########################################################################################
#
# Common Settings
#
########################################################################################

# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
#OIDCRedirectURI https://www.example.com/protected/redirect_uri

# (Mandatory)
# Set a password for crypto purposes, used in state and (optionally) by-value session cookies.
#OIDCCryptoPassphrase <passphrase>

# (Optional)
# Define the cookie path for the "state" and "session" cookies.
# When not defined the default is a server-wide "/".
#OIDCCookiePath <cookie-path>

# (Optional)
# Specify the domain for which the "state" and "session" cookies will be set.
# This must match the OIDCRedirectURI and the URL on which you host your protected
# application. When not defined the default is the server hostname.
#OIDCCookieDomain <cookie-domain>

# (Optional)
# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client
# Registration and account-based OP Discovery.
# Specifies the directory that holds metadata files (must be writable for the Apache process/user).
# When not specified, it is assumed that we use a single statically configured provider as
# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL.
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata

########################################################################################
#
# (Optional)
#
# OpenID Connect Provider
#
# For configuration of a single static provider, not using OpenID Connect Provider Discovery.
#
########################################################################################

# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration)
# The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If not set, the entries below will have to be configured for a single static OP configuration
# or OIDCMetadataDir will have to be set for configuration of multiple OPs.
#OIDCProviderMetadataURL <url>

# OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or https://accounts.google.com)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderIssuer <issuer>

# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderAuthorizationEndpoint <authorization_endpoint>

# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS)
# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderJwksUri <jwks_url>

# (Optional)
# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderTokenEndpoint <token_endpoint>

# (Optional)
# Authentication method for the OpenID Connect Provider Token Endpoint.
# One of "client_secret_basic", "client_secret_post", "client_secret_jwt" or "private_key_jwt".
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined the default method from the specification is used, i.e. "client_secret_basic".
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
# NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth
#OIDCProviderTokenEndpointAuth [client_secret_basic|client_secret_post|client_secret_jwt|private_key_jwt]

# (Optional)
# Extra parameters that need to be passed in the POST request to the Token Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params
#OIDCProviderTokenEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]* 

# (Optional)
# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid)
# When not defined no claims will be resolved from such endpoint.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderUserInfoEndpoint <user_info_endpoint>

# (Optional)
# OpenID OP Check Session iFrame URL, for Session Management purposes.
# When not defined, no Session Management will be applied.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderCheckSessionIFrame <url>

# (Optional)
# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes.
# When not defined, no logout to the OP will be performed.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderEndSessionEndpoint <url>

# (Optional)
# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint.
# This settings serves as a default value for multiple OPs only.
# Parameter names and values need to be provided in JSON form and will be merged in to the request.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_params
#OIDCProviderRegistrationEndpointJson <json-string>

########################################################################################
#
# (Optional)
#
# OpenID Connect Client
#
# Settings used by the client in communication with the OpenID Connect Provider(s),
# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access.
# These settings are used when a single static provider is configured and serve as defaults
# when multiple providers are configured.
#
########################################################################################

# (Optional)
# Require a valid SSL server certificate when communicating with the OP.
# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint)
# When not defined, the default value is "On".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server
#OIDCSSLValidateServer [On|Off]

# (Optional)
# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too)
# When not defined the "code" response type is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type
#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"]

# (Optional)
# The response mode used (this serves as default value for discovered OPs too)
# When not defined the default response mode for the requested flow (OIDCResponseType) is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
#OIDCResponseMode [fragment|query|form_post]

# (Optional)
# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client identifier used in calls to the statically configured OpenID Connect Provider.
#OIDCClientID <client_id>

# (Optional)
# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client secret used in calls to the statically configured OpenID Connect Provider.
# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
#OIDCClientSecret <client_secret>

# (Optional)
# PEM-formatted filename with client certificate used in calls to the token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert
#OIDCClientTokenEndpointCert <filename>

# (Optional)
# PEM-formatted filename with private key used in calls to the token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key
#OIDCClientTokenEndpointKey <filename>

# (Optional)
# The client name that the client registers in dynamic registration with the OP.
# When not defined, no client name will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
#OIDCClientName <client_name>

# (Optional)
# The contacts that the client registers in dynamic registration with the OP.
# Must be formatted as e-mail addresses by specification.
# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact <contact>

# (Optional)
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
# When not defined, the bare minimal scope "openid" is used.
# NB: multiple scope values must be enclosed in a single pair of double quotes 
# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope
#OIDCScope "<scope(s)-separated-by-spaces-and-enclosed-in-double-quotes>"

# (Optional)
# The PKCE method used (this serves as default value for discovered OPs too)
# When not defined PKCE is not used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [plain|S256]

