
OIDC FAQs

FAQ

  • What are the differences between SAML and OIDC?

    SAML and OIDC are two different protocols; OIDC is usually easier to configure for mobile applications. For general web applications, you can choose either. However, if your application requires special attributes/claims that are not covered by the Stanford Attribute Release policy, you will want to use SAML.

    For all enterprise web-based applications, we recommend using SAML as the primary authentication approach. However, if the application is not web-based or has specific requirements that SAML cannot fulfill, that’s when we suggest using OIDC.

  • What is the redirect_uri?

    A redirect URI, or reply URL, is the location where the OIDC provider sends the user once the app has been successfully authorized and granted the authorization code. The OIDC provider sends the code or token to the redirect URI, so it's important you register the correct location as part of the app registration process.

  • What are the supported redirect_uri formats for native apps?

    Per RFC 8252, there are three main forms:

    • Private-Use URI Scheme redirection, ex: com.example.app, com.example.app:/oauth2redirect/example-provider
    • Claimed https scheme URI redirection, ex: https://app.example.com/oauth2redirect/example-provider
    • Loopback interface redirection, ex: http://127.0.0.1:51004/oauth2redirect/example-provider

  • What are the supported redirect_uri formats for web apps?

    We strongly encourage you to start with https://. If you must use http://, use it only with a loopback address.

    If you have multiple redirect_uri(s), you will want to change the "Subject Type" from "pairwise" (the default) to "public" for your RP registration at spdb.

  • What are the lifetimes for tokens?

     idp.oidc.authorizeCode.defaultLifetime = PT5M
     idp.oidc.accessToken.defaultLifetime = PT10M
     idp.oidc.refreshToken.defaultTimeout = PT2H
     idp.oidc.refreshToken.defaultChainLifetime = PT2H
     idp.oidc.idToken.defaultLifetime = PT1H
    

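The lifetime settings in the token FAQ above are ISO 8601 durations (PT5M is five minutes, PT2H two hours). The following added example, written for this page rather than taken from Stanford or the Shibboleth IdP, parses those property lines and models the validity windows they produce, including how the two refresh-token settings interact. It assumes (my reading of the property names, not something the page states) that refreshToken.defaultTimeout is the lifetime of each individual refresh token and refreshToken.defaultChainLifetime caps the total time a chain of successive refreshes may run from the original authorization; the property text is a constructed copy of the values listed above.

```python
"""Parse Shibboleth-style OIDC lifetime properties and model token validity.

Added example (not the page's own code). Assumption: refreshToken.defaultTimeout
is the per-token lifetime of a refresh token, and refreshToken.defaultChainLifetime
is an absolute cap measured from the original authorization, applied to every
refresh token issued in the chain.
"""
import re
from datetime import timedelta

# Constructed copy of the property values listed in the FAQ.
IDP_PROPERTIES = """\
idp.oidc.authorizeCode.defaultLifetime = PT5M
idp.oidc.accessToken.defaultLifetime = PT10M
idp.oidc.refreshToken.defaultTimeout = PT2H
idp.oidc.refreshToken.defaultChainLifetime = PT2H
idp.oidc.idToken.defaultLifetime = PT1H
"""

# Subset of ISO 8601 durations: days plus hours/minutes/seconds (no years/months).
_DURATION = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Convert an ISO 8601 duration such as 'PT10M' into a timedelta."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = m.groups()
    return timedelta(
        days=int(days or 0),
        hours=int(hours or 0),
        minutes=int(minutes or 0),
        seconds=float(seconds or 0),
    )


def load_lifetimes(properties: str) -> dict[str, timedelta]:
    """Parse 'key = duration' lines, skipping blanks and '#' comments."""
    lifetimes: dict[str, timedelta] = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        lifetimes[key.strip()] = parse_duration(value)
    return lifetimes


def token_valid(lifetimes: dict[str, timedelta], key: str, age_seconds: float) -> bool:
    """True if a token issued age_seconds ago is still inside its lifetime."""
    return timedelta(seconds=age_seconds) < lifetimes[key]


def refresh_chain_outcomes(
    lifetimes: dict[str, timedelta], refresh_minutes: list[int], with_chain_cap: bool = True
) -> list[bool]:
    """Simulate refreshes at the given minutes after authorization.

    Each successful refresh issues a new refresh token valid for the per-token
    timeout, but never beyond the chain cap. Returns one bool per attempt.
    """
    timeout = lifetimes["idp.oidc.refreshToken.defaultTimeout"]
    chain_end = lifetimes["idp.oidc.refreshToken.defaultChainLifetime"] if with_chain_cap else timedelta.max
    expires = min(timeout, chain_end)  # first refresh token, issued at minute 0
    outcomes = []
    for minute in refresh_minutes:
        now = timedelta(minutes=minute)
        ok = now < expires
        outcomes.append(ok)
        if ok:
            expires = min(now + timeout, chain_end)
    return outcomes


if __name__ == "__main__":
    lt = load_lifetimes(IDP_PROPERTIES)
    for key, value in lt.items():
        print(f"{key}: {int(value.total_seconds())}s")
    print("with chain cap:   ", refresh_chain_outcomes(lt, [90, 150]))
    print("without chain cap:", refresh_chain_outcomes(lt, [90, 150], with_chain_cap=False))
```

With both refresh settings at PT2H, a refresh at minute 90 succeeds but one at minute 150 fails even though the token issued at minute 90 would otherwise last until minute 210: the chain lifetime, not the per-token timeout, is what bounds the session at two hours. Client code should still read exp from the tokens it receives rather than hard-coding these values, since the IdP can change them.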
Known Issues

  • The presentation of the acr claim is incorrect, see ISHIB-744.

Last modified February 8, 2024