetaDataOptionsIDTokenExpiration' => 3600,
'oidcRPMetaDataOptionsIDTokenSignAlg' => 'HS512',
'oidcRPStateTimeout' => 600,
'oidcServiceAllowAuthorizationCodeFlow' => 1,
'oidcServiceAllowDynamicRegistration' => 0,
'oidcServiceAllowHybridFlow' => 0,
'oidcServiceAllowImplicitFlow' => 0,
'oidcServiceMetaDataAuthnContext' => {
'loa-1' => 1,
'loa-2' => 2,
'loa-3' => 3,
......
......@@ -1194,7 +1194,8 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'type' => 'text'
},
'oidcOPMetaDataOptionsCheckJWTSignature' => {
'type' => 'bool'
'default' => 1,
'type' => 'bool'
},
'oidcOPMetaDataOptionsClientID' => {
'type' => 'text'
......@@ -1206,7 +1207,30 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'type' => 'text'
},
'oidcOPMetaDataOptionsDisplay' => {
'type' => 'text'
'default' => '',
'select' => [
{
'k' => '',
'v' => ''
},
{
'k' => 'page',
'v' => 'page'
},
{
'k' => 'popup',
'v' => 'popup'
},
{
'k' => 'touch',
'v' => 'touch'
},
{
'k' => 'wap',
'v' => 'wap'
}
],
'type' => 'select'
},
'oidcOPMetaDataOptionsDisplayName' => {
'type' => 'text'
......@@ -1215,28 +1239,45 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'type' => 'text'
},
'oidcOPMetaDataOptionsIDTokenMaxAge' => {
'type' => 'int'
'default' => 30,
'type' => 'int'
},
'oidcOPMetaDataOptionsJWKSTimeout' => {
'type' => 'int'
'default' => 0,
'type' => 'int'
},
'oidcOPMetaDataOptionsMaxAge' => {
'type' => 'int'
'default' => 0,
'type' => 'int'
},
'oidcOPMetaDataOptionsPrompt' => {
'type' => 'text'
'default' => 'login consent',
'type' => 'text'
},
'oidcOPMetaDataOptionsScope' => {
'type' => 'text'
'default' => 'openid profile',
'type' => 'text'
},
'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => {
'type' => 'text'
'default' => 'client_secret_post',
'select' => [
{
'k' => 'client_secret_post',
'v' => 'client_secret_post'
},
{
'k' => 'client_secret_basic',
'v' => 'client_secret_basic'
}
],
'type' => 'select'
},
'oidcOPMetaDataOptionsUiLocales' => {
'type' => 'text'
},
'oidcOPMetaDataOptionsUseNonce' => {
'type' => 'bool'
'default' => 1,
'type' => 'bool'
},
'oidcRPCallbackGetParam' => {
'default' => 'openidconnectcallback',
......@@ -1252,7 +1293,8 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'type' => 'subContainer'
},
'oidcRPMetaDataOptionsAccessTokenExpiration' => {
'type' => 'int'
'default' => 3600,
'type' => 'int'
},
'oidcRPMetaDataOptionsClientID' => {
'type' => 'text'
......@@ -1270,10 +1312,42 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'type' => 'text'
},
'oidcRPMetaDataOptionsIDTokenExpiration' => {
'type' => 'int'
'default' => 3600,
'type' => 'int'
},
'oidcRPMetaDataOptionsIDTokenSignAlg' => {
'type' => 'text'
'default' => 'HS512',
'select' => [
{
'k' => 'none',
'v' => 'None'
},
{
'k' => 'HS256',
'v' => 'HS256'
},
{
'k' => 'HS384',
'v' => 'HS384'
},
{
'k' => 'HS512',
'v' => 'HS512'
},
{
'k' => 'RS256',
'v' => 'RS256'
},
{
'k' => 'RS384',
'v' => 'RS384'
},
{
'k' => 'RS512',
'v' => 'RS512'
}
],
'type' => 'select'
},
'oidcRPMetaDataOptionsRedirectUris' => {
'type' => 'text'
......
......@@ -2138,10 +2138,14 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
},
# OpenID Connect metadata nodes
oidcOPMetaDataNodes =>
{ type => 'oidcOPMetaDataNodeContainer', help => 'oidcop.html', },
oidcRPMetaDataNodes =>
{ type => 'oidcRPMetaDataNodeContainer', help => 'oidcrp.html', },
oidcOPMetaDataNodes => {
type => 'oidcOPMetaDataNodeContainer',
help => 'idpopenidconnect.html',
},
oidcRPMetaDataNodes => {
type => 'oidcRPMetaDataNodeContainer',
help => 'authopenidconnect.html',
},
oidcOPMetaDataOptions => { type => 'subContainer', },
oidcRPMetaDataOptions => { type => 'subContainer', },
......@@ -2149,22 +2153,42 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
oidcOPMetaDataJSON => { type => 'file', },
oidcOPMetaDataJWKS => { type => 'file', },
oidcOPMetaDataExportedVars => { type => 'keyTextContainer', },
oidcOPMetaDataOptionsConfigurationURI => { type => 'text', },
oidcOPMetaDataOptionsJWKSTimeout => { type => 'int', },
oidcOPMetaDataOptionsClientID => { type => 'text', },
oidcOPMetaDataOptionsClientSecret => { type => 'password', },
oidcOPMetaDataOptionsScope => { type => 'text', },
oidcOPMetaDataOptionsDisplay => { type => 'text', },
oidcOPMetaDataOptionsPrompt => { type => 'text', },
oidcOPMetaDataOptionsMaxAge => { type => 'int', },
oidcOPMetaDataOptionsUiLocales => { type => 'text', },
oidcOPMetaDataOptionsAcrValues => { type => 'text', },
oidcOPMetaDataOptionsTokenEndpointAuthMethod => { type => 'text', },
oidcOPMetaDataOptionsCheckJWTSignature => { type => 'bool', },
oidcOPMetaDataOptionsIDTokenMaxAge => { type => 'int', },
oidcOPMetaDataOptionsUseNonce => { type => 'bool', },
oidcOPMetaDataOptionsDisplayName => { type => 'text', },
oidcOPMetaDataOptionsIcon => { type => 'text', },
oidcOPMetaDataOptionsConfigurationURI => { type => 'url', },
oidcOPMetaDataOptionsJWKSTimeout => { type => 'int', default => 0 },
oidcOPMetaDataOptionsClientID => { type => 'text', },
oidcOPMetaDataOptionsClientSecret => { type => 'password', },
oidcOPMetaDataOptionsScope =>
{ type => 'text', default => 'openid profile' },
oidcOPMetaDataOptionsDisplay => {
type => 'select',
select => [
{ k => '', v => '' },
{ k => 'page', v => 'page' },
{ k => 'popup', v => 'popup' },
{ k => 'touch', v => 'touch' },
{ k => 'wap', v => 'wap' },
],
default => "",
},
oidcOPMetaDataOptionsPrompt =>
{ type => 'text', default => 'login consent' },
oidcOPMetaDataOptionsMaxAge => { type => 'int', default => 0 },
oidcOPMetaDataOptionsUiLocales => { type => 'text', },
oidcOPMetaDataOptionsAcrValues => { type => 'text', },
oidcOPMetaDataOptionsTokenEndpointAuthMethod => {
type => 'select',
select => [
{ k => 'client_secret_post', v => 'client_secret_post' },
{ k => 'client_secret_basic', v => 'client_secret_basic' },
],
default => 'client_secret_post',
},
oidcOPMetaDataOptionsCheckJWTSignature =>
{ type => 'bool', default => 1 },
oidcOPMetaDataOptionsIDTokenMaxAge => { type => 'int', default => 30 },
oidcOPMetaDataOptionsUseNonce => { type => 'bool', default => 1 },
oidcOPMetaDataOptionsDisplayName => { type => 'text', },
oidcOPMetaDataOptionsIcon => { type => 'text', },
# OpenID Connect relying parties
oidcRPMetaDataExportedVars => { type => 'keyTextContainer', },
......@@ -2173,11 +2197,25 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
oidcRPMetaDataOptionsDisplayName => { type => 'text', },
oidcRPMetaDataOptionsIcon => { type => 'text', },
oidcRPMetaDataOptionsUserIDAttr => { type => 'text', },
oidcRPMetaDataOptionsIDTokenSignAlg => { type => 'text', },
oidcRPMetaDataOptionsIDTokenExpiration => { type => 'int', },
oidcRPMetaDataOptionsAccessTokenExpiration => { type => 'int', },
oidcRPMetaDataOptionsRedirectUris => { type => 'text', },
oidcRPMetaDataOptionsExtraClaims => { type => 'keyTextContainer', },
oidcRPMetaDataOptionsIDTokenSignAlg => {
type => 'select',
select => [
{ k => 'none', v => 'None' },
{ k => 'HS256', v => 'HS256' },
{ k => 'HS384', v => 'HS384' },
{ k => 'HS512', v => 'HS512' },
{ k => 'RS256', v => 'RS256' },
{ k => 'RS384', v => 'RS384' },
{ k => 'RS512', v => 'RS512' },
],
default => 'HS512',
},
oidcRPMetaDataOptionsIDTokenExpiration =>
{ type => 'int', default => 3600 },
oidcRPMetaDataOptionsAccessTokenExpiration =>
{ type => 'int', default => 3600 },
oidcRPMetaDataOptionsRedirectUris => { type => 'text', },
oidcRPMetaDataOptionsExtraClaims => { type => 'keyTextContainer', },
};
}
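Review bot: The `oidcRPMetaDataOptionsIDTokenSignAlg` select offers `none` (`{ k => 'none', v => 'None' }`), which lets an administrator configure a relying party to receive unsigned ID tokens; OpenID Connect Core only allows `alg=none` when no ID token is returned from the authorization endpoint and the client explicitly registered for it, so the entry should either be dropped or carry a comment such as `# 'none' is spec-compliant only for code-flow clients that registered it; keep a signed algorithm unless the RP requires otherwise`. The chosen `default => 'HS512'` also departs from the registration default `RS256` that relying parties assume when nothing is negotiated, and if the HS* modes are keyed with the client secret (not visible in this hunk) the signature is only as strong as that secret, which is worth a one-line comment next to the default; the same list is mirrored in the generated `oidcRPMetaDataOptionsIDTokenSignAlg` entry of the Manager attributes section above. Separately, in this file's first hunk (`@@ -2138,10 +2138,14 @@`) the help targets look crossed: `oidcOPMetaDataNodes` describes providers LemonLDAP::NG authenticates against yet now points at `idpopenidconnect.html`, while `oidcRPMetaDataNodes` describes parties it acts as provider for and points at `authopenidconnect.html` — please confirm which documentation page covers which node. The enclosing hash and subroutine begin before this hunk.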
......
......@@ -128,6 +128,7 @@ sub cTrees {
nodes => [
{
title => 'oidcOPMetaDataOptionsConfiguration',
form => 'simpleInputContainer',
nodes => [
'oidcOPMetaDataOptionsConfigurationURI',
'oidcOPMetaDataOptionsJWKSTimeout',
......@@ -137,6 +138,7 @@ sub cTrees {
},
{
title => 'oidcOPMetaDataOptionsProtocol',
form => 'simpleInputContainer',
nodes => [
'oidcOPMetaDataOptionsScope',
'oidcOPMetaDataOptionsDisplay',
......@@ -152,6 +154,7 @@ sub cTrees {
},
{
title => 'oidcOPMetaDataOptionsDisplayParams',
form => 'simpleInputContainer',
nodes => [
'oidcOPMetaDataOptionsDisplayName',
'oidcOPMetaDataOptionsIcon'
......@@ -167,6 +170,7 @@ sub cTrees {
nodes => [
{
title => 'oidcRPMetaDataOptionsAuthentication',
form => 'simpleInputContainer',
nodes => [
'oidcRPMetaDataOptionsClientID',
'oidcRPMetaDataOptionsClientSecret'
......@@ -174,6 +178,7 @@ sub cTrees {
},
{
title => 'oidcRPMetaDataOptionsDisplay',
form => 'simpleInputContainer',
nodes => [
'oidcRPMetaDataOptionsDisplayName',
'oidcRPMetaDataOptionsIcon'
......