example/oidcop_frontend.yaml

module: satosa_oidcop.idpy_oidcop.OidcOpFrontend
name: OIDC

config:
  domain: &domain localhost
  server_name: *domain
  base_url: &base_url <base_url>

  storage:
    class: "satosa_oidcop.core.storage.mongo.Mongodb"
    kwargs:
      url: mongodb://satosa-mongo:27017/oidcop
      connection_params:
        username: satosa
        password: thatpassword
        connectTimeoutMS: 5000
        socketTimeoutMS: 5000
        serverSelectionTimeoutMS: 5000
    db_name: oidcop
    collections:
      # type: collection name
      session: session
      client: client

  default_target_backend: spidSaml2
  salt_size: 8

  op:
    server_info:
      add_on:
        pkce:
          function: idpyoidc.server.oauth2.add_on.pkce.add_support
          kwargs:
            code_challenge_method: S256 S384 S512
            essential: false
      authentication:
        user:
          acr: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
          class: satosa_oidcop.core.user_authn.SatosaAuthnMethod
      authz:
        class: idpyoidc.server.authz.AuthzHandling
        kwargs:
          grant_config:
            expires_in: 43200
            usage_rules:
              access_token: {}
              authorization_code:
                max_usage: 1
                supports_minting:
                  - access_token
                  - refresh_token
                  - id_token
              refresh_token:
                supports_minting:
                  - access_token
                  - refresh_token
      capabilities:
        grant_types_supported:
          - authorization_code
          - urn:ietf:params:oauth:grant-type:jwt-bearer
          - refresh_token
        subject_types_supported:
          - public
          - pairwise
        scopes_supported:
          - openid
          - profile
          - offline_access
        claims_supported:
          - sub
          - given_name
          - birthdate
          - email
      endpoint:
        provider_info:
          class: idpyoidc.server.oidc.provider_config.ProviderConfiguration
          kwargs:
            client_authn_method: null
          path: .well-known/openid-configuration
        authorization:
          class: idpyoidc.server.oidc.authorization.Authorization
          kwargs:
            claims_parameter_supported: true
            client_authn_method: null
            request_object_encryption_alg_values_supported: &id001
              - RSA-OAEP
              - RSA-OAEP-256
            request_parameter_supported: true
            request_uri_parameter_supported: true
            response_modes_supported:
              - query
              - fragment
              - form_post
            response_types_supported:
              - code
          path: OIDC/authorization
        token:
          class: idpyoidc.server.oidc.token.Token
          kwargs:
            client_authn_method:
              - client_secret_post
              - client_secret_basic
              - client_secret_jwt
              - private_key_jwt
          path: OIDC/token
        userinfo:
          class: idpyoidc.server.oidc.userinfo.UserInfo
          kwargs:
            claim_types_supported:
              - normal
              - aggregated
              - distributed
            userinfo_encryption_alg_values_supported: *id001
            userinfo_signing_alg_values_supported: &id002
              - RS256
              - RS512
              - ES256
              - ES512
          path: OIDC/userinfo
        introspection:
          class: idpyoidc.server.oauth2.introspection.Introspection
          kwargs:
            client_authn_method:
              - client_secret_post
              - client_secret_basic
              - client_secret_jwt
              - private_key_jwt
            release:
              - username
          path: OIDC/introspection
        # uncomment this for dynamic client registration
        #registration:
        #class: idpyoidc.server.oidc.registration.Registration
        #kwargs:
        #client_authn_method: null
        #client_id_generator:
        #class: idpyoidc.server.oidc.registration.random_client_id
        #kwargs: {}
        #client_secret_expiration_time: 432000
        #path: OIDC/registration
        registration_read:
          class: idpyoidc.server.oidc.read_registration.RegistrationRead
          kwargs:
            client_authn_method:
              - bearer_header
          path: OIDC/registration_read
        # TODO - Logout in SATOSA haven't been implemented
        #end_session:
        #class: idpyoidc.server.oidc.session.Session
        #kwargs:
