NAME

OIDC::Client::Config - Configuration Documentation

DESCRIPTION

These configuration entries apply to all framework plugins included in the OIDC-Client distribution.

For direct use with the OIDC::Client module, all entries beginning with provider."provider". apply, but this prefix must be removed from the configuration entry names.

ENTRIES

store_mode

Defines where the tokens are stored.

Possible values (session by default):

session

Stored data persists between requests until the session expires.

stash

Stored data can only be accessed in the current request. This may be useful for an API which must validate the token in the Authorization header for each request (Resource Server).

authentication_error_path

Relative path of the endpoint to which the browser is redirected when the authentication flow fails: the provider returns an error on the callback to the application after an authentication attempt, the exchange of the authorization code for a token fails, or the token fails verification.

From the redirection endpoint, the error message is present in error_message flash data.

If this path is not configured, an OIDC::Client::Error::Authentication error is thrown.

provider."provider".proxy_detect

If true, detects the proxy server based on environment variables.

provider."provider".user_agent

Changes the user agent name.

provider."provider".id

OIDC client ID supplied by your provider. Mandatory.

provider."provider".secret

OIDC client secret supplied by your provider.

If not present, the secret must be defined in the OIDC_${provider}_SECRET environment variable.

provider."provider".audience

Specifies the audience, i.e. for whom the access token is intended.

If this parameter is omitted, the access token returned by the provider is intended for your OIDC client (useful for making token exchanges).

For an application, it is better to leave this parameter out and use token exchanges when API calls to other applications are needed; it can be useful for a batch job that is known to call a single application.

provider."provider".role_prefix

Defines a prefix common to the roles; this prefix is ignored when a role to be verified is compared with the list of user roles.

For example, with the MYAPP. prefix, you can do:

my $can_access_app = $auth_user->has_role('USER');

instead of:

my $can_access_app = $auth_user->has_role('MYAPP.USER');
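The comparison described above, written out as a stand-alone sketch of the documented semantics; this is an added illustration, not the has_role() implementation of OIDC::Client::User, and the role list, the role names and the MYAPP. prefix are constructed for the example.

```perl
#!/usr/bin/env perl
# Added sketch of role_prefix handling (not code from the OIDC-Client
# distribution). Assumptions: a constructed list of user roles and the
# constructed prefix MYAPP.; the real module may differ in detail.
use 5.014;    # for the /r substitution flag
use strict;
use warnings;

my $role_prefix = 'MYAPP.';
my @user_roles  = ('MYAPP.USER', 'MYAPP.REPORT_VIEWER', 'OTHERAPP.ADMIN');

# Strip the configured prefix once, so that 'USER' and 'MYAPP.USER' compare
# equal, while a role carrying another application's prefix keeps it.
sub strip_prefix {
    my ($role) = @_;
    return $role =~ s/^\Q$role_prefix\E//r;
}

# Exact comparison after stripping: 'USER' must not match 'USERADMIN' or
# 'OTHERAPP.USER', so no substring or regex matching is done here.
sub has_role {
    my ($wanted, @roles) = @_;
    my $needle = strip_prefix($wanted);
    return scalar grep { strip_prefix($_) eq $needle } @roles;
}

# 'USER' and 'MYAPP.USER' are granted; 'ADMIN' is denied even though
# OTHERAPP.ADMIN is present, because its prefix is not the configured one.
for my $check ('USER', 'MYAPP.USER', 'ADMIN', 'OTHERAPP.ADMIN', 'USERADMIN') {
    printf "%-16s %s\n", $check, has_role($check, @user_roles) ? 'granted' : 'denied';
}
```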

provider."provider".well_known_url

Endpoint which allows the library to retrieve the provider's metadata at the time of instantiation of the OIDC client only.

If it's not defined, the following parameters must be manually specified when required:

issuer

Provider identifier which must correspond exactly to the iss claim of the tokens received.

jwks_url

Endpoint publishing the keys used to verify the signature of a JWT.

authorize_url

Endpoint from which an interaction takes place between the provider and the browser in order to authenticate the user.

token_url

Endpoint on which the backend exchanges an authorization code for a token or refreshes a token.

userinfo_url

Endpoint used to retrieve user information.

end_session_url

Endpoint used to clean up the user session on the provider side.

You can also configure the well-known URL and override one or more of its metadata values with these same configuration entries.

provider."provider".signin_redirect_path

Relative path of the endpoint used by the provider to redirect the user's browser to the application once authentication has been completed.

provider."provider".signin_redirect_uri

Alternative to signin_redirect_path.

Absolute URI of the endpoint used by the provider to redirect the user's browser to the application once authentication has been completed.

provider."provider".scope

Space-separated string defining the desired scope of rights of the requested token.

provider."provider".expiration_leeway

Number of seconds before its actual expiry at which a token is already considered expired.

provider."provider".decode_jwt

Options passed to the Crypt::JWT::decode_jwt() function used to validate and decode a JWT.

By default, the options passed are:

leeway: 60

Clock skew of 1 minute
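What the default leeway means in practice, together with the exact iss and aud checks that the issuer and audience entries above describe, as an added example that is not code from the OIDC-Client distribution. It assumes an HS256 token signed with a constructed shared secret (instead of the provider's JWKS keys) and a constructed issuer and audience.

```perl
#!/usr/bin/env perl
# Added illustration of the leeway option passed to Crypt::JWT::decode_jwt
# (not code from the OIDC-Client distribution). Assumptions: an HS256 token
# signed with a constructed shared secret rather than the provider's JWKS
# keys, and a constructed issuer and audience.
use strict;
use warnings;
use Crypt::JWT qw(encode_jwt decode_jwt);

my $secret   = 'constructed-test-secret';
my $issuer   = 'https://issuer.example.test';   # constructed iss value
my $audience = 'MYAPP';                         # constructed aud value

# Token whose exp claim is already 30 seconds in the past.
my $expired_jwt = encode_jwt(
    payload => { sub => 'DOEJ', iss => $issuer, aud => $audience, exp => time() - 30 },
    alg     => 'HS256',
    key     => $secret,
);

# With leeway 60 (the module's default), exp is compared against now - 60,
# so a token that expired 30 s ago is still accepted; with leeway 0 it is
# rejected. iss and aud are pinned in the same call: a token issued by
# another issuer or minted for another audience is rejected whatever the
# leeway, which is why the clock-skew window must stay small.
sub decode_with_leeway {
    my ($jwt, $leeway, $expected_aud) = @_;
    my $claims = eval {
        decode_jwt(
            token      => $jwt,
            key        => $secret,
            leeway     => $leeway,
            verify_exp => 1,
            verify_iss => $issuer,
            verify_aud => $expected_aud,
        );
    };
    return $claims ? "accepted (sub=$claims->{sub})" : "rejected: $@";
}

printf "leeway 60, aud MYAPP    -> %s\n", decode_with_leeway($expired_jwt, 60, $audience);
printf "leeway  0, aud MYAPP    -> %s\n", decode_with_leeway($expired_jwt, 0,  $audience);
printf "leeway 60, aud OTHERAPP -> %s\n", decode_with_leeway($expired_jwt, 60, 'OTHERAPP');
```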

provider."provider".claim_mapping

Used to map the claims of an ID token to the identity hashref and/or the user information to an OIDC::Client::User object.

By default, no mapping is used.

provider."provider".audience_alias

Audience configuration for token exchanges.

Gives an alias to an audience rather than using the technical identifier.

For example:

<audience_alias other_app_name>
    audience    other-app-audience
</audience_alias>

provider."provider".audience_alias.audience

Audience to be used for this audience alias.

provider."provider".audience_alias.scope

Space-separated string defining the desired scope of rights of the requested exchanged token.

provider."provider".authorize_endpoint_response_mode

Defines how tokens are sent by the provider.

Can take one of these values:

query

Tokens are sent in query parameters.

form_post

Tokens are sent in a POST form.

provider."provider".authorize_endpoint_extra_params

Defines additional parameters to be sent to the provider when the authorize endpoint is called.

provider."provider".token_endpoint_grant_type

Defines the grant_type parameter to be sent to the provider when the token endpoint is called.

Can take one of these values (authorization_code by default):

authorization_code
client_credentials
password

provider."provider".token_endpoint_auth_method

Defines the authentication method to be used when calling the token endpoint.

Can take one of these values (post by default):

post

The client ID and secret are sent in the POST body.

basic

The client ID and secret are sent in an Authorization header.

provider."provider".username

For the password grant type, specifies the technical account to be used.

provider."provider".password

For the password grant type, specifies the password of the technical account to be used.

provider."provider".logout_redirect_path

Relative path of the endpoint used by the provider to redirect the user's browser to the application once the session has been cleaned up on the provider side.

provider."provider".post_logout_redirect_uri

Alternative to logout_redirect_path.

Absolute URI of the endpoint used by the provider to redirect the user's browser to the application once the session has been cleaned up on the provider side.

provider."provider".logout_with_id_token

Specifies whether the ID token should be sent to the provider when the end_session endpoint is called.

True by default.

provider."provider".logout_extra_params

Defines additional parameters to be sent to the provider when the end_session endpoint is called.

provider."provider".mocked_identity

For local use only, bypasses the authentication flow by directly defining a mocked object representing an identity.

Example:

<mocked_identity>
    login       DOEJ
    lastname    Doe
    firstname   John
    email       john.doe@gmail.com
    roles       MYAPP.ROLE1
    roles       MYAPP.ROLE2
</mocked_identity>

provider."provider".mocked_claims

For local use only, allows the verification of a token to be bypassed by directly defining a mocked object representing the claims.

Example:

<mocked_claims>
    sub         DOEJ
    exp         123456
    aud         MYAPP
    scp         scope1
    scp         scope2
</mocked_claims>

provider."provider".mocked_userinfo

For local use only, allows you to directly define a mocked object representing userinfo.

Example:

<mocked_userinfo>
    sub         DOEJ
    lastName    Doe
    firstName   John
    email       john.doe@gmail.com
    roles       MYAPP.ROLE1
    roles       MYAPP.ROLE2
</mocked_userinfo>