...

  • /oauth2/auth or /oauth2/authorize - OpenID Connect Authorization endpoint (the two paths are different names for the same endpoint).
  • /oauth2/token - OpenID Connect Token endpoint.
  • /oauth2/userinfo - OpenID Connect Userinfo endpoint. Requires a previously issued access token, sent as a Bearer token in the Authorization header.
  • /oauth2/jwks.json - OpenID Connect JWK key list endpoint (the keys clients use to verify token signatures).
  • /oauth2/confirm - Called when the user confirms consent; the user is then redirected back to the client application (relying party) with the authorization response.
  • /oauth2/reject - Called when the user rejects consent; the user is redirected back to the client application (relying party) with an error response instead of an id_token.
  • /oauth2/introspect - OAuth2 token introspection endpoint; see https://tools.ietf.org/html/rfc7662 (RFC 7662). Requires v5.70.3 or higher.
  • /oauth2/revoke - OAuth2 token revocation endpoint; see https://tools.ietf.org/html/rfc7009 (RFC 7009). Requires v5.70.3 or higher.
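The following is an added example, not code from the gateway or from this page: it builds the messages a relying party sends to each endpoint listed above (authorization request, callback handling, token exchange with client_secret_basic, userinfo, introspection and revocation) and returns them as data so they can be inspected offline. The host, client_id, client_secret and redirect_uri are constructed placeholders; nothing here touches the network.

```python
"""Client-side messages for the gateway's OAuth2 / OpenID Connect endpoints.

Added example, not the gateway's own code. Endpoint paths are the ones listed
above; HOST, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are constructed
placeholders. Each function returns the URL / headers / form body a relying
party would send, so the shape of every call can be checked without a server.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

HOST = "test.portalprotect.dk"          # assumption: the issuer host used on the page
ENDPOINTS = {
    "auth": f"https://{HOST}/oauth2/auth",
    "token": f"https://{HOST}/oauth2/token",
    "userinfo": f"https://{HOST}/oauth2/userinfo",
    "introspect": f"https://{HOST}/oauth2/introspect",
    "revoke": f"https://{HOST}/oauth2/revoke",
}
CLIENT_ID = "demo-client"               # constructed placeholder
CLIENT_SECRET = "demo-secret"           # constructed placeholder
REDIRECT_URI = "https://rp.example/cb"  # constructed placeholder


def new_session_values() -> tuple[str, str]:
    """Fresh (state, nonce) per login attempt; both must be stored in the session."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def authorization_request(state: str, nonce: str, scope: str = "openid profile email") -> str:
    """Authorization Code request: the browser is sent to /oauth2/auth.
    state binds the callback to this browser session (CSRF protection);
    nonce is echoed in the id_token so a replayed token can be detected."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope,
              "state": state, "nonce": nonce}
    return ENDPOINTS["auth"] + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Handle the redirect that follows /oauth2/confirm or /oauth2/reject.
    Returns the authorization code; raises on state mismatch or an error response."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:  # user rejected consent, or another OAuth2 error
        raise PermissionError(query["error"][0])
    return query["code"][0]


def client_secret_basic() -> str:
    """token_endpoint_auth_method=client_secret_basic (RFC 6749 section 2.3.1)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _client_post(url: str, form: dict) -> dict:
    """Client-authenticated form POST, the shape shared by token, introspect and revoke."""
    return {"url": url,
            "headers": {"Authorization": client_secret_basic(),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}


def token_request(code: str) -> dict:
    """POST /oauth2/token: exchange the code for access / id / refresh tokens.
    redirect_uri must repeat the value used in the authorization request."""
    return _client_post(ENDPOINTS["token"], {"grant_type": "authorization_code",
                                             "code": code, "redirect_uri": REDIRECT_URI})


def userinfo_request(access_token: str) -> dict:
    """GET /oauth2/userinfo with the access token as a Bearer token."""
    return {"url": ENDPOINTS["userinfo"],
            "headers": {"Authorization": f"Bearer {access_token}"}}


def introspect_request(token: str) -> dict:
    """RFC 7662 introspection: the token goes in the body, never in the URL."""
    return _client_post(ENDPOINTS["introspect"],
                        {"token": token, "token_type_hint": "access_token"})


def revoke_request(token: str) -> dict:
    """RFC 7009 revocation, e.g. on logout, so a leaked token stops working early."""
    return _client_post(ENDPOINTS["revoke"],
                        {"token": token, "token_type_hint": "access_token"})
```

The state check in parse_callback is the part most often skipped in hand-written clients; without it an attacker can complete a login in the victim's browser with the attacker's own authorization code.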


The endpoints depend on the configuration for JWT / OpenID Connect tokens, which is documented on the page JWT / OpenID Connect.

...

Code Block
    {
      "response.contenttype": "application/json;charset=UTF-8",
      "location.enabled": true,
      "content.preload": false,
      "description": "Discovery URL for OpenID Connect configuration",
      "session.override": false,
      "response.reason": "OK",
      "cookiesnapper": {},
      "plugin": {},
      "valid.methods": "GET",
      "session.needed": false,
      "response.compress": false,
      "name": "OpenID Connect IDP Configuration",
      "conditions.type": "and",
      "action": "respond",
      "conditions": [
        {
          "deny": false,
          "values": ["/.well-known/openid-configuration"],
          "type": "path"
        },
        {
          "deny": false,
          "values": ["https"],
          "type": "scheme"
        },
        {
          "deny": false,
          "values": ["GET"],
          "type": "method"
        }
      ],
      "response.status": 200,
      "response.content": "{\r\n   \"issuer\": \"https://test.portalprotect.dk\",\r\n   \"authorization_endpoint\": \"https://%{HTTP_HOST}/oauth2/auth\",\r\n   \"token_endpoint\": \"https://%{HTTP_HOST}/oauth2/token\",\r\n   \"userinfo_endpoint\": \"https://%{HTTP_HOST}/oauth2/userinfo\",\r\n   \"end_session_endpoint\": \"https://%{HTTP_HOST}/oauth2/logout\",\r\n   \"jwks_uri\": \"https://%{HTTP_HOST}/oauth2/jwks.json\",\r\n   \"scopes_supported\": [\"openid\", \"profile\", \"email\", \"address\", \"phone\"],\r\n   \"response_types_supported\": [\"code\", \"code id_token\", \"id_token\", \"token id_token\"],\r\n   \"subject_types_supported\": [\"public\", \"pairwise\"],\r\n   \"userinfo_signing_alg_values_supported\": [\"RS256\", \"ES256\", \"HS256\"],\r\n   \"id_token_signing_alg_values_supported\": [\"RS256\", \"ES256\", \"HS256\"],\r\n   \"claims_supported\": [\"sub\", \"iss\", \"auth_time\", \"acr\", \"name\", \"given_name\", \"family_name\", \"nickname\", \"profile\", \"picture\", \"website\", \"email\", \"email_verified\", \"locale\"],\r\n   \"grant_types_supported\": [\"authorization_code\", \"implicit\", \"refresh_token\"],\r\n   \"token_endpoint_auth_methods_supported\": [\"client_secret_post\", \"client_secret_basic\"]\r\n}"
    },
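The location above hard-codes the issuer but derives every endpoint URL from the request's Host header via %{HTTP_HOST}. A relying party is expected to verify that the issuer it discovers matches the one it configured and that the advertised endpoints belong to it, so the following added example (not part of the gateway or this page) emulates the substitution for a given Host value and runs those checks, plus two warnings on the advertised settings (a symmetric HS* id_token algorithm and the implicit grant). The location fields are pasted in as constructed sample input.

```python
"""Validate the OpenID Connect discovery document the location above returns.

Added example, not part of the gateway or the page. LOCATION is a constructed
copy of the relevant fields of the location configuration; render_discovery()
emulates the %{HTTP_HOST} substitution the gateway performs for a request Host
header, and check_discovery() applies the checks a careful relying party makes.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the response body of the location above, with the
# discovery fields the checks below look at.
LOCATION = {
    "response.content": (
        '{"issuer": "https://test.portalprotect.dk",'
        ' "authorization_endpoint": "https://%{HTTP_HOST}/oauth2/auth",'
        ' "token_endpoint": "https://%{HTTP_HOST}/oauth2/token",'
        ' "userinfo_endpoint": "https://%{HTTP_HOST}/oauth2/userinfo",'
        ' "end_session_endpoint": "https://%{HTTP_HOST}/oauth2/logout",'
        ' "jwks_uri": "https://%{HTTP_HOST}/oauth2/jwks.json",'
        ' "response_types_supported": ["code", "code id_token", "id_token", "token id_token"],'
        ' "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],'
        ' "grant_types_supported": ["authorization_code", "implicit", "refresh_token"]}'
    )
}

URL_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
              "end_session_endpoint", "jwks_uri")


def render_discovery(location: dict, http_host: str) -> dict:
    """Emulate the gateway: substitute %{HTTP_HOST} with the request's Host and parse."""
    body = location["response.content"].replace("%{HTTP_HOST}", http_host)
    return json.loads(body)


def check_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return a list of findings; an empty list means the document passed every check."""
    findings = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        findings.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    iss = urlsplit(issuer)
    if iss.scheme != "https" or iss.query or iss.fragment:
        findings.append("issuer must be an https URL without query or fragment")
    # Every endpoint must be https and live on the issuer's host; a Host header
    # the gateway does not validate would otherwise move them elsewhere.
    for field in URL_FIELDS:
        url = doc.get(field)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{field} is not https")
        if parts.netloc != iss.netloc:
            findings.append(f"{field} host {parts.netloc!r} differs from issuer host {iss.netloc!r}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        findings.append("id_token alg 'none' advertised: unsigned tokens would be accepted")
    if any(a.startswith("HS") for a in algs):
        findings.append("symmetric id_token alg advertised (HS*): the MAC key is the client secret, "
                        "so any client holding it can mint id_tokens")
    if "implicit" in doc.get("grant_types_supported", []):
        findings.append("implicit grant enabled: tokens are returned in the URL fragment")
    return findings


if __name__ == "__main__":
    for host in ("test.portalprotect.dk", "attacker.example"):
        print(host)
        for line in check_discovery(render_discovery(LOCATION, host),
                                    "https://test.portalprotect.dk"):
            print("  -", line)
```

With the expected Host the only findings are the two advisory ones (HS256 and implicit); with any other Host every endpoint host diverges from the issuer, which is the case a relying party should refuse. If the gateway already rejects requests whose Host header is not one of its configured names, the %{HTTP_HOST} substitution is safe; otherwise replacing it with the literal issuer host removes the dependency on the header entirely.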


Example JSON

...

Configuration for OAuth2 Locations

Below is an example of a location configuration you can cut and paste into the Gateway Configuration. It is provided as one location with several nested locations, which together handle the various OAuth2 / OpenID Connect endpoints without requiring separate applications.

...