OpenID Configuration API
OpenID configuration may be supplied programmatically through a configuration delegate.
This approach is typically used when configuration is loaded from a database or other external source at application startup.
The following code adds the OpenID services and specifies an OpenID configuration delegate.
// Register the OpenID provider services; the method group is the configuration delegate.
builder.Services.AddOpenIDProvider(ConfigureOpenID);
ConfigureOpenID is an action delegate; its signature is shown in the example configuration below.
Example Configuration
The following is an example of setting the OpenID configuration using a delegate.
In practice, these values are typically retrieved from a database or other external configuration store rather than being hard-coded.
/// <summary>
/// Builds one OpenID provider configuration with a single registered client and stores it in
/// <paramref name="openIDConfigurations"/>. The values are sample data; as the surrounding text
/// notes, a deployment loads them from a configuration store instead.
/// </summary>
/// <param name="openIDConfigurations">Configuration container supplied by the provider services; its Configurations property is overwritten.</param>
public void ConfigureOpenID(OpenIDConfigurations openIDConfigurations)
{
    // Local factories return a fresh array per call, so no two metadata properties share an instance.
    // NOTE(review): the HS* entries are symmetric; in OIDC the key is normally the client secret, so any
    // holder of that secret can also mint valid tokens. The RS*/ES*/PS* entries do not have that property.
    string[] SignatureAlgs() => new[] { "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" };
    // NOTE(review): "RSA1_5" (PKCS#1 v1.5 key transport) is deprecated in JWA because its decryption is
    // exposed to padding-oracle attacks; prefer advertising "RSA-OAEP" only.
    string[] EncryptionAlgs() => new[] { "A128KW", "A192KW", "A256KW", "dir", "RSA1_5", "RSA-OAEP" };
    string[] EncryptionEncs() => new[] { "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" };

    var metadata = new ProviderMetadata()
    {
        Issuer = "https://ExampleOpenIDProvider",
        AuthorizationEndpoint = "/openid/authorize",
        TokenEndpoint = "/openid/token",
        UserinfoEndpoint = "/openid/userinfo",
        JwksUri = "/openid/keys",
        EndSessionEndpoint = "/openid/logout",
        ScopesSupported = new[] { "openid" },
        // NOTE(review): every value other than "code" returns tokens through the browser front channel
        // (implicit/hybrid flows); current OAuth 2.0 security guidance is to advertise only "code" unless
        // a specific client requires more.
        ResponseTypesSupported = new[] { "code", "id_token", "id_token token", "code id_token", "code token", "code id_token token" },
        ResponseModesSupported = new[] { "query", "fragment", "form_post" },
        GrantTypesSupported = new[] { "authorization_code", "implicit", "refresh_token", "client_credentials" },
        SubjectTypesSupported = new[] { "public" },
        IdTokenSigningAlgValuesSupported = SignatureAlgs(),
        IdTokenEncryptionAlgValuesSupported = EncryptionAlgs(),
        IdTokenEncryptionEncValuesSupported = EncryptionEncs(),
        UserinfoSigningAlgValuesSupported = SignatureAlgs(),
        UserinfoEncryptionAlgValuesSupported = EncryptionAlgs(),
        UserinfoEncryptionEncValuesSupported = EncryptionEncs(),
        RequestObjectSigningAlgValuesSupported = SignatureAlgs(),
        RequestObjectEncryptionAlgValuesSupported = EncryptionAlgs(),
        RequestObjectEncryptionEncValuesSupported = EncryptionEncs(),
        // NOTE(review): "none" admits public clients with no token-endpoint authentication; such clients
        // should be required to use PKCE (S256), which this metadata cannot express by itself.
        TokenEndpointAuthMethodsSupported = new[] { "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" },
        TokenEndpointAuthSigningAlgValuesSupported = SignatureAlgs(),
        DisplayValuesSupported = new[] { "page", "popup", "touch", "wap" },
        ClaimsSupported = new[] { "amr", "aud", "email", "exp", "family_name", "given_name", "iat", "idp", "iss", "jti", "middle_name", "name", "nbf", "nonce", "preferred_username", "sub", "ver" },
        // NOTE(review): with "plain" the challenge equals the verifier, so a leaked authorization request
        // defeats PKCE entirely; advertise "S256" only.
        CodeChallengeMethodsSupported = new[] { "plain", "S256" },
        RequestParameterSupported = true,
        RequestUriParameterSupported = true
    };

    // NOTE(review): the PFX presumably holds the provider's private key; its password and the client
    // secret below belong in a secret store, not in source (the surrounding text already says so).
    var providerCertificates = new[]
    {
        new Certificate()
        {
            FileName = "certificates/op.pfx",
            Password = "password"
        }
    };

    var clients = new[]
    {
        new ClientConfiguration()
        {
            Description = "Example OpenID Client",
            ClientID = "wLpJpHADUqEmmAltrZX87yUMz8lgweWs",
            ClientSecret = "P41HXh7SptRM6rV4xjgdVmUkXssibunr",
            RedirectUris = new[] { "https://localhost:44389/signin-oidc" },
            PostLogoutRedirectUris = new[] { "https://localhost:44389/signout-callback-oidc" },
            ClientCertificates = new[]
            {
                new Certificate()
                {
                    FileName = "certificates/client.cer",
                }
            }
        }
    };

    openIDConfigurations.Configurations = new[]
    {
        new OpenIDConfiguration()
        {
            ProviderConfiguration = new ProviderConfiguration()
            {
                ProviderMetadata = metadata,
                ProviderCertificates = providerCertificates
            },
            ClientConfigurations = clients
        }
    };
}
Updating OpenID Configuration
The current OpenID configuration may be accessed through dependency injection using IOptionsMonitor<OpenIDConfigurations>.
Updating the configuration in this way is intended for infrequent changes. For scenarios requiring frequent or per-request configuration changes, IConfigurationResolver should be used instead.
The following is an example of accessing and updating the in-memory OpenID configuration.
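/// <summary>
/// Example controller that reads the in-memory OpenID configuration through
/// <see cref="IOptionsMonitor{TOptions}"/> and registers an additional client on it.
/// </summary>
public class OpenIDController : Controller
{
    // Keep the monitor rather than a snapshot so every request reads the current configuration.
    private readonly IOptionsMonitor<OpenIDConfigurations> _openIDConfigurations;

    public OpenIDController(IOptionsMonitor<OpenIDConfigurations> openIDConfigurations)
    {
        _openIDConfigurations = openIDConfigurations;
    }

    /// <summary>
    /// Adds a client to the first configured provider.
    /// </summary>
    /// <returns>An empty 200 response, or 404 when no provider configuration is present.</returns>
    /// <remarks>
    /// NOTE(review): this action changes the provider's trusted client list, so it must only be
    /// reachable by an authorized administrator (e.g. an [Authorize] policy) before being exposed.
    /// It is restricted to POST so that a state change cannot be triggered by a plain link.
    /// </remarks>
    [HttpPost]
    public Task<IActionResult> UpdateConfiguration()
    {
        // IOptionsMonitor<T> exposes the current options as CurrentValue (Value belongs to IOptions<T>).
        var openIDConfiguration = _openIDConfigurations.CurrentValue.Configurations.FirstOrDefault();
        if (openIDConfiguration is null)
        {
            return Task.FromResult<IActionResult>(NotFound());
        }

        // NOTE(review): the configuration example initialises ClientConfigurations from an array; if the
        // property is declared as an array or another fixed-size collection, Add throws
        // NotSupportedException — confirm the declared type. The collection is shared process-wide and
        // concurrent updates are not synchronised here.
        openIDConfiguration.ClientConfigurations.Add(new ClientConfiguration()
        {
            Description = "Blazor WASM",
            ClientID = "CFTapaLooboloAasQvjOYFPlf4Hjhmur",
            RedirectUris = new[] { "https://localhost:44361/authentication/login-callback" },
            PostLogoutRedirectUris = new[] { "https://localhost:44361/authentication/logout-callback" }
        });
        return Task.FromResult<IActionResult>(new EmptyResult());
    }
}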