########################################################################################
#
# (Optional)
#
# OAuth 2.0 Resource Server Settings
#
# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
# Server, introspecting/validating bearer Access Tokens.
#
########################################################################################

# (Optional)
# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientID <client_id>

# (Optional)
# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientSecret <client_secret>

# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
#OIDCOAuthIntrospectionEndpoint <token-introspection-endpoint>

# (Optional)
# Define the HTTP method to use for the introspection call. Must be GET or POST.
# When not defined the default is POST.
#OIDCOAuthIntrospectionEndpointMethod [POST|GET]

# (Optional)
# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
#OIDCOAuthIntrospectionEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]* 

# (Optional)
# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# Must be either "client_secret_basic" or "client_secret_post; when not defined "client_secret_basic" is used.
#OIDCOAuthIntrospectionEndpointAuth [client_secret_basic|client_secret_post]

# (Optional)
# PEM-formatted filename with client certificate used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointCert <filename>

# (Optional)
# PEM-formatted filename with private key used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointKey <filename>

# (Optional)
# Name of the parameter whose value carries the access token value in an validation request to the token introspection endpoint.
# When not defined the default "token" is used.
#OIDCOAuthIntrospectionTokenParamName <param_name>

# (Optional)
# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
# If the claim is optional and not found in the response, the introspection result will not be cached.
# (which means that the overall performance may suffer)
#
# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
#
# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
# Google and PingFederate's introspection behavior.
#OIDCOAuthTokenExpiryClaim <claim-name> [absolute|relative] [mandatory|optional]

# (Optional)
# Define the interval in seconds after which a cached and introspected access token needs
# to be refreshed by introspecting (and validating) it again against the Authorization Server.
# When not defined the value is 0, which means it only expires after the `exp` (or alternative,
# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server
#OIDCOAuthTokenIntrospectionInterval <seconds>

# (Optional)
# Require a valid SSL server certificate when communicating with the Authorization Server
# on the token introspection endpoint. When not defined, the default value is "On".
#OIDCOAuthSSLValidateServer [On|Off]

# (Optional)
# The symmetric shared key(s) that can be used for local JWT access token validation.
# NB: this is one or more key tuples where a key tuple consists of:
#  plain|b64|hex#[<key-identifier>]#<key>
# When not defined, no access token validation with shared keys will be performed.
# Examples:
# - a plaintext secret and a key identifier (kid)
#     plain#1#mysecret
# - a base64 encoded secret, no key identifier provided
#     b64##AF515DE==
# - a hex encoded secret, no key identifier provided
#     hex##ede012
#OIDCOAuthVerifySharedKeys ([plain|b64|hex#][<kid>#]<key>)+

# (Optional)
# The fully qualified names of the files that contain the X.509 certificates with the RSA public
# keys that can be used for local JWT access token verification.
# NB: this is one or more key tuples where a key tuple consists of:
#  [<key-identifier>#]<path-to-cert>
# and the key identifier part is optional.
# When not defined, no access token validation with statically configured certificates will be performed.
#OIDCOAuthVerifyCertFiles ([<kid>#]<filename>)+

# (Optional)
# The JWKs URL on which the Authorization publishes the keys used to sign its JWT access tokens.
# When not defined local validation of JWTs can still be done using statically configured keys,
# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
#OIDCOAuthVerifyJwksUri <jwks_url>

# (Optional)
# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
# When not defined the default "sub" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# claim value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#OIDCOAuthRemoteUserClaim <claim-name> [<regular-expression>]

# (Optional)
# Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server.
# Must be one or several of:
# "header" : an "Authorization: bearer" header
# "post" :   an HTTP Post parameter called "access_token"
# "query" :  as an HTTP query parameter called "access_token"
# "cookie" : as a cookie header called "PA.global" or using the name specified after ":"
# When not defined the default "header" is used.
#OIDCOAuthAcceptTokenAs [header|post|query|cookie[:<cookie-name>]+

########################################################################################
#
# (Optional)
#
# Cache Settings
#
########################################################################################

# (Optional)
# Cache type, used for temporary storage that is shared across Apache processes/servers for:
#  a) session state
#  b) nonce values to prevent replay attacks
#  c) validated OAuth 2.0 tokens
#  d) JWK sets that have been retrieved from jwk_uri's
#  e) resolved OP metadata when using OIDCProviderMetadataUrl
#  f) JWT ID claims (jti) when using OP-init-SSO
# must be one of \"shm\", \"memcache\", \"file\" or, if Redis support is compiled in, \"redis\" 
# When not defined, "shm" (shared memory) is used.
#OIDCCacheType [shm|memcache|file[|redis]]

# (Optional)
# When using OIDCCacheType "shm":
# Specifies the maximum number of name/value pair entries that can be cached.
# When caching a large number of entries the cache size limit may be reached and the
# least recently used entry will be overwritten. If this happens within 1 hour, 
# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
# When not specified, a default of 500 entries is used.
# OIDCCacheShmMax <number>

