mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-11-14 04:02:41 +00:00
Add documentation for OIDC
parent
2668ad3ce7
commit
0d440590ce
1 changed files with 26 additions and 0 deletions
|
@ -100,6 +100,32 @@ acl:
|
|||
- "@cn=mygroup,ou=groups,dc=example,dc=com"
|
||||
```
|
||||
|
||||
## OpenID Connect (`oidc`)
|
||||
|
||||
This provider sends the user to the configured OpenID Connect provider for oAuth2 login and returns their identification afterwards as the user.
|
||||
|
||||
```yaml
|
||||
providers:
|
||||
oidc:
|
||||
client_id: ""
|
||||
client_secret: ""
|
||||
redirect_url: "https://login.luzifer.io/login"
|
||||
# Optional, defaults to "OpenID Connect"
|
||||
issuer_name: ""
|
||||
issuer_url: ""
|
||||
|
||||
# Optional, defaults to no limitations
|
||||
require_domain: "example.com"
|
||||
# Optional, defaults to "user-id"
|
||||
user_id_method: "full-email"
|
||||
```
|
||||
|
||||
The `redirect_url` **must** point back to the `/login` path of nginx-sso to complete the login process. With the `require_domain` parameter you can limit the users being allowed to sign in to users of a specific domain (useful for company internal portals with whitelisting for the company domain).
|
||||
|
||||
By default the user identifier will be the `subject`, which is defined by your OIDC provider. Also supported are the `user_id_method`s of `full-email` and `local-part` which both are derived from the users email address. For the user `knut@example.com` the `full-email` will set the username to `knut@example.com` while `local-part` will set it to `knut`.
|
||||
|
||||
After a new user signed up you can point them to the `/debug` route in your nginx-sso instance and let them send you the displayed username (user ID) for assigning to ACLs.
|
||||
|
||||
## Simple Auth (`simple`)
|
||||
|
||||
The simple auth provider consists of a static mapping between users and passwords and groups and users. This can be seen as the replacement of htpasswd files.
|
||||
|
|
Loading…
Reference in a new issue