OIDC
The oidc block lets you configure the oauth2_authorization_url() function and an access control for an OIDC Authorization Code Grant Flow redirect endpoint.
Like all access control types, the oidc block is defined in the definitions block and can be referenced in all configuration blocks by its required label.
Block name | Context | Label |
---|---|---|
oidc | Definitions Block | ⚠ required |
Note on any backend attributes: do not disable the peer certificate validation with disable_certificate_validation = true.
A nested jwt_signing_profile block is used to create a client assertion if token_endpoint_auth_method is either "client_secret_jwt" or "private_key_jwt".
Attributes
Name | Type | Default | Description |
---|---|---|---|
backend | string | - | References a default backend in definitions for OpenID configuration, JWKS, token and userinfo requests. Mutually exclusive with |
client_id | string | - | The client identifier. |
client_secret | string | - | The client password. Required unless |
configuration_backend | string | - | References a backend in definitions for OpenID configuration requests. |
configuration_max_stale | duration | "1h" | Duration a cached OpenID configuration stays valid after its TTL has passed. |
configuration_ttl | duration | "1h" | The duration to cache the OpenID configuration located at |
configuration_url | string | - | The OpenID configuration URL. |
custom_log_fields | object | - | Log fields for custom logging. Inherited by nested blocks. |
jwks_max_stale | duration | "1h" | Time period the cached JWK set stays valid after its TTL has passed. |
jwks_ttl | duration | "1h" | Time period the JWK set stays valid and may be cached. |
jwks_uri_backend | string | - | References a backend in definitions for JWKS requests. |
redirect_uri | string | - | The Couper endpoint for receiving the authorization code. Relative URL references are resolved against the origin of the current request URL. The origin can be changed with the |
scope | string | - | A space separated list of requested scope values for the access token. |
token_backend | string | - | References a backend in definitions for token requests. |
token_endpoint_auth_method | string | "client_secret_basic" | Defines the method to authenticate the client at the token endpoint. If set to |
userinfo_backend | string | - | References a backend in definitions for userinfo requests. |
verifier_method | string | - | The method to verify the integrity of the authorization code flow. |
verifier_value | string | - | The value of the (unhashed) verifier. |
In most cases, referencing one backend (backend attribute) for all the backend requests sent by the OIDC client is enough.
You should only use configuration_backend, jwks_uri_backend, token_backend or userinfo_backend if you need to configure a specific behaviour for the respective request (e.g. timeouts).
If the OpenID server supports the code_challenge_method S256, the default value for verifier_method is "ccm_s256"; otherwise it is "nonce".
The HTTP header field Accept: application/json is automatically added to the token request. This can be modified with request header modifiers in a backend block.
Duration
Example: timeout = "300s"
Duration units | Description |
---|---|
ns | nanoseconds |
us (or µs) | microseconds |
ms | milliseconds |
s | seconds |
m | minutes |
h | hours |
Nested Blocks
Name | Description |
---|---|
backend | Configures a default backend for OpenID configuration, JWKS, token and userinfo requests. Mutually exclusive with |
error_handler | Configures an error handler (zero or more). |
jwt_signing_profile | Configures a JWT signing profile to create a client assertion if |
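A complete configuration that wires the oidc block together with a login endpoint and the redirect endpoint it protects, added here as an illustration and not taken from the Couper reference. The label idp, the hostnames, the cookie name pkce, the environment variable and the backend timeouts are assumptions; the oauth2_verifier() function and the request.cookies and env variables are Couper built-ins used here to carry the verifier between the two requests.

```hcl
server {
  # Step 1: send the browser to the provider. The verifier generated for
  # this flow is stored in a cookie scoped to the callback path so the
  # access control can present it when the code comes back.
  endpoint "/login" {
    response {
      status = 303
      headers = {
        location   = oauth2_authorization_url("idp")
        set-cookie = "pkce=${oauth2_verifier()}; HttpOnly; Secure; Path=/oidc/callback"
      }
    }
  }

  # Step 2: the redirect endpoint. Referencing the oidc label as an access
  # control makes Couper validate the state/nonce or PKCE verifier and
  # exchange the authorization code before the response below is sent.
  endpoint "/oidc/callback" {
    access_control = ["idp"]
    response {
      status  = 303
      headers = { location = "/" }
    }
  }
}

definitions {
  oidc "idp" {
    configuration_url = "https://idp.example.com/.well-known/openid-configuration"
    client_id         = "couper-app"
    client_secret     = env.IDP_CLIENT_SECRET   # assumed environment variable
    redirect_uri      = "/oidc/callback"        # relative: resolved against the request origin
    scope             = "profile email"
    verifier_method   = "ccm_s256"              # PKCE; requires S256 support at the provider
    verifier_value    = request.cookies.pkce    # the unhashed verifier set in /login
    # token_endpoint_auth_method keeps its default "client_secret_basic"

    # One nested backend serves discovery, JWKS, token and userinfo requests,
    # so the backend attribute is not set (the two are mutually exclusive).
    backend {
      origin  = "https://idp.example.com"
      timeout = "10s"
      # disable_certificate_validation is left at its default (false)
    }
  }
}
```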