@@ -266,11 +266,57 @@ RP configuration
266266As you may have guessed by now a lot of the work you have to do to use this
267267packages lies in the RP configuration.
268268
269- The configuration parameters fall into 2 groups, one about the RP/client and
270- the other about the OP/AS
269+ The configuration parameters fall into 2 groups, one general that is the
270+ same for all RP/clients and one which is specific for a specific
271+ OP/AS
271272
272- RP configuration parameters
273- ---------------------------
273+ General RP configuration parameters
274+ -----------------------------------
275+
276+ Among the general parameters you have to define:
277+
278+ port
279+ Which port the RP is listening on
280+
281+ domain
282+ The domain the RP belongs to
283+
284+ these 2 together then defines the base_url. which is normally defined as::
285+
286+ base_url: "https://{domain}:{port}"
287+
288+
289+ logging
290+ How the process should log
291+
292+ http_params
293+ Defines how the process performs HTTP requests to other entities.
294+ Parameters here are typically **verify ** which controls whether the http
295+ client will verify the server TLS certificate or not.
296+ Other parameters are **client_cert **/**client_key ** which are needed only
297+ if you expect the TLS server to ask for the clients TLS certificate.
298+ Something that happens if you run in an environment where mutual TLS is
299+ expected.
300+
301+ rp_keys
302+ Definition of the private keys that all RPs are going to use in the OIDC
303+ protocol exchange.
304+
305+ jwks_uri
306+ Where the OP/AS can find the RPs public keys
307+
308+ There might be other parameters that you need dependent on which web framework
309+ you chose to use.
310+
311+ OP/AS specific configuration parameters
312+ ---------------------------------------
313+
314+ The client configuration is keyed to an OP/AS name. This name should
315+ be something human readable it does not have to in anyway be linked to the
316+ issuer ID of the OP/AS.
317+
318+ The key **"" ** (the empty string) is chosen to represent all OP/ASs that
319+ are dynamically discovered.
274320
275321Disregarding if doing everything dynamically or statically you **MUST **
276322define which services the RP/Client should be able to use.
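Review bot: the new `http_params` text describes `verify` as controlling whether the HTTP client validates the server TLS certificate, but does not state the default or spell out the consequence of turning it off; since a false `verify` removes server authentication for every OP/AS the RP talks to (token and userinfo responses included), the docs should say the default is to verify and that it should only be disabled for local testing. In the same hunk, the RST strong-emphasis markup is broken by the trailing space before the closing marker in `**verify **`, `**client_cert **/**client_key **`, `**"" **` and `**MUST **`; write them as `**verify**`, `**client_cert**`, `**client_key**`, `**""**` and `**MUST**` or the renderer will emit the literal asterisks. Minor wording while you are there: "these 2 together then defines the base_url. which is" should be "these two together define ``base_url``, which is", and "dependent on which web framework you chose to use" should read "depending on which web framework you choose to use".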
@@ -291,30 +337,11 @@ redirect_uris
291337 A set of URLs from which the RP can chose one to be added to the
292338 authorization request. The expectation is that the OP/AS will redirect
293339 the use back to this URL after the authorization/authentication has
294- completed.
295-
296- behavior
297- Information about how the RP should behave towards the OP/AS
298-
299- keys
300- If the OP doesn't support dynamic provider discovery it may still want to
301- have a way of distributing keys that allows it to rotate them at anytime.
302- To accomplish this some providers have choosen to publish a URL to where
303- you can find their OPs key material in the form of a JWKS.
304-
305- Usage example::
306-
307- 'keys': {'url': {<issuer_id> : <jwks_url>}}
308-
309-
310- If the provider info discovery is done dynamically you need this
340+ completed. These URLs should be OP/AS specific.
311341
312342client_preferences
313343 How the RP should prefer to behave against the OP/AS
314344
315- OP configuration parameters
316- ---------------------------
317-
318345issuer
319346 The Issuer ID of the OP.
320347
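Review bot: this hunk drops the `keys` parameter together with its usage example `'keys': {'url': {<issuer_id> : <jwks_url>}}`, and with it the only place that told readers how an OP without dynamic provider discovery can still publish a JWKS URL so it can rotate signing keys; if that configuration now lives elsewhere (for example under the OP/AS specific section introduced in the earlier hunk, or via the `jwks_uri` parameter), the replacement text should point there, otherwise the rotation guidance is lost and operators are more likely to pin keys statically. The `behavior` parameter is removed with no note on whether `client_preferences` replaces it; a one-line "`behavior` has been replaced by `client_preferences`" would prevent stale configs from silently being ignored. Also, the unchanged context line "redirect the use back to this URL" should read "the user back".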