OIDC
The oidc block lets you configure the oauth2_authorization_url() function and an access
control for an OIDC Authorization Code Grant Flow redirect endpoint.
Like all access control types, the oidc block is defined in the definitions Block and can be referenced in all configuration blocks by its required label.
| Block name | Context | Label |
|---|---|---|
oidc | Definitions Block | ⚠ required |
⚠ backend attributes: Do not disable the peer certificate validation with disable_certificate_validation = true. The OIDC client fetches the discovery document, the JWK set, the tokens and the userinfo over these backends; without certificate validation an attacker on the path could serve forged keys and tokens.
A nested jwt_signing_profile block is used to create a client assertion if token_endpoint_auth_method is either "client_secret_jwt" or "private_key_jwt".
Attributes
| Name | Type | Default | Description |
|---|---|---|---|
backend | string | - | References a default backend in definitions for OpenID configuration, JWKS, token and userinfo requests. Mutually exclusive with backend block. |
client_id | string | - | The client identifier. |
client_secret | string | - | The client secret. Required unless token_endpoint_auth_method is "private_key_jwt". |
configuration_backend | string | - | References a backend in definitions for OpenID configuration requests. |
configuration_max_stale | duration | "1h" | Duration a cached OpenID configuration stays valid after its TTL has passed. |
configuration_ttl | duration | "1h" | The duration to cache the OpenID configuration located at configuration_url. |
configuration_url | string | - | The OpenID configuration URL. |
custom_log_fields | object | - | Log fields for custom logging. Inherited by nested blocks. |
jwks_max_stale | duration | "1h" | Time period the cached JWK set stays valid after its TTL has passed. |
jwks_ttl | duration | "1h" | Time period the JWK set stays valid and may be cached. |
jwks_uri_backend | string | - | References a backend in definitions for JWKS requests. |
redirect_uri | string | - | The Couper endpoint for receiving the authorization code. Relative URL references are resolved against the origin of the current request URL. The origin can be changed with the accept_forwarded_url attribute if Couper is running behind a proxy. |
scope | string | - | A space separated list of requested scope values for the access token. |
token_backend | string | - | References a backend in definitions for token requests. |
token_endpoint_auth_method | string | "client_secret_basic" | Defines the method to authenticate the client at the token endpoint. If set to "client_secret_post", the client credentials are transported in the request body. If set to "client_secret_basic", the client credentials are transported via Basic Authentication. If set to "client_secret_jwt", the client is authenticated via a JWT signed with the client_secret. If set to "private_key_jwt", the client is authenticated via a JWT signed with its private key (see jwt_signing_profile block). |
userinfo_backend | string | - | References a backend in definitions for userinfo requests. |
verifier_method | string | - | The method to verify the integrity of the authorization code flow: "ccm_s256" (PKCE with code_challenge_method S256, RFC 7636) or "nonce" (an OIDC nonce that must appear in the ID token). |
verifier_value | string | - | The value of the (unhashed) verifier, e.g. a cookie value created with the oauth2_verifier() function when the flow was started. It must be the same value that was used for the matching oauth2_authorization_url() call. |
In most cases, referencing one backend (the backend attribute or the nested backend block) for all requests sent by the OIDC client is enough.
Use configuration_backend, jwks_uri_backend, token_backend or userinfo_backend only if a specific request needs its own settings (e.g. timeouts).
If the OpenID configuration lists S256 under code_challenge_methods_supported, the default value for verifier_method is "ccm_s256", otherwise "nonce".
The HTTP header field Accept: application/json is added to the token request automatically. It can be modified with request header modifiers in a backend block.
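A complete login/callback pair using the oidc block, as an added example (not configuration taken from the Couper documentation). The IdP URL, the client_id, the environment variable name, the /login and /oidc/callback paths and the cookie name "verifier" are assumed values.

```hcl
# Added example, not part of the original page. Assumed: IdP URL, client_id,
# env var OIDC_CLIENT_SECRET, endpoint paths and the cookie name "verifier".
server "spa" {
  # Starts the flow: redirect the browser to the IdP and bind the PKCE
  # verifier (or nonce) to this user agent with a cookie, so the callback
  # can only succeed for the browser that started the flow.
  endpoint "/login" {
    response {
      status = 303
      headers = {
        location   = oauth2_authorization_url("idp")
        set-cookie = "verifier=${oauth2_verifier()};HttpOnly;Secure;SameSite=Lax;Path=/oidc/callback"
      }
    }
  }

  # The redirect endpoint; its path must match redirect_uri below. The
  # access control exchanges the code for tokens and validates the ID token
  # before the response is built.
  endpoint "/oidc/callback" {
    access_control = ["idp"]
    response {
      json_body = request.context.idp.id_token_claims
    }
  }
}

definitions {
  oidc "idp" {
    configuration_url = "https://idp.example.com/.well-known/openid-configuration"
    client_id         = "couper"
    client_secret     = env.OIDC_CLIENT_SECRET   # keep the secret out of the file
    redirect_uri      = "/oidc/callback"
    scope             = "profile email"
    # verifier_method keeps its default: "ccm_s256" when the discovery
    # document lists S256, "nonce" otherwise.
    verifier_value    = request.cookies.verifier

    # Catch-all handler: a failed code exchange or token validation
    # answers 403 instead of the default error page.
    error_handler {
      response {
        status = 403
      }
    }
  }
}
```

The cookie uses SameSite=Lax on purpose: the IdP redirects the browser back to /oidc/callback with a cross-site top-level GET, and a Strict cookie would not be sent on that navigation, so verifier_value would be empty and every login would fail the verifier check.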
Duration
Example: timeout = "300s"
| Duration units | Description |
|---|---|
ns | nanoseconds |
us (or µs) | microseconds |
ms | milliseconds |
s | seconds |
m | minutes |
h | hours |
Nested Blocks
| Name | Description |
|---|---|
backend | Configures a default backend for OpenID configuration, JWKS, token and userinfo requests. Mutually exclusive with backend attribute. |
error_handler | Configures an error handler (zero or more). |
jwt_signing_profile | Configures a JWT signing profile to create a client assertion if token_endpoint_auth_method is either "client_secret_jwt" or "private_key_jwt". |
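Client authentication with a private key instead of a shared secret, plus a dedicated backend for the token request only, as an added example (not configuration from the Couper documentation). The key file path, the IdP origin, the timeout and the jwt_signing_profile attribute values are assumed.

```hcl
# Added example, not part of the original page. Assumed: IdP URL, client_id,
# key file path, token backend timeout and the jwt_signing_profile values.
definitions {
  oidc "idp" {
    configuration_url          = "https://idp.example.com/.well-known/openid-configuration"
    client_id                  = "couper"
    redirect_uri               = "/oidc/callback"
    verifier_value             = request.cookies.verifier
    # No client_secret: the client proves its identity with a signed
    # assertion (RFC 7523) instead of a shared secret.
    token_endpoint_auth_method = "private_key_jwt"

    # Signs the client assertion sent to the token endpoint. Couper fills
    # the standard claims (issuer/subject = client_id, audience = token
    # endpoint) from the configuration.
    jwt_signing_profile {
      signature_algorithm = "RS256"
      key_file            = "/etc/couper/client-private.pem"   # the client's key, never the IdP's
      ttl                 = "1m"                                # short-lived assertion
    }

    # Only the token request gets its own backend; discovery, JWKS and
    # userinfo requests keep the default backend.
    token_backend = "idp_token"
  }

  backend "idp_token" {
    origin  = "https://idp.example.com"
    timeout = "5s"
    # disable_certificate_validation = true   <- never set this here
  }
}
```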