Skip to content

How to write an oxd plugin

William Lowe edited this page Jan 4, 2018 · 7 revisions

Required features

OP / oxd Settings

  • URI of the OpenID Provider
  • URI after logout
  • Port-login redirect URL
  • Client ID
  • Client Secret
  • oxd port/https url

User Scopes

Scopes should be dynamically generated via discovery. At the very least, request-able scopes should include:

  • openid
  • email
  • profile
  • ability to add a custom scope

Authentication Settings

  • Checkbox to choose supported ACRs (which should be dynamically discovered from the OP metadata), so the application can request specific types of authentication.

  • Checkbox to bypass the local authentication screen

Nice to have

Enrollment & Access Management Policy

  • Automatically login any user with an account in the OP
  • Only register and allow ongoing access to users with one or more of the following roles in the OpenID Provider:
    • Text field that enables user to add roles that should be checked upon new user authentication

Authentication Settings

  • Provide ability for plugin admin to use ACR levels (Gluu Server specific) to set supported authentication methods, e.g. required ACR level >= 4 or required ACR level >4. This is useful in that it allows the app / plugin admin to request stronger authentication without explicitly requesting specific types of authentication, e.g. super gluu.