        #backchannel_logout_session_supported: true
        #backchannel_logout_supported: true
        #frontchannel_logout_session_supported: true
        #frontchannel_logout_supported: true
        #logout_verify_url: verify_logout
        #post_logout_uri_path: post_logout
        #signing_alg: ES256
        #path: OIDC/session
      httpc_params:
        verify: false
      issuer: *base_url
      keys:
        key_defs:
          - type: RSA
            use:
              - sig
          - crv: P-256
            type: EC
            use:
              - sig
        private_path: data/oidc_op/private/jwks.json
        public_path: data/static/jwks.json
        read_only: false
        uri_path: OIDC/jwks.json
      login_hint2acrs:
        class: idpyoidc.server.login_hint.LoginHint2Acrs
        kwargs:
          scheme_map:
            email:
              - urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
      session_params:
        encrypter:
          class: cryptojwt.jwe.fernet.FernetEncrypter
          kwargs:
            password: CHANGE_ME__password_used_to_encrypt_access_token_sid_value
            salt: "CHANGE_ME salt involved in session sub hash"
            keys:
              key_defs:
                - type: OCT
                  use:
                    - enc
                  kid: password
                - type: OCT
                  use:
                    - enc
                  kid: salt
        sub_func:
          pairwise:
            class: idpyoidc.server.session.manager.PairWiseID
            kwargs:
              salt: CHANGE_ME_OR_LET_IT_BE_RANDOMIC
          public:
            class: idpyoidc.server.session.manager.PublicID
            kwargs:
              salt: CHANGE_ME_OR_LET_IT_BE_RANDOMIC
      template_dir: templates
      token_handler_args:
        code:
          kwargs:
            lifetime: 600
            crypt_conf:
              kwargs:
                password: CHANGE_ME__password_used_to_encrypt_authorization_code
                salt: "CHANGE_ME salt involved in authorization code hash"
                keys:
                  key_defs:
                    - type: OCT
                      use:
                        - enc
                      kid: password
                    - type: OCT
                      use:
                        - enc
                      kid: salt
        id_token:
          class: idpyoidc.server.token.id_token.IDToken
          kwargs:
            id_token_encryption_alg_values_supported: *id001
            id_token_encryption_enc_values_supported:
              - A128CBC-HS256
              - A192CBC-HS384
              - A256CBC-HS512
              - A128GCM
              - A192GCM
              - A256GCM
            id_token_signing_alg_values_supported: *id002
        #jwks_file: data/oidc_op/private/token_jwks.json
        # jwks_def:
        # private_path: data/oidc_op/private/token_jwks.json
        # read_only: False
        # key_defs:
        # - type: oct
        # bytes: 24
        # use:
        # - enc
        # kid: code
        # - type: oct
        # bytes: 24
        # use:
        # - enc
        # kid: token
        # - type: oct
        # bytes: 24
        # use:
        # - enc
        # kid: refresh
        refresh:
          kwargs:
            lifetime: 86400
            crypt_conf:
              kwargs:
                password: CHANGE_ME__password_used_to_encrypt_refresh_tokens
                salt: "CHANGE_ME salt involved in refresh token hash"
                keys:
                  key_defs:
                    - type: OCT
                      use:
                        - enc
                      kid: password
                    - type: OCT
                      use:
                        - enc
                      kid: salt
        token:
          class: idpyoidc.server.token.jwt_token.JWTToken
          kwargs:
            lifetime: 3600
      userinfo:
        class: satosa_oidcop.core.user_info.SatosaOidcUserInfo
        #kwargs:
        #whatever:
        #key: value
      # until SATOSA won't support logout the oidcop cookies are quite useless
      #cookie_handler:
      #class: idpyoidc.server.cookie_handler.CookieHandler
      #kwargs:
      #flags:
      #httponly: true
      #samesite: None
      #secure: true
      #keys:
      #key_defs:
      #- kid: enc
      #type: OCT
      #use:
      #- enc
      #- kid: sig
      #type: OCT
      #use:
      #- sig
      #private_path: data/oidc_op/private/cookie_jwks.json
      #read_only: false
      #name:
      #register: oidc_op_rp
      #session: oidc_op
      #session_management: sman