Versions Compared

Old Version 1

changes.mady.by.user Frode Beckmann Nilsen

Saved on

compared with

New Version Current

changes.mady.by.user Frode Beckmann Nilsen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space PDOIDC and version London_OIDC

...

NameDescription
scopeList of scope values specifying what kind of resources (dataset) the OIDC Client requests access to. The value openid must always be included in the list. Note that scope values are case-sensitive.
response_type

Determines the message flow to be used, thus also governing the content and type of the response from the Authorize endpoint. The following combinations are supported:

client_id Unique ID (arbitrary string) for the OIDC Client in question. This is created as part of the provisioning process.
redirect_uriRedirect URI to which the Authorize response will be sent. This URI must exactly match one of the Redirect URI values for the OIDC Client pre-registered at the OpenID Provider
state Opaque value used to maintain state between the request and the callback.
response_mode

The response mode to be used for returning parameters from the Authorization Endpoint. The following values are supported:

  • query
  • fragment
  • form_post
nonce String value used to associate a ODIC Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token
ui_localesMay be used to set a language preference for GUI handling. The default GUI experience supports 'nb' (Norsk Bokmål) and 'en' (English). If ui_locales is not set, the first (if any) Accept-Language header of the request is used to dermine preferred locale. Otherwise 'nb' is used by default.
promptSupport for the standardized values none and login. The former can be used to check for an existing (still valid) authentication session with the OIDC provider. The latter can be used to force a re-authentication, possibly with a different login_hint and/or acr_values.
acr_values

Requests use of any IDP at a given Level of Assurance (Authentication Context Class Reference) or above. A selector dialogue is shown to the enduser if more than one IDP option meet the required minimum level. Note that this parameter has no effect if the login_hint parameter contains a reference to any particular IDP. Nor does it have any effect if the id_token_hint parameter is set. If none of these parameters are set a selector dialogue is shown contianing all available IDP options.

login_hint

This parameter may be used to specify the use of any particularly named IDP (Authentication Method Reference) along with any pre-configuration for the designated IDP. Note that this parameter has no effect f the id_token_hint parameter is set. If none of these parameter are set, the acr_values parameter determines IDP selection.

See further details on login_hint support for each of the supported IDPs. 

id_token_hintJWT value for an ID Token previously issued by the OIDC Provider used as a hint about the enduser's authenticated session with the OIDC provider. Note that this parameter has precedence before both acr_values and login_hint, but precedence after the prompt parameter. If the ID Token has expired, a new authentication is triggered for the IDP option that was used when the ID Token was issued. Otherwise the authentication is still granted valid and the OIDC Provider proceeds directly to consent handling.

...