Service Registration

Authorized Stanford users can register and manage OIDC clients via SPDB by clicking on "Manage OpenID RP configurations".

Before Registration

Stanford mailing list address

To register an OIDC relying party with SPDB, you need a Stanford mailing list address in the format @lists.stanford.edu. If you do not have one, you can visit Stanford Mailman tools.

Stanford workgroup

When registering, you will need a non-personal workgroup that will be associated with the OIDC relying party. If you are not sure or do not have a workgroup, please visit Stanford Workgroup or consult UIT.

Client Registration

OpenID Connect

Stanford's OpenID Connect (OIDC) endpoint:

Relevant endpoints

Scopes

  • Please configure your client to request only the scope(s) it requires.
  • Do not assume users will consent to all claims.
  • Common scopes:

    • openid: provides an immutable identifier for the authenticated user
    • email: provides the user's uid@stanford.edu (or eduPersonPrincipalName)
    • profile: includes the given name, family name and display name of the authenticated user
    • edupersonentitlement: only needed if you intend to use workgroup release
  • For details on the scopes, please see scopes and claims
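
The scope guidance above, as an added example (not Stanford's or SPDB's own code): a relying party that requests only the scopes it needs and keys accounts on the immutable identifier while treating every other claim as optional. The endpoint, client ID and redirect URI are placeholders because the page does not list them; claim names are the standard OIDC ones, and eduPersonEntitlement as a claim name is an assumption.

```python
# Added example: request only the scopes needed and tolerate withheld claims.
# AUTHORIZATION_ENDPOINT, CLIENT_ID and REDIRECT_URI are placeholders; claim
# names are standard OIDC ones, "eduPersonEntitlement" is an assumption.
import secrets
from urllib.parse import urlencode

AUTHORIZATION_ENDPOINT = "https://idp.example.edu/authorize"   # placeholder
CLIENT_ID = "example-client-id"                                # placeholder
REDIRECT_URI = "https://app.example.edu/oidc/callback"         # placeholder

# Scopes named on the page, mapped to the claims each is expected to release.
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "email": ["email"],
    "profile": ["given_name", "family_name", "name"],
    "edupersonentitlement": ["eduPersonEntitlement"],
}

def build_authorization_url(needed_scopes):
    """Return (url, state, nonce) for an authorization-code request."""
    unknown = set(needed_scopes) - set(SCOPE_CLAIMS)
    if unknown:
        raise ValueError(f"unsupported scope(s): {sorted(unknown)}")
    # "openid" is always sent; stable order, no duplicates, nothing extra.
    scopes = [s for s in SCOPE_CLAIMS if s == "openid" or s in needed_scopes]
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
        "state": state, "nonce": nonce,
    })
    return f"{AUTHORIZATION_ENDPOINT}?{query}", state, nonce

def identity_from_claims(claims, requested_scopes):
    """Key the account on 'sub'; record other claims only if released."""
    if not claims.get("sub"):
        raise ValueError("no 'sub' claim: cannot identify the user")
    identity = {"sub": claims["sub"], "missing": []}
    for scope in requested_scopes:
        for name in SCOPE_CLAIMS.get(scope, []):
            if name == "sub":
                continue
            if name in claims:
                identity[name] = claims[name]
            else:
                identity["missing"].append(name)   # withheld or not released
    return identity
```

The `missing` list lets the application degrade gracefully (for example, prompt for a display name) instead of failing when a user does not consent to a claim.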

Client-id and secrets

  • Once the relying-party has been successfully created, the user can proceed to create the client secret.
  • The secret will expire after one year. An RP with an expired secret will not work.
Last modified January 18, 2024