The core OpenID Connect protocol is implemented in the
This module is enabled by default.
The OpenID Connect module automatically enables the required OAuth modules for its operation.
Additional modules related to the OpenID protocol are set out in the table below.
|Module||Description||Enabled by default?|
|SimpleID\Protocols\Connect\ConnectClientRegistrationModule||Implements OpenID Connect dynamic client registration||No|
|SimpleID\Protocols\Connect\ConnectSessionModule||Implements OpenID Connect session management||No|
One of the objectives of the OpenID Connect protocol is to supply information about the user to
the requesting app or web site. Therefore the protocol is only useful if you store your user
information under the
userinfo object in the user file. For example, you can store your
name and e-mail address as follows:
name: "Jane Citizen"
In order for apps and web sites to discover your SimpleID installation, you will need to set up WebFinger. The SimpleID distribution includes a simple WebFinger server. See the WebFinger page for further information on how to set this up.
Alternatively, if you wish to run your own WebFinger server, you will need to point
http://openid.net/specs/connect/1.0/issuer for each user to your SimpleID server.
Clients can be registered with SimpleID manually or through the OpenID Connect Dynamic Registration protocol (if this is enabled).
Registering a client manually
To register a client manually, create a client file for the client using the instructions set out in Setting up clients.
The OpenID Connection configuration is specified under the
connect objects in the client file. At a minimum, at least one redirect URI must be specified in
example.client.yml in the identities directory for further details of the configuration options.
In addition to registering the client, the client itself needs to be configured to use SimpleID as the server.
OpenID Connect Dynamic Registration
Alternatively, if the client is supports the OpenID Connect Dynamic Registration and the
SimpleID\Protocols\Connect\ConnectClientRegistrationModule module is enabled, then the client can register itself as part of the discovery process.
In addition to registering the client with SimpleID, each client also needs to be configured to use SimpleID as the OpenID Connect endpoints. This configuration may occur automatically through OpenID Connect Discovery or you may need to configure the client manually.
OpenID Connect Discovery
If the client supports OpenID Connect Discovery, then it will be able to query the
/.well-known/openid-configuration endpoint to retrieve the relevant configuration.
Clients using WebFinger should support OpenID Connect Discovery. Alternatively, the client may allow you to specify the domain name or the OpenID Connect Discovery endpoint.
You need to make sure that the web server is correctly configured to point the
/.well-known/openid-configuration to SimpleID. See the installation instructions for further details.
To manually configure a client, specify the following endpoints, with the URL of the SimpleID installation prepended: