diff --git a/Enabling-SSO-support-using-OpenId-Connect.md b/Enabling-SSO-support-using-OpenId-Connect.md index 6d9e5e2..d87e662 100644 --- a/Enabling-SSO-support-using-OpenId-Connect.md +++ b/Enabling-SSO-support-using-OpenId-Connect.md @@ -18,7 +18,7 @@ The following configurations are available - The URL must not include the `/.well-known/openid-configuration` - `${SSO_AUTHORITY}/.well-known/openid-configuration` must return a JSON document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse (with an [HTTP status code 200 OK](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse:~:text=A%20successful%20response%20MUST%20use%20the%20200%20OK%20HTTP%20status%20code)!) - `SSO_AUTHORITY` has to match the exact value of the `issuer` field that is returned by that JSON (so take the `issuer` value of the file if you are unsure whether to include a trailing slash or not). -- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`) +- `SSO_SCOPES` : Optional, allow to override scopes if needed (default `email profile`) - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`) - `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`). - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`. @@ -105,7 +105,7 @@ Or for a specific client in `Clients / Client details / Advanced / Advanced sett Server configuration: - `SSO_AUTHORITY=https://${keycloak_domain}/realms/${realm_name}` -- `SSO_SCOPES="email profile offline_access"` +- `SSO_SCOPES=email profile offline_access` - `SSO_CLIENT_ID` - `SSO_CLIENT_SECRET` 
@@ -129,7 +129,7 @@ To obtain a `refresh_token` to be able to extend session you'll need to add the Config will look like: -- `SSO_SCOPES="email profile offline_access"` +- `SSO_SCOPES=email profile offline_access` ## Authentik @@ -143,7 +143,7 @@ Starting with `2024.2` version you will need to add the `offline_access` scope a Server configuration should look like: - `SSO_AUTHORITY=https://${authentik_domain}/application/o/${application_name}/` : trailing `/` is important -- `SSO_SCOPES="email profile offline_access"` +- `SSO_SCOPES=email profile offline_access` - `SSO_CLIENT_ID` - `SSO_CLIENT_SECRET` @@ -280,7 +280,7 @@ But older versions might have to disable it (`SSO_PKCE=false`). Config will look like: - `SSO_AUTHORITY=https://${provider_host}` -- `SSO_SCOPES="email profile offline_access"` +- `SSO_SCOPES=email profile offline_access` - `SSO_CLIENT_ID` - `SSO_CLIENT_SECRET` - `SSO_AUDIENCE_TRUSTED='^${Project Id}$'`
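Review bot: The first hunk (the `SSO_SCOPES` default at line 18) drops the quotes without saying in which setting the unquoted form is the right one, and the same file still shows the `SSO_AUTHORIZE_EXTRA_PARAMS` default as `""` and the `SSO_AUDIENCE_TRUSTED` regex as `'^$'`, so the quoting convention is now inconsistent within one list. `SSO_SCOPES=email profile` is only correct where the value is read verbatim with no shell involved (an env file consumed by the process manager or container runtime); typed into a shell, `SSO_SCOPES=email profile offline_access` is parsed as the assignment `SSO_SCOPES=email` applied to a command named `profile`, not as a single value. Suggest one sentence near the top of the list stating that values are shown as they appear in an env file and that a shell `export` needs the quotes back, e.g. `export SSO_SCOPES="email profile offline_access"`, and aligning the `""` and `'^$'` defaults with whichever convention is chosen.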
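Review bot: In the last hunk (line 280 region) the block now mixes `SSO_SCOPES=email profile offline_access` with no quotes and `SSO_AUDIENCE_TRUSTED='^${Project Id}$'` with single quotes in the same "Config will look like" list; a reader copying both lines into one env file cannot tell whether the single quotes are part of the regex value or shell quoting, and the earlier hunks (Keycloak and Authentik sections) have the same mismatch wherever `SSO_AUDIENCE_TRUSTED` appears. Suggest either dropping the single quotes here as well or adding a short note beside the regex line saying explicitly whether the quote characters are written into the file.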