# (Optional)
# When using OIDCCacheType "shm":
# Specifies the maximum size for a single cache entry in bytes with a minimum of 8464 bytes.
# When caching large values such as numbers of attributes in a session or large metadata documents the 
# entry size limit may be overrun, in which case errors will be displayed in the error.log
# and the OIDCCacheShmEntrySizeMax value has to be increased.
# When not specified, a default entry size of 16913 bytes (16384 value + 512 key + 17 overhead) is used.
# OIDCCacheShmEntrySizeMax <bytes>

# (Optional)
# When using OIDCCacheType "file":
# Directory that holds cache files; must be writable for the Apache process/user.
# When not specified a system defined temporary directory (/tmp) will be used.
#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache

# (Optional)
# When using OIDCCacheType "file":
# Cache file clean interval in seconds (only triggered on writes).
# When not specified a default of 60 seconds is used.
# OIDCCacheFileCleanInterval <seconds>

# (Optional)
# Required when using OIDCCacheType "memcache":
# Specifies the memcache servers used for caching as a space separated list of <hostname>[:<port>] tuples.
#OIDCMemCacheServers "(<hostname>[:<port>])+"

# (Optional)
# Required if Redis support is compiled in and when using OIDCCacheType "redis":
# Specifies the Redis server used for caching as a <hostname>[:<port>] tuple.
#OIDCRedisCacheServer <hostname>[:<port>]

# (Optional)
# Password to be used if the Redis server requires authentication: http://redis.io/commands/auth
# When not specified, no authentication is performed.
#OIDCRedisCachePassword <password>

########################################################################################
#
# (Optional)
#
# Advanced Settings
#
########################################################################################

# (Optional)
# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
#OIDCSessionInactivityTimeout <seconds>

# (Optional)
# Defines an external OP Discovery page. That page will be called with:
#    <discovery-url>?oidc_callback=<callback-url>
# additional parameters may be added, a.o. `target_link_uri`, `x_csrf` and `method`.
#
# An Issuer selection can be passed back to the callback URL as in:
#    <callback-url>?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=<login-hint>][&auth_request_params=<params>]
# where the <iss> parameter contains the URL-encoded issuer value of
# the selected Provider, or a URL-encoded account name for OpenID
# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
# [parameters] contains the additinal parameters that were passed in on the discovery request (e.g. target_link_uri=<url>&x_csrf=<x_csrf>&method=<method>)
#
# When not defined the bare-bones internal OP Discovery page is used.
#OIDCDiscoverURL <discovery-url>

# (Optional)
# Template used to display error messages.
# The template must be prepared to take two strings, an error title and a more details error description,
# both HTML encoded values, in that order and referenced by (C-style) "%s", e.g. <p>Message:%s</p><p>Description:%s</p>.
# A minimal example that posts error+detail to another webpage:
# <html><body onload="document.forms[0].submit()">
#    <form method="post" action="http://example.org/error">
#      <input name="error" value="%s">
#      <input name="description" value="%s">
#    </form>
#  </body></html>
# When not defined a bare-bones internal template is used.
#OIDCHTMLErrorTemplate <filename>

# (Optional)
# Defines a default URL to be used in case of 3rd-party or OP initiated
# SSO when no explicit target_link_uri has been provided. The user is also
# sent to this URL is in case an invalid authorization response was received.
# When not defined, 3rd-party SSO must be done with a specified \"target_link_uri\" parameter.
#OIDCDefaultURL <default-url>

# (Optional)
# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout.
# When not defined and no URL was passed explicitly, a default internal page will be shown.
#OIDCDefaultLoggedOutURL <url>

# (Optional)
# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent" or
# specific for Google's implementation: "approval_prompt=force".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# As an alternative to this option, one may choose to add the parameters as
# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint"
# in the .provider metadata (though that would not work with Discovery OPs).
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params
#OIDCAuthRequestParams <query-encoded-string>

# (Optional)
# The fully qualified names of the files that contain the PEM-formatted X.509 certificates
# that contain the RSA public keys to be used for JWT (OP state/id_token) encryption by the OP.
# These keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
# When not defined no encryption will be requested.
# You can also prefix <filename> with a JWK key identifier to manually override the automatically
# generated "kid" that will be used for this key in the JWKs derived from this certificate and
# published at OIDCClientJwksUri.
#OIDCPublicKeyFiles ([<kid>#]<filename>)+

# (Optional)
# The fully qualified names of the files that contain the PEM-formatted RSA private
# keys that can be used to decrypt content sent to us by the OP.
# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
# When not defined no decryption will be possible.
#OIDCPrivateKeyFiles [<filename>+]

