path: root/doc/disfluid.texi
Diffstat (limited to 'doc/disfluid.texi')
-rw-r--r--  doc/disfluid.texi  104
1 files changed, 104 insertions, 0 deletions
diff --git a/doc/disfluid.texi b/doc/disfluid.texi
index 16cb1e3..d85afd8 100644
--- a/doc/disfluid.texi
+++ b/doc/disfluid.texi
@@ -1550,6 +1550,7 @@ the user.
* Hello world::
* Reverse proxy::
* Client pages::
+* Identity provider::
@end menu
@node Error signalling
@@ -1741,6 +1742,109 @@ This endpoint receives an authorization code, and display it to the
user, asking to paste it in the application.
@end deftp
+@node Identity provider
+@section Identity provider
+The @emph{(webid-oidc server endpoint identity-provider)} module
+defines endpoints that are required for an identity provider.
+
+@deftp {Class} <oidc-discovery> (<endpoint>) @var{configuration}
+Serve the OIDC @var{configuration}.
+
+You can construct it with @code{#:@var{configuration}}.
+@end deftp
+
+@deffn {Generic} configuration @var{endpoint}
+Return the OIDC configuration served by @var{endpoint}.
+@end deffn
+
+@deftp {Class} <authorization-endpoint> (<endpoint>) @var{subject} @var{encrypted-password} @var{key-file}
+The authorization endpoint prompts the user for a password, and then
+grants an authorization code. It is defined for one particular user,
+whose webid is @var{subject}, and who knows the password. The
+authorization endpoint signs authorization codes with the key under
+@var{key-file}. If this file does not exist, a new key will be
+generated.
+
+The constructor expects keyword arguments @code{#:@var{subject}},
+@code{#:@var{encrypted-password}} and @code{#:@var{key-file}}.
+@end deftp
+
+@deffn {Generic} subject @var{authorization-endpoint}
+Return the webid of the user authorized by
+@var{authorization-endpoint}.
+@end deffn
+
+@deffn {Generic} encrypted-password @var{authorization-endpoint}
+Return the encrypted password used to authentify the user at
+@var{authorization-endpoint}.
+@end deffn
+
+@deffn {Generic} key-file @var{authorization-endpoint}
+Return the file name where the key to sign authorization codes in
+@var{authorization-endpoint} is stored.
+@end deffn
+
+@deftp {Class} <token-endpoint> (<endpoint>) @var{issuer} @var{key-file}
+The token endpoint exchanges authorization codes or refresh tokens for
+new access tokens. The access token is signed with the key loaded from
+@var{key-file}, and the access token is bound to the @var{issuer} URI
+(host name).
+
+You can construct a token endpoint with the @code{#:@var{issuer}} and
+@code{#:@var{key-file}} keyword arguments.
+@end deftp
+
+@deffn {Generic} issuer @var{token-endpoint}
+Return the issuer (URI with no path) that this @var{token-endpoint}
+operates for.
+@end deffn
+
+@deffn {Generic} key-file @var{token-endpoint}
+Return the file name where the key to sign access tokens in
+@var{token-endpoint} is stored.
+@end deffn
+
+@deftp {Class} <jwks-endpoint> (<endpoint>) @var{key-file}
+The JWKS endpoint returns the list of valid public keys used by the
+identity provider. For now, only the public part of the key under
+@var{key-file} is served.
+
+You can construct one with the @code{#:@var{key-file}} header
+argument.
+@end deftp
+
+@deftp {Class} <identity-provider> (<router>) @var{oidc-discovery} @var{authorization-endpoint} @var{token-endpoint} @var{jwks-endpoint} @var{default}
+An identity provider is the sum of an @var{OIDC discovery} endpoint,
+an @var{authorization-endpoint}, an @var{token-endpoint} and an
+@var{jwks-endpoint}, and a @var{default} endpoint that gets all the
+requests that aren’t handled by the identity provider.
+
+You can construct one with the following keyword arguments:
+@code{#:@var{authorization-endpoint}}, @code{#:@var{token-endpoint}},
+@code{#:@var{jwks-endpoint}} and @code{#:@var{default}}.
+@end deftp
+
+@deffn {Generic} oidc-discovery @var{identity-provider}
+Return the OIDC discovery endpoint of the @var{identity-provider}.
+@end deffn
+
+@deffn {Generic} authorization-endpoint @var{identity-provider}
+Return the authorization endpoint of the @var{identity-provider}.
+@end deffn
+
+@deffn {Generic} token-endpoint @var{identity-provider}
+Return the token endpoint of the @var{identity-provider}.
+@end deffn
+
+@deffn {Generic} jwks-endpoint @var{identity-provider}
+Return the JWKS endpoint of the @var{identity-provider}.
+@end deffn
+
+@deffn {Generic} default @var{identity-provider}
+Return the endpoint where all requests that aren’t handled by any
+element of the @var{identity-provider} go.
+@end deffn
+
@node Running an Identity Provider
@chapter Running an Identity Provider
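Review bot: the constructor documentation for `<identity-provider>` does not match its class line. The `@deftp` lists `@var{oidc-discovery}` as a slot and an `oidc-discovery` accessor is documented right below, yet the keyword list names only `#:@var{authorization-endpoint}`, `#:@var{token-endpoint}`, `#:@var{jwks-endpoint}` and `#:@var{default}`; either add `#:@var{oidc-discovery}` or state how the discovery endpoint is obtained when it is not passed. Second, three endpoints each take a `key-file`, and the text says the authorization endpoint generates a fresh key when the file does not exist while the JWKS endpoint serves only the public part of the one key under its own `key-file`; the section should say plainly that `<authorization-endpoint>`, `<token-endpoint>` and `<jwks-endpoint>` must point at the same file, because an access token signed with a key the JWKS endpoint never publishes cannot be verified by relying parties, and a mistyped path on the authorization endpoint will quietly mint a second key instead of failing at startup. Stating the expected file permissions for that private key would also help, since the file is created by the server. Third, the `encrypted-password` slot does not say which hash or encryption format it expects, so a reader cannot produce a valid value from this text. Minor wording: "authentify" should read "authenticate"; "`#:@var{key-file}` header argument" for `<jwks-endpoint>` should read "keyword argument"; "an @var{token-endpoint} and an @var{jwks-endpoint}" should use "a"; and `@var{OIDC discovery}` should be `@var{oidc-discovery}` to match the slot name used in the class line and accessor.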