1
0
Fork 0
mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-11-14 04:02:41 +00:00

Add documentation for OIDC

Knut Ahlers 2019-04-22 18:55:43 -04:00
parent 2668ad3ce7
commit 0d440590ce

@ -100,6 +100,32 @@ acl:
- "@cn=mygroup,ou=groups,dc=example,dc=com"
```
## OpenID Connect (`oidc`)
This provider sends the user to the configured OpenID Connect provider for oAuth2 login and returns their identification afterwards as the user.
```yaml
providers:
oidc:
client_id: ""
client_secret: ""
redirect_url: "https://login.luzifer.io/login"
# Optional, defaults to "OpenID Connect"
issuer_name: ""
issuer_url: ""
# Optional, defaults to no limitations
require_domain: "example.com"
# Optional, defaults to "user-id"
user_id_method: "full-email"
```
The `redirect_url` **must** point back to the `/login` path of nginx-sso to complete the login process. With the `require_domain` parameter you can limit the users being allowed to sign in to users of a specific domain (useful for company internal portals with whitelisting for the company domain).
By default the user identifier will be the `subject`, which is defined by your OIDC provider. Also supported are the `user_id_method`s of `full-email` and `local-part` which both are derived from the users email address. For the user `knut@example.com` the `full-email` will set the username to `knut@example.com` while `local-part` will set it to `knut`.
After a new user signed up you can point them to the `/debug` route in your nginx-sso instance and let them send you the displayed username (user ID) for assigning to ACLs.
## Simple Auth (`simple`)
The simple auth provider consists of a static mapping between users and passwords and groups and users. This can be seen as the replacement of htpasswd files.