
Reference

This section gives a breakdown of the OpenID Connect Provider (OP) configuration options. It covers only the additional properties that distinguish an OpenID Provider from an OAuth 2.0 Provider; for the properties they share, see the OAuth 2.0 Provider Reference.

Core

  • JWKs uri: https://<(new.monokee.com/<domain_id>|<domain-custom-fqdn>)>/oauth2/<provider_id>/.well-known/openid-configuration/jwks.json is the URL of the JSON Web Key Set endpoint, where the provider publishes the public keys that relying parties use to verify the signature of ID tokens and signed userinfo responses (no private material is exposed there). This setting controls the value of the jwks_uri parameter in the provider metadata. Relying parties should select the key by its kid and re-fetch the set when they meet an unknown kid, which is what makes key rotation possible without downtime.

  • Supported response types: in addition to code and token, which are explained in the OAuth 2.0 Provider reference, OpenID Connect introduces further values that enable the implicit and hybrid flows. This setting controls the value of the response_types_supported parameter in the provider metadata. The values are compared as sets, so code id_token and id_token code denote the same request. Every value other than code returns an access token or an ID token directly from the authorization endpoint, through the browser, which exposes them to history, referrer leakage and injection; current OAuth 2.0 security guidance is to prefer the authorization code flow (with PKCE) and to enable these values only for clients that need them. They are available only if the implicit grant type is enabled for the provider:

    • id_token: returns only an ID token from the authorization endpoint.
    • token: returns the access token directly from the authorization endpoint.
    • code token: returns an authorization code together with an access token from the authorization endpoint.
    • code id_token: returns an authorization code together with an ID token from the authorization endpoint; the ID token carries a c_hash claim binding it to the code.
    • id_token token: returns an access token together with an ID token from the authorization endpoint; the ID token carries an at_hash claim binding it to the access token.
    • code id_token token: returns an authorization code, an access token and an ID token from the authorization endpoint; the ID token carries both c_hash and at_hash.
  • Scopes: the list of scopes supported by the OpenID Provider. The openid scope is mandatory for a provider that releases ID tokens; a request without it is a plain OAuth 2.0 request and yields no ID token. The standard OpenID Connect scopes are profile, email, phone and address. This setting controls the value of the scopes_supported parameter in the provider metadata.

Advanced

  • Provider endpoints: the endpoints differ from those explained in the OAuth 2.0 Provider reference as follows:

    • Registration endpoint: <base_path>/client/connect/register is the URL of the endpoint that receives client registration requests. It is valid only if the Allow self-registration of a client flag in the CORE configuration is enabled. Enable it deliberately: an open registration endpoint lets any party create clients and choose their redirect URIs.
  • Claims parameter supported: when this option is enabled, the provider honours the claims request parameter, with which a client asks for specific claims (in the ID token or from the userinfo endpoint, optionally marked as essential) instead of whole scopes. This setting controls the value of the claims_parameter_supported parameter in the provider metadata.

  • Supported request parameter: when this option is enabled, the provider accepts the request parameter in the authorization request. It carries the whole authorization request as a single JWT (a request object), which may be signed and/or encrypted. A signed request object lets the provider verify that the request parameters were not altered on their way through the browser; with an unsigned request object (alg none) that guarantee is lost, so the request signing algorithms configured in the Signature section should not include none unless a client genuinely needs it. This setting controls the value of the request_parameter_supported parameter in the provider metadata.

  • Supported request_uri parameter: when this option is enabled, the provider accepts the request_uri parameter in the authorization request, a URL from which the provider fetches the request object instead of receiving it inline. Because the provider then makes an outbound HTTP request to a client-supplied URL, it should only fetch request_uri values the client pre-registered (or that the provider issued itself), never arbitrary URLs. This setting controls the value of the request_uri_parameter_supported parameter in the provider metadata.

  • Supported subject types: the list of supported subject identifier types. This list controls the value of the subject_types_supported parameter in the provider metadata. Available values are:

    • public: the same subject identifier (sub) is released to every client.
    • pairwise: a different subject identifier is derived for each client (more precisely, for each sector identifier, normally the host of the client's redirect URIs or of its sector_identifier_uri), unique per issuer and client. Relying parties therefore cannot correlate the same user across clients by sub, which gives users better privacy protection.
  • Supported ACR values: the list of supported Authentication Context Class Reference (ACR) values. This list controls the value of the acr_values_supported parameter in the provider metadata.

  • Supported claims: the list of supported claims. This list controls the value of the claims_supported parameter in the provider metadata. OpenID Connect defines the following claims for the profile, email, phone and address scopes:

    • profile: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale and updated_at
    • email: email, email_verified
    • address: address
    • phone: phone_number, phone_number_verified

Signature

  • Supported ID token signing algorithms: the algorithms the provider may use to sign ID tokens; this corresponds to the id_token_signing_alg_values_supported parameter in the provider metadata. OpenID Connect requires RS256 to be supported and does not allow unsigned (none) ID tokens from the authorization endpoint, so none should not be listed.

  • Supported userinfo signing algorithms: the algorithms the provider may use to sign userinfo responses; this corresponds to the userinfo_signing_alg_values_supported parameter in the provider metadata.

  • Supported request object signing algorithms: the algorithms the provider accepts for signed request objects (see the request parameter above); this corresponds to the request_object_signing_alg_values_supported parameter in the provider metadata.

  • Signature: the list of key pairs that are valid for the provider. Two elements must be configured for each key pair:

    • Certificate: the certificate whose public key is published through the JWKS endpoint (jwks_uri) and shared with the parties involved in the process.
    • Private Key: the private key used to sign ID tokens and userinfo responses. It must be in PKCS#1 or PKCS#8 format. When rotating keys, publish the new key at jwks_uri before signing with it and keep the old one listed until every token signed with it has expired.