oidc-agent
  • Introduction
  • Quickstart
  • Migrating to oidc-agent 5
  • Installation
    • Linux
    • MacOS
    • Windows
  • Configuration
    • oidc-agent Directory
    • General Configuration
    • Custom Request Parameter
    • Configuration of Providers
    • oidc-agent Integration
    • Agent Forwarding
  • Usage
    • oidc-agent
      • Starting oidc-agent
      • General Usage
      • Detailed Information About All Options
    • oidc-agent-service
    • oidc-keychain
      • General Usage
      • Detailed Information About All Options
    • oidc-gen
      • General Usage
      • Detailed Information About All Options
      • Integrate With Different Providers
        • B2Access
        • EGI
        • Elixir
        • Google
        • HBP
        • Helmholtz AAI
        • IAM (INDIGO/DEEP)
        • KIT
        • Any Other Provider
        • Known Issues
        • Client Configuration Values
    • oidc-add
      • General Usage
      • Detailed Information About All Options
    • oidc-token
      • General Usage
      • Detailed Information About All Options
    • oidc-tokensh
      • General Usage
      • Detailed Information About All Options
    • Other Applications Using oidc-agent
    • Tips
    • oidc-agent-server
  • Windows
    • Installation
  • MAC OS
    • State of Feature Support
    • Installation
  • Security
    • Privilege Separation & Architecture
    • Account Configuration Files
    • Credentials
    • Memory
    • Agent Locking
    • Communication
    • Encryption Passwords
    • Autounload (Lifetime)
    • User Confirmation
    • Tracing
    • seccomp
    • Final Note
  • API
    • liboidc-agent4
    • liboidcagent-go
    • liboidcagent-py
    • IPC-API
Powered by GitBook
On this page
  • Scope
  • Redirect Uri
  • Response Type
  • Grant Type
  1. Usage
  2. oidc-gen
  3. Integrate With Different Providers

Client Configuration Values

When registering a client manually you might have to provide quite a number of specific configuration values. And even when using dynamic client registration oidc-gen prompts you for some values. If you are not familiar with one of these values, please check this section.

When registering a client an OpenID Provider might be using default values for some of these configurations so you might not have to provide all of them.

Scope

OpenID Connect clients use scope values to specify what access privileges are being requested for access tokens. Required scopes for oidc-agent are: openid and offline_access. Additional scopes can be registered if needed. Most likely you also want to register at least the profile scope.

When using dynamic client registration the user will be prompted to enter scopes that will be registered with that client. The keyword max can be used to request all supported scopes.

Example Scope: openid profile offline_access

Redirect Uri

The Redirect Uri is used during the Authorization Code Flow. The Redirect Uri must be of the following scheme: http://localhost:<port> where <port> should be an available port. It is also possible to specify an additional path, e.g. http://localhost:8080/redirect, but this is not required. It is important that this port is not used when generating the account configuration with oidc-gen. Multiple Redirect Uris can be registered to have a backup port if the first one may be already in use. oidc-gen also supports a custom redirect scheme, that can be used to redirect directly to oidc-gen. In that case the redirect uri has to be of the form edu.kit.data.oidc-agent:/<path>.

We recommend registering the following redirect uris:

  • http://localhost:4242

  • http://localhost:8080

  • http://localhost:43985

  • edu.kit.data.oidc-agent:/redirect

Note: Only pass the edu.kit.data.oidc-agent:/redirect uri to oidc-gen, if you wish to directly redirect to oidc-gen without using a webserver started by oidc-agent.

Response Type

The following response types must be registered:

  • 'token' when using the Password Flow (see also

Grant Type

The following grant types must be registered:

  • 'refresh_token' if available

  • 'password' when using the Password Flow (see also

PreviousKnown IssuesNextoidc-add

Last updated 5 years ago

)

'code' when using the Authorization Code Flow (see also )

'authorization_code' when using the Authorization Code Flow (see also )

)

'urn:ietf:params:oauth:grant-type:device_code' when using the Device Flow (see also )

flow
flow
flow
flow
flow