Iddawc
Handle the flow of OAuth2 and OpenID Connect authentication process from the client side.
|
Macros | |
#define | I_OK 0 |
Success. More... | |
#define | I_ERROR 1 |
Error. More... | |
#define | I_ERROR_PARAM 2 |
Error in parameters. More... | |
#define | I_ERROR_MEMORY 3 |
Memory error. More... | |
#define | I_ERROR_UNAUTHORIZED 4 |
Request unauthorized. More... | |
#define | I_ERROR_SERVER 5 |
Server error. More... | |
#define | I_RESPONSE_TYPE_NONE 0x00000000 |
No response type. More... | |
#define | I_RESPONSE_TYPE_CODE 0x00000001 |
Response type code. More... | |
#define | I_RESPONSE_TYPE_TOKEN 0x00000010 |
Response type token. More... | |
#define | I_RESPONSE_TYPE_ID_TOKEN 0x00000100 |
Response type id_token. More... | |
#define | I_RESPONSE_TYPE_PASSWORD 0x00001000 |
Grant type password. More... | |
#define | I_RESPONSE_TYPE_CLIENT_CREDENTIALS 0x00010000 |
Grant type client_credentials. More... | |
#define | I_RESPONSE_TYPE_REFRESH_TOKEN 0x00100000 |
Grant type refresh_token. More... | |
#define | I_RESPONSE_TYPE_DEVICE_CODE 0x01000000 |
Grant type urn:ietf:params:oauth:grant-type:device_code. More... | |
#define | I_RESPONSE_TYPE_CIBA 0x10000000 |
Grant type urn:openid:params:grant-type:ciba. More... | |
#define | I_AUTH_METHOD_GET 0x00000001 |
auth endpoint using GET method More... | |
#define | I_AUTH_METHOD_POST 0x00000010 |
auth endpoint using POST method More... | |
#define | I_AUTH_METHOD_JWT_SIGN_SECRET 0x00000100 |
auth endpoint using a JWT signed with the client secret More... | |
#define | I_AUTH_METHOD_JWT_SIGN_PRIVKEY 0x00001000 |
auth endpoint using a JWT signed with the client private key More... | |
#define | I_AUTH_METHOD_JWT_ENCRYPT_SECRET 0x00010000 |
auth endpoint using a JWT encrypted with the client secret More... | |
#define | I_AUTH_METHOD_JWT_ENCRYPT_PUBKEY 0x00100000 |
auth endpoint using a JWT encrypted with the server public key More... | |
#define | I_TOKEN_AUTH_METHOD_NONE 0x00000000 |
token endpoint using no authentication More... | |
#define | I_TOKEN_AUTH_METHOD_SECRET_BASIC 0x00000001 |
token endpoint using HTTP basic auth with client_id and client password More... | |
#define | I_TOKEN_AUTH_METHOD_SECRET_POST 0x00000010 |
token endpoint using secret sent in POST parameters More... | |
#define | I_TOKEN_AUTH_METHOD_TLS_CERTIFICATE 0x00000100 |
token endpoint using TLS Certificate authentication More... | |
#define | I_TOKEN_AUTH_METHOD_JWT_SIGN_SECRET 0x00001000 |
token endpoint using a JWT signed with the client secret More... | |
#define | I_TOKEN_AUTH_METHOD_JWT_SIGN_PRIVKEY 0x00010000 |
token endpoint using a JWT signed with the client private key More... | |
#define | I_TOKEN_AUTH_METHOD_JWT_ENCRYPT_SECRET 0x00100000 |
token endpoint using a JWT encrypted with the client secret More... | |
#define | I_TOKEN_AUTH_METHOD_JWT_ENCRYPT_PUBKEY 0x01000000 |
token endpoint using a JWT signed with the client private key and encrypted with the server public key or the client secret More... | |
#define | I_STRICT_NO 0x00000000 |
Do not strictly conform to openid config result. More... | |
#define | I_STRICT_YES 0x00000001 |
Strictly conform to openid config result. More... | |
#define | I_STRICT_JWT_AT_SIGNATURE 0x00000010 |
Verify JWT access tokens signatures. More... | |
#define | I_STRICT_JWT_AT_HEADER_TYP 0x00000100 |
Verify JWT access tokens header typ value. More... | |
#define | I_STRICT_JWT_AT_CLAIM 0x00001000 |
Verify JWT access tokens claims values. More... | |
#define | I_AUTH_SIGN_ALG_MAX_LENGTH 8 |
Max length of a sign algorithm name. More... | |
#define | I_BEARER_TYPE_HEADER 0 |
Bearer type header, the token will be available in the header. More... | |
#define | I_BEARER_TYPE_BODY 1 |
Bearer type body, the token will be available as a body url-encoded parameter. More... | |
#define | I_BEARER_TYPE_URL 2 |
Bearer type url, the token will be available as a url query parameter. More... | |
#define | I_INTROSPECT_REVOKE_AUTH_NONE 0 |
Introspection/Revocation - no authentication. More... | |
#define | I_INTROSPECT_REVOKE_AUTH_ACCESS_TOKEN 1 |
Introspection/Revocation - authentication using access token. More... | |
#define | I_INTROSPECT_REVOKE_AUTH_CLIENT_TARGET 2 |
Introspection/Revocation - authentication with client credentials. More... | |
#define | I_TOKEN_TYPE_ACCESS_TOKEN 0 |
#define | I_TOKEN_TYPE_ID_TOKEN 1 |
#define | I_TOKEN_TYPE_USERINFO 2 |
#define | I_TOKEN_TYPE_INTROSPECTION 3 |
#define | I_TOKEN_TYPE_RESPONSE_AUTH 4 |
#define | I_HEADER_PREFIX_BEARER "Bearer " |
#define | I_HEADER_PREFIX_DPOP "DPoP " |
#define | I_HEADER_AUTHORIZATION "Authorization" |
#define | I_CONTENT_TYPE_JWKS "application/jwk-set+json" |
#define | I_BODY_URL_PARAMETER "access_token" |
#define | I_HEADER_DPOP "DPoP" |
#define | I_REMOTE_VERIFY_NONE 0x0000 |
No TLS Verification. More... | |
#define | I_REMOTE_HOST_VERIFY_PEER 0x0001 |
Verify TLS session with peers. More... | |
#define | I_REMOTE_HOST_VERIFY_HOSTNAME 0x0010 |
Verify TLS session with hostname. More... | |
#define | I_REMOTE_PROXY_VERIFY_PEER 0x0100 |
Verify TLS session with peers. More... | |
#define | I_REMOTE_PROXY_VERIFY_HOSTNAME 0x1000 |
Verify TLS session with hostname. More... | |
#define | I_PKCE_NONE 0 |
No PKCE. More... | |
#define | I_PKCE_METHOD_PLAIN 1 |
PKCE using method plain. More... | |
#define | I_PKCE_METHOD_S256 2 |
PKCE using method SHA256. More... | |
#define | I_CLAIM_TARGET_ALL 0 |
Add claim to userinfo and id_token. More... | |
#define | I_CLAIM_TARGET_USERINFO 1 |
Add claim to userinfo. More... | |
#define | I_CLAIM_TARGET_ID_TOKEN 2 |
Add claim to id_token. More... | |
#define | I_CLAIM_ESSENTIAL_NULL 0 |
Set claim value to null. More... | |
#define | I_CLAIM_ESSENTIAL_TRUE 1 |
Set claim essential value to true. More... | |
#define | I_CLAIM_ESSENTIAL_FALSE 2 |
Set claim essential value to false. More... | |
#define | I_CLAIM_ESSENTIAL_IGNORE 3 |
#define | I_CIBA_MODE_NONE 0 |
#define | I_CIBA_MODE_POLL 1 |
#define | I_CIBA_MODE_PING 2 |
#define | I_CIBA_MODE_PUSH 3 |
#define | I_CIBA_LOGIN_HINT_FORMAT_JSON 0 |
#define | I_CIBA_LOGIN_HINT_FORMAT_JWT 1 |
#define | I_CIBA_LOGIN_HINT_FORMAT_ID_TOKEN 2 |
Iddawc OAuth2 client library
iddawc.h: structures and functions declarations
Copyright 2019-2022 Nicolas Mora mail@babelouest.org
This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; version 2.1 of the License.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU GENERAL PUBLIC LICENSE for more details.
You should have received a copy of the GNU General Public License along with this library. If not, see http://www.gnu.org/licenses/.
Constant values used as input or output
#define I_AUTH_METHOD_GET 0x00000001 |
auth endpoint using GET method
#define I_AUTH_METHOD_JWT_ENCRYPT_PUBKEY 0x00100000 |
auth endpoint using a JWT encrypted with the server public key
#define I_AUTH_METHOD_JWT_ENCRYPT_SECRET 0x00010000 |
auth endpoint using a JWT encrypted with the client secret
#define I_AUTH_METHOD_JWT_SIGN_PRIVKEY 0x00001000 |
auth endpoint using a JWT signed with the client private key
#define I_AUTH_METHOD_JWT_SIGN_SECRET 0x00000100 |
auth endpoint using a JWT signed with the client secret
#define I_AUTH_METHOD_POST 0x00000010 |
auth endpoint using POST method
#define I_AUTH_SIGN_ALG_MAX_LENGTH 8 |
Max length of a sign algorithm name.
#define I_BEARER_TYPE_BODY 1 |
Bearer type body, the token will be available as a body url-encoded parameter.
#define I_BEARER_TYPE_HEADER 0 |
Bearer type header, the token will be available in the header.
#define I_BEARER_TYPE_URL 2 |
Bearer type url, the token will be available as a url query parameter.
#define I_BODY_URL_PARAMETER "access_token" |
#define I_CIBA_LOGIN_HINT_FORMAT_ID_TOKEN 2 |
#define I_CIBA_LOGIN_HINT_FORMAT_JSON 0 |
#define I_CIBA_LOGIN_HINT_FORMAT_JWT 1 |
#define I_CIBA_MODE_NONE 0 |
#define I_CIBA_MODE_PING 2 |
#define I_CIBA_MODE_POLL 1 |
#define I_CIBA_MODE_PUSH 3 |
#define I_CLAIM_ESSENTIAL_FALSE 2 |
Set claim essential value to false.
#define I_CLAIM_ESSENTIAL_IGNORE 3 |
#define I_CLAIM_ESSENTIAL_NULL 0 |
Set claim value to null.
#define I_CLAIM_ESSENTIAL_TRUE 1 |
Set claim essential value to true.
#define I_CLAIM_TARGET_ALL 0 |
Add claim to userinfo and id_token.
#define I_CLAIM_TARGET_ID_TOKEN 2 |
Add claim to id_token.
#define I_CLAIM_TARGET_USERINFO 1 |
Add claim to userinfo.
#define I_CONTENT_TYPE_JWKS "application/jwk-set+json" |
#define I_ERROR 1 |
Error.
#define I_ERROR_MEMORY 3 |
Memory error.
#define I_ERROR_PARAM 2 |
Error in parameters.
#define I_ERROR_SERVER 5 |
Server error.
#define I_ERROR_UNAUTHORIZED 4 |
Request unauthorized.
#define I_HEADER_AUTHORIZATION "Authorization" |
#define I_HEADER_DPOP "DPoP" |
#define I_HEADER_PREFIX_BEARER "Bearer " |
#define I_HEADER_PREFIX_DPOP "DPoP " |
#define I_INTROSPECT_REVOKE_AUTH_ACCESS_TOKEN 1 |
Introspection/Revocation - authentication using access token.
#define I_INTROSPECT_REVOKE_AUTH_CLIENT_TARGET 2 |
Introspection/Revocation - authentication with client credentials.
#define I_INTROSPECT_REVOKE_AUTH_NONE 0 |
Introspection/Revocation - no authentication.
#define I_OK 0 |
Success.
#define I_PKCE_METHOD_PLAIN 1 |
PKCE using method plain.
#define I_PKCE_METHOD_S256 2 |
PKCE using method SHA256.
#define I_PKCE_NONE 0 |
No PKCE.
#define I_REMOTE_HOST_VERIFY_HOSTNAME 0x0010 |
Verify TLS session with hostname.
#define I_REMOTE_HOST_VERIFY_PEER 0x0001 |
Verify TLS session with peers.
#define I_REMOTE_PROXY_VERIFY_HOSTNAME 0x1000 |
Verify TLS session with hostname.
#define I_REMOTE_PROXY_VERIFY_PEER 0x0100 |
Verify TLS session with peers.
#define I_REMOTE_VERIFY_NONE 0x0000 |
No TLS Verification.
#define I_RESPONSE_TYPE_CIBA 0x10000000 |
Grant type urn:openid:params:grant-type:ciba.
#define I_RESPONSE_TYPE_CLIENT_CREDENTIALS 0x00010000 |
Grant type client_credentials.
#define I_RESPONSE_TYPE_CODE 0x00000001 |
Response type code.
#define I_RESPONSE_TYPE_DEVICE_CODE 0x01000000 |
Grant type urn:ietf:params:oauth:grant-type:device_code.
#define I_RESPONSE_TYPE_ID_TOKEN 0x00000100 |
Response type id_token.
#define I_RESPONSE_TYPE_NONE 0x00000000 |
No response type.
#define I_RESPONSE_TYPE_PASSWORD 0x00001000 |
Grant type password.
#define I_RESPONSE_TYPE_REFRESH_TOKEN 0x00100000 |
Grant type refresh_token.
#define I_RESPONSE_TYPE_TOKEN 0x00000010 |
Response type token.
#define I_STRICT_JWT_AT_CLAIM 0x00001000 |
Verify JWT access tokens claims values.
#define I_STRICT_JWT_AT_HEADER_TYP 0x00000100 |
Verify JWT access tokens header typ value.
#define I_STRICT_JWT_AT_SIGNATURE 0x00000010 |
Verify JWT access tokens signatures.
#define I_STRICT_NO 0x00000000 |
Do not strictly conform to openid config result.
#define I_STRICT_YES 0x00000001 |
Strictly conform to openid config result.
#define I_TOKEN_AUTH_METHOD_JWT_ENCRYPT_PUBKEY 0x01000000 |
token endpoint using a JWT signed with the client private key and encrypted with the server public key or the client secret
#define I_TOKEN_AUTH_METHOD_JWT_ENCRYPT_SECRET 0x00100000 |
token endpoint using a JWT encrypted with the client secret
#define I_TOKEN_AUTH_METHOD_JWT_SIGN_PRIVKEY 0x00010000 |
token endpoint using a JWT signed with the client private key
#define I_TOKEN_AUTH_METHOD_JWT_SIGN_SECRET 0x00001000 |
token endpoint using a JWT signed with the client secret
#define I_TOKEN_AUTH_METHOD_NONE 0x00000000 |
token endpoint using no authentication
#define I_TOKEN_AUTH_METHOD_SECRET_BASIC 0x00000001 |
token endpoint using HTTP basic auth with client_id and client password
#define I_TOKEN_AUTH_METHOD_SECRET_POST 0x00000010 |
token endpoint using secret sent in POST parameters
#define I_TOKEN_AUTH_METHOD_TLS_CERTIFICATE 0x00000100 |
token endpoint using TLS Certificate authentication
#define I_TOKEN_TYPE_ACCESS_TOKEN 0 |
#define I_TOKEN_TYPE_ID_TOKEN 1 |
#define I_TOKEN_TYPE_INTROSPECTION 3 |
#define I_TOKEN_TYPE_RESPONSE_AUTH 4 |
#define I_TOKEN_TYPE_USERINFO 2 |
enum i_option |
Options available to set or get properties using i_set_int_parameter, i_set_str_parameter, i_get_int_parameter, i_get_str_parameter or i_set_parameter_list
Enumerator | |
---|---|
I_OPT_NONE | Empty option to complete a i_set_parameter_list. |
I_OPT_RESPONSE_TYPE | response_type, values available are I_RESPONSE_TYPE_CODE, I_RESPONSE_TYPE_TOKEN, I_RESPONSE_TYPE_ID_TOKEN, I_RESPONSE_TYPE_PASSWORD, I_RESPONSE_TYPE_CLIENT_CREDENTIALS and I_RESPONSE_TYPE_REFRESH_TOKEN |
I_OPT_SCOPE | scope values, string, multiple scopes must be separated by a space character: "scope1 openid" |
I_OPT_SCOPE_APPEND | append another scope value to the scope list, string |
I_OPT_STATE | state value, string |
I_OPT_NONCE | nonce value, string |
I_OPT_REDIRECT_URI | redirect_uri, string |
I_OPT_REDIRECT_TO | url where the oauth2 is redirected to after a /auth request |
I_OPT_CLIENT_ID | client_id, string |
I_OPT_CLIENT_SECRET | client secret, string |
I_OPT_ADDITIONAL_PARAMETER | use this option to pass any additional parameter value in the /auth request |
I_OPT_ADDITIONAL_RESPONSE | |
I_OPT_AUTH_ENDPOINT | absolute url for the auth endpoint, string |
I_OPT_TOKEN_ENDPOINT | absolute url for the token endpoint, string |
I_OPT_OPENID_CONFIG_ENDPOINT | absolute url for the .well-known/openid-configuration endpoint, string |
I_OPT_OPENID_CONFIG | result of the .well-known/openid-configuration |
I_OPT_OPENID_CONFIG_STRICT | must the .well-known/openid-configuration parameters be strictly verified? After i_init_session(), the value is I_STRICT_NO|I_STRICT_JWT_AT_SIGNATURE|I_STRICT_JWT_AT_HEADER_TYP|I_STRICT_JWT_AT_CLAIM, if the function i_get_openid_config() is used, then the flag I_STRICT_NO will be replaced by I_STRICT_YES, the others will remain |
I_OPT_USERINFO_ENDPOINT | absolute url for the userinfo endpoint or equivalent, string |
I_OPT_RESULT | result of a request |
I_OPT_ERROR | error value of a failed request, string |
I_OPT_ERROR_DESCRIPTION | error description of a failed request, string |
I_OPT_ERROR_URI | error uri of a failed request, string |
I_OPT_CODE | code given after a successful auth request using the response_type I_RESPONSE_TYPE_CODE |
I_OPT_REFRESH_TOKEN | refresh token given after a successful token request using the proper response_type |
I_OPT_ACCESS_TOKEN | access token given after a successful auth or token request using the proper response_type |
I_OPT_ID_TOKEN | id_token given after a successful auth or token request using the proper response_type |
I_OPT_AUTH_METHOD | Authentication method to use with the auth endpoint, values available are I_AUTH_METHOD_GET, I_AUTH_METHOD_POST, I_AUTH_METHOD_JWT_SIGN_SECRET, I_AUTH_METHOD_JWT_SIGN_PRIVKEY, I_AUTH_METHOD_JWT_ENCRYPT_SECRET or I_AUTH_METHOD_JWT_ENCRYPT_PUBKEY, values I_AUTH_METHOD_JWT_SIGN_SECRET, I_AUTH_METHOD_JWT_SIGN_PRIVKEY, I_AUTH_METHOD_JWT_ENCRYPT_SECRET or I_AUTH_METHOD_JWT_ENCRYPT_PUBKEY can be combined with I_AUTH_METHOD_GET or I_AUTH_METHOD_POST. |
I_OPT_TOKEN_METHOD | Authentication method to use with the token endpoint, values available are I_TOKEN_AUTH_METHOD_SECRET_BASIC, I_TOKEN_AUTH_METHOD_SECRET_POST, I_TOKEN_AUTH_METHOD_SECRET_JWT, I_TOKEN_AUTH_METHOD_PRIVATE_JWT, I_TOKEN_AUTH_METHOD_NONE. |
I_OPT_TOKEN_TYPE | token_type value after a successful auth or token request, string |
I_OPT_EXPIRES_IN | expires_in value after a successful auth or token request, integer |
I_OPT_EXPIRES_AT | expires_at value after a successful auth or token request, time_t |
I_OPT_USERNAME | username for password response_types, string |
I_OPT_USER_PASSWORD | password for password response_types, string |
I_OPT_ISSUER | issuer value, string |
I_OPT_USERINFO | userinfo result, string |
I_OPT_NONCE_GENERATE | Generate a random nonce value. |
I_OPT_STATE_GENERATE | Generate a random state value. |
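I_OPT_X5U_FLAGS | x5u flags to apply when the JWK used has an x5u property, values available are R_FLAG_IGNORE_SERVER_CERTIFICATE: ignore if web server certificate is invalid, R_FLAG_FOLLOW_REDIRECT: follow redirections if necessary, R_FLAG_IGNORE_REMOTE: do not download remote key. With R_FLAG_IGNORE_SERVER_CERTIFICATE the key downloaded from the x5u url is not authenticated by TLS, so signatures verified with it should not be trusted outside a test environment. |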
I_OPT_SERVER_KID | key id to use if multiple jwk are available on the server, string |
I_OPT_SERVER_ENC_ALG | Key management algorithm to use when sending encrypted messages to the AS. |
I_OPT_SERVER_ENC | Encryption algorithm to use when sending encrypted messages to the AS. |
I_OPT_SERVER_JWKS_CACHE_EXPIRATION | Cache expiration for the server JWKS. |
I_OPT_CLIENT_KID | key id to use if multiple jwk are available on the client, string |
I_OPT_CLIENT_SIGN_ALG | signature algorithm to use when the client signs a request in a JWT, values available are 'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512', 'EDDSA'; 'none' produces an unsecured JWT with no signature, so the request carries no integrity protection |
I_OPT_CLIENT_ENC_ALG | key encryption algorithm to use when the client encrypts a request in a JWT, values available are 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'DIR', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW' or 'PBES2-HS512+A256KW', warning: some algorithms may be unavailable depending on the Rhonabwy version used |
I_OPT_CLIENT_ENC | data encryption algorithm to use when the client encrypts a request in a JWT, values available are 'A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM', warning: some algorithms may be unavailable depending on the Rhonabwy version used |
I_OPT_TOKEN_JTI | jti value, string |
I_OPT_TOKEN_JTI_GENERATE | Generate a random jti value. |
I_OPT_TOKEN_EXP | JWT token request expiration time in seconds. |
I_OPT_TOKEN_TARGET | access_token which is the target of a revocation or an introspection, string |
I_OPT_TOKEN_TARGET_TYPE_HINT | type hint for the token which is the target of a revocation or an introspection, string |
I_OPT_REVOCATION_ENDPOINT | absolute url for the revocation endpoint, string |
I_OPT_INTROSPECTION_ENDPOINT | absolute url for the introspection endpoint, string |
I_OPT_REGISTRATION_ENDPOINT | absolute url for the client registration endpoint, string |
I_OPT_REGISTRATION_CLIENT_URI | absolute url for the client registration management endpoint, string |
I_OPT_DEVICE_AUTHORIZATION_ENDPOINT | absolute url for the device authorization endpoint, string |
I_OPT_DEVICE_AUTH_CODE | device authorization code sent by the AS |
I_OPT_DEVICE_AUTH_USER_CODE | device authorization user code sent by the AS |
I_OPT_DEVICE_AUTH_VERIFICATION_URI | device authorization verification URI sent by the AS |
I_OPT_DEVICE_AUTH_VERIFICATION_URI_COMPLETE | device authorization verification URI complete sent by the AS |
I_OPT_DEVICE_AUTH_EXPIRES_IN | device authorization code expiration sent by the AS |
I_OPT_DEVICE_AUTH_INTERVAL | device authorization code verification interval sent by the AS |
I_OPT_END_SESSION_ENDPOINT | absolute url for the end session endpoint, string |
I_OPT_CHECK_SESSION_IRAME | absolute url for the check session iframe, string |
I_OPT_PUSHED_AUTH_REQ_ENDPOINT | absolute url for the pushed authorization endpoint, string |
I_OPT_PUSHED_AUTH_REQ_REQUIRED | are pushed authorization requests required, boolean |
I_OPT_PUSHED_AUTH_REQ_EXPIRES_IN | pushed authorization request expiration time in seconds |
I_OPT_PUSHED_AUTH_REQ_URI | request_uri sent by the par endpoint result, string |
I_OPT_USE_DPOP | Generate and use a DPoP when accessing endpoints userinfo, introspection and revocation. |
I_OPT_DPOP_KID | key id to use when signing a DPoP |
I_OPT_DECRYPT_CODE | Decrypt code when received by the AS as a JWE. |
I_OPT_DECRYPT_REFRESH_TOKEN | Decrypt refresh token when received by the AS as a JWE. |
I_OPT_DECRYPT_ACCESS_TOKEN | Decrypt access token when received by the AS as a JWE. |
I_OPT_DPOP_SIGN_ALG | signature algorithm to use when the client signs a DPoP, values available are 'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512', 'EDDSA' |
I_OPT_HTTP_PROXY | HTTP proxy address to use for outgoing connections. |
I_OPT_TLS_KEY_FILE | Path to the private key PEM file to use in a TLS authentication. |
I_OPT_TLS_CERT_FILE | Path to the certificate PEM file to use in a TLS authentication. |
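I_OPT_REMOTE_CERT_FLAG | Flags to use with remote connections to verify or ignore incorrect certificates, flags available are I_REMOTE_HOST_VERIFY_PEER, I_REMOTE_HOST_VERIFY_HOSTNAME, I_REMOTE_PROXY_VERIFY_PEER, I_REMOTE_PROXY_VERIFY_HOSTNAME, I_REMOTE_VERIFY_NONE, default is I_REMOTE_HOST_VERIFY_PEER|I_REMOTE_HOST_VERIFY_HOSTNAME|I_REMOTE_PROXY_VERIFY_PEER|I_REMOTE_PROXY_VERIFY_HOSTNAME. I_REMOTE_VERIFY_NONE disables TLS verification, which leaves the tokens and client credentials sent over the connection unprotected against interception; keep the default outside test environments. |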
I_OPT_PKCE_CODE_VERIFIER | PKCE code verifier, must be a string of 43 characters minimum only using the characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~". |
I_OPT_PKCE_CODE_VERIFIER_GENERATE | Generate a random PKCE code verifier. |
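I_OPT_PKCE_METHOD | PKCE method to use, values available are I_PKCE_NONE (no PKCE, default), I_PKCE_METHOD_PLAIN or I_PKCE_METHOD_S256. RFC 7636 expects clients that can compute S256 to use it rather than plain; because the default is I_PKCE_NONE, PKCE must be enabled explicitly. |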
I_OPT_RESOURCE_INDICATOR | Resource indicator as detailed in the RFC 8707. |
I_OPT_ACCESS_TOKEN_SIGNING_ALG | registration value access_token_signing_alg to specify a signing algorithm for access_token |
I_OPT_ACCESS_TOKEN_ENCRYPTION_ALG | registration value access_token_encryption_alg to specify a key management algorithm for access_token |
I_OPT_ACCESS_TOKEN_ENCRYPTION_ENC | registration value access_token_encryption_enc to specify an encryption algorithm for access_token |
I_OPT_ID_TOKEN_SIGNING_ALG | registration value id_token_signing_alg to specify a signing algorithm for id_token |
I_OPT_ID_TOKEN_ENCRYPTION_ALG | registration value id_token_encryption_alg to specify a key management algorithm for id_token |
I_OPT_ID_TOKEN_ENCRYPTION_ENC | registration value id_token_encryption_enc to specify an encryption algorithm for id_token |
I_OPT_USERINFO_SIGNING_ALG | registration value userinfo_signing_alg to specify a signing algorithm for userinfo |
I_OPT_USERINFO_ENCRYPTION_ALG | registration value userinfo_encryption_alg to specify a key management algorithm for userinfo |
I_OPT_USERINFO_ENCRYPTION_ENC | registration value userinfo_encryption_enc to specify an encryption algorithm for userinfo |
I_OPT_REQUEST_OBJECT_SIGNING_ALG | registration value request_object_signing_alg to specify a signing algorithm for request_object |
I_OPT_REQUEST_OBJECT_ENCRYPTION_ALG | registration value request_object_encryption_alg to specify a key management algorithm for request_object |
I_OPT_REQUEST_OBJECT_ENCRYPTION_ENC | registration value request_object_encryption_enc to specify an encryption algorithm for request_object |
I_OPT_TOKEN_ENDPOINT_SIGNING_ALG | registration value token_endpoint_signing_alg to specify a signing algorithm for token_endpoint |
I_OPT_TOKEN_ENDPOINT_ENCRYPTION_ALG | registration value token_endpoint_encryption_alg to specify a key management algorithm for token_endpoint |
I_OPT_TOKEN_ENDPOINT_ENCRYPTION_ENC | registration value token_endpoint_encryption_enc to specify an encryption algorithm for token_endpoint |
I_OPT_CIBA_REQUEST_SIGNING_ALG | registration value ciba_request_signing_alg to specify a signing algorithm for ciba_request |
I_OPT_CIBA_REQUEST_ENCRYPTION_ALG | registration value ciba_request_encryption_alg to specify a key management algorithm for ciba_request |
I_OPT_CIBA_REQUEST_ENCRYPTION_ENC | registration value ciba_request_encryption_enc to specify an encryption algorithm for ciba_request |
I_OPT_AUTH_RESPONSE_SIGNING_ALG | registration value auth_response_signing_alg to specify a signing algorithm for auth_response |
I_OPT_AUTH_RESPONSE_ENCRYPTION_ALG | registration value auth_response_encryption_alg to specify a key management algorithm for auth_response |
I_OPT_AUTH_RESPONSE_ENCRYPTION_ENC | registration value auth_response_encryption_enc to specify an encryption algorithm for auth_response |
I_OPT_CIBA_ENDPOINT | absolute url for the CIBA endpoint or equivalent, string |
I_OPT_CIBA_MODE | backchannel token delivery mode, values available are I_CIBA_MODE_NONE, I_CIBA_MODE_POLL, I_CIBA_MODE_PING and I_CIBA_MODE_PUSH |
I_OPT_CIBA_USER_CODE | CIBA user code to specify in the CIBA request, string, optional. |
I_OPT_CIBA_LOGIN_HINT | CIBA login_hint value, mandatory on CIBA requests. |
I_OPT_CIBA_LOGIN_HINT_FORMAT | CIBA login_hint format, values available are I_CIBA_LOGIN_HINT_FORMAT_JSON, I_CIBA_LOGIN_HINT_FORMAT_JWT or I_CIBA_LOGIN_HINT_FORMAT_ID_TOKEN. |
I_OPT_CIBA_LOGIN_HINT_KID | key id to use to sign CIBA requests or login_hint_token if multiple jwk are available on the client, string |
I_OPT_CIBA_BINDING_MESSAGE | CIBA binding message to specify in the CIBA request, string, optional. |
I_OPT_CIBA_REQUESTED_EXPIRY | CIBA requested expiry to specify in the CIBA request, optional. |
I_OPT_CIBA_CLIENT_NOTIFICATION_TOKEN | client_notification_token value to use on CIBA requests, string, mandatory if mode is ping or push |
I_OPT_CIBA_CLIENT_NOTIFICATION_TOKEN_GENERATE | Generate a random client_notification_token of the specified length. |
I_OPT_CIBA_ACR_VALUES | ACR values that the OpenID Provider is being requested to use for processing this Authentication Request. |
I_OPT_CIBA_ACR_VALUES_APPEND | append another ACR value to the ACR values list, string |
I_OPT_CIBA_AUTH_REQ_ID | auth_req_id value received by the server on successful request |
I_OPT_CIBA_CLIENT_NOTIFICATION_ENDPOINT | backchannel_client_notification_endpoint value to specify the url for ping or push modes |
I_OPT_CIBA_AUTH_REQ_EXPIRES_IN | expiration of the request in seconds received by the server on successful request |
I_OPT_CIBA_AUTH_REQ_INTERVAL | Interval to poll token endpoint on poll mode in seconds. |
I_OPT_FRONTCHANNEL_LOGOUT_URI | Frontchannel logout URI. |
I_OPT_FRONTCHANNEL_LOGOUT_SESSION_REQUIRED | Frontchannel logout session required. |
I_OPT_BACKCHANNEL_LOGOUT_URI | Backchannel logout URI. |
I_OPT_BACKCHANNEL_LOGOUT_SESSION_REQUIRED | Backchannel logout session required. |
I_OPT_POST_LOGOUT_REDIRECT_URI | Post logout redirect URI. |
I_OPT_ID_TOKEN_SID | ID_Token SID. |
I_OPT_SAVE_HTTP_REQUEST_RESPONSE | Save HTTP request and response. |
I_OPT_DPOP_NONCE_AS | DPoP Nonce for the AS. |
I_OPT_DPOP_NONCE_RS | DPoP Nonce for the RS. |