Diffstat (limited to 'template/reclaim/idps.html.j2')
-rw-r--r-- | template/reclaim/idps.html.j2 | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/template/reclaim/idps.html.j2 b/template/reclaim/idps.html.j2 new file mode 100644 index 00000000..5101b0d7 --- /dev/null +++ b/template/reclaim/idps.html.j2 | |||
@@ -0,0 +1,30 @@ | |||
1 | {% extends "common/base.j2" %} | ||
2 | {% block body_content %} | ||
3 | <div class="m-3"> | ||
4 | <a class="mt-2 mb-2" href="{{ url_localized('reclaim/index.html') }}">reclaimID</a> / IdPs | ||
5 | </div> | ||
6 | <h2 class="text-center">{{ _("For IdPs") }}</h2> | ||
7 | <br/> | ||
8 | <div class="container"> | ||
9 | <h2><b>Step 1:</b> OpenID Service</h2> | ||
10 | As an identity provider and credential issuer, you need to setup an OpenID Connect server. There are many servers out there. For a list of servers, check out the <a href="https://openid.net/developers/certified/">OpenID website</a>. | ||
11 | One important caveat is that the server should allow you to issue user information inside the signed "ID Token". | ||
12 | The configuration regarding what user information goes into the token is of course completely under your discretion. | ||
13 | |||
14 | <h2 class="mt-5"><b>Step 2:</b> Configuring the reclaimID client</h2> | ||
15 | reclaimID uses special client values which must be registered at the OpenID server. The values are: | ||
16 | <ul> | ||
17 | <li><b>Client ID</b>: reclaimid</li> | ||
18 | <li><b>Client secret</b>: none (public client)</li> | ||
19 | <li><b>Redirect URI</b>: https://ui.reclaim</li> | ||
20 | <li><b>Grant type</b>: Authorization code</li> | ||
21 | <li><b>PKCE</b>: enabled (Optional but highly recommended)</li> | ||
22 | </ul> | ||
23 | |||
24 | <h2 class="mt-5"><b>Step 3:</b> Configuring a webfinger</h2> | ||
25 | You must support the webfinger-based <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect service discovery</a>. | ||
26 | Whenever the user configures an email address for an identity, reclaimID will try to discover the issuing identity provider through the OIDC Discovery protocol. This includes a <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#EmailSyntax">request to the authority part of the email address</a>. | ||
27 | |||
28 | The response should point reclaimID to the actual OpenID Connect service <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">serving the issuer medatata</a>. reclaimID will try to request all scopes which are listed in the metadata, but does not expect all of them to be granted. | ||
29 | </div> | ||
30 | {% endblock body_content %} | ||
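Review bot: line 21 describes PKCE as "Optional but highly recommended", but line 18 declares the client public with no secret and line 20 selects the authorization code grant; with no client secret, PKCE is the only thing binding the authorization code to the reclaimID client that requested it, so the guidance for IdPs should state it as required (or at least explain why it matters for this client) rather than optional. Two wording fixes in the same hunk: line 10 "setup" should be "set up" (verb), and line 28 "medatata" should be "metadata". Consider also lowercasing "Optional" inside the parentheses on line 21 to match the other list items.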