m3k-auth supports parts of the OAuth 2.0 and OpenID Connect (OIDC) specifications. This page contains hints how you add clients and which parts of the spec are expected to work.
New clients must be administratively whitelisted before authorization is possible. You can request a new client_id from Markus Peröbner. Make sure you can fullfil the following restrictions before you ask to be whitelisted.
The OAuth 2.0 redirect_uri must use the https protocol and it must be an absolute URL.
Currently the following OAuth 2.0 scopes are supported:
The supported grant types are authorization_code
and refresh_token. The flow is:
/authorize with
response_type=code, client_id,
redirect_uri, and scope=openid.redirect_uri with a code
query parameter.POST /token request.
POST /token — form-encoded body.
Authorization code grant parameters:
grant_type=authorization_codecode — the code received at your redirect URIredirect_uri — must match the one used in the
authorization requestclient_idclient_secretRefresh token grant parameters:
grant_type=refresh_tokenrefresh_token
A successful authorization code response includes
access_token, refresh_token, and
id_token. A refresh token response issues a new
access_token and refresh_token pair
(token rotation).
The id_token is an RS256-signed JWT. Its payload
contains the following claims:
iss — issuer URLsub — persistent, human-readable user identifieraud — your client_idiat — issued-at time (Unix timestamp)exp — expiry time (Unix timestamp)
The public key for verifying the signature is available at
/.well-known/jwks.json
(RS256, kid: "1").
GET /userinfo — authenticate with
Authorization: Bearer <access_token>. Returns
a JSON object with the following claims:
sub — user identifier (always present)name — full name, if availablegiven_name — if availablefamily_name — if availablenickname — same as sub (always present)email — always presentemail_verified — always truelocale — if available (default de-DE)The well-known description of the server can be found in the openid-configuration.