# (Optional)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
# used during client registration to point to the JWK set with public keys for this client.
# If not defined the default <redirect_uri>?jwks=rsa will be used, on which a JWK set
# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
# need to touch this unless this client is on a (test) host that is not reachable from the internet.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
#OIDCClientJwksUri <url>

# (Optional)
# The algorithm that the OP should use to sign the id_token (used only in dynamic client registration)
# When not defined the default that the OP should use by spec is RS256.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# (Optional)
# The algorithm that the OP should use to encrypt the Content Encryption Key that is
# used to encrypt the id_token (used only in dynamic client registration)
# When not defined the default (by spec) is that the OP does not encrypt the id_token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# (Optional)
# The algorithm that the OP should use to encrypt to the id_token with the
# Content Encryption Key (used only in dynamic client registration)
# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
# (????GCM algorithms only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A128GCM|A192GCM|A256GCM]

# (Optional)
# The algorithm that the OP should use to sign the UserInfo response
# (used only in dynamic client registration)
# When not defined the default (by spec) is that the OP does not sign the response.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
#OIDCUserInfoSignedResponseAlg RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# (Optional)
# The algorithm that the OP should use to encrypt the Content Encryption Key that is
# used to encrypt the UserInfo response (used only in dynamic client registration)
# When not defined the default (by spec) is that the OP does not encrypt the response.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# (Optional)
# The algorithm that the OP should use to encrypt to encrypt the UserInfo response with
# the Content Encryption Key (used only in dynamic client registration)
# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
# (????GCM algorithms only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A128GCM|A192GCM|A256GCM]

# (Optional)
# Defines the way in which the access token will be presented to the userinfo endpoint
# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET
# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST
# When not defined the default is "authz_header".
# NB: this can be overrridden on a per-OP basis in the .conf file using the key: userinfo_token_method
#OIDCUserInfoTokenMethod [authz_header|post_param]

# (Optional)
# The refresh interval in seconds for the JWKs key set obtained from the jwk_uri.
# When not defined the default is 3600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval
#OIDCJWKSRefreshInterval <seconds>

# (Optional)
# Acceptable offset (before and after) for checking the \"iat\" (= issued at) timestamp in the id_token.
# When not defined the default is 600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack
#OIDCIDTokenIatSlack <seconds>

# (Optional)
# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
#OIDCSessionMaxDuration <seconds>

# (Optional)
# Define the cookie name for the session cookie.
# When not defined the default is "mod_auth_openidc_session".
#OIDCCookie <cookie-name>

# (Optional)
# Defines whether the HttpOnly flag will be set on cookies.
# When not defined the default is On.
#OIDCCookieHTTPOnly [On|Off]

# (Optional)
# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined, the default "OIDC_CLAIM_" is used.
#OIDCClaimPrefix <prefix>

# (Optional)
# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined the default "," is used.
#OIDCClaimDelimiter <char>

# (Optional)
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
# If the claim name is postfixed with a \"@\", the claim value will be post-fixed with the
# \"iss\" value value (with leading "https://" stripped) to make this value unique across different OPs.
# When not defined the default "sub@" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# resulting value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#OIDCRemoteUserClaim <claim-name>[@] [<regular-expression>]

# (Optional)
# Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
# "claims" :     the claims in the id_token are passed in individual headers/environment variables
# "payload" :    the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
# "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
# When not defined the default "claims" is used.
#OIDCPassIDTokenAs [claims|payload|serialized]+

# (Optional)
# Define the way in which the claims and tokens are passed to the application environment:
# "none": no claims/tokens are passed
# "environment": claims/tokens are passed as environment variables
# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
# "both": claims/tokens are passed as both headers as well as environment variables (default)
# When not defined the default is "both"
# The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
# The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
#OIDCPassClaimsAs [none|headers|environment|both]

# (Optional)
# Specify the HTTP header variable name to set with the name of the authenticated user,
# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim.
# When not defined no such header is added.
# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
# a server-wide or directory level.
#OIDCAuthNHeader <header-name>

# (Optional)
# Timeout in seconds for long duration HTTP calls. This is used for most requests to remote endpoints/servers.
# When not defined the default of 60 seconds is used.
#OIDCHTTPTimeoutLong <seconds>

# (Optional)
# Timeout in seconds for short duration HTTP calls; used for Client Registration and OP Discovery requests.
# When not defined the default of 5 seconds is used.
#OIDCHTTPTimeoutShort <seconds>

# (Optional)
# Time to live in seconds for state parameter i.e. the interval in which the authorization request
# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
#OIDCStateTimeout <seconds>

# (Optional)
# OpenID Connect session storage type.
# "server-cache" server-side caching storage.
# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next
# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
# instead of a session cookie that is tied to the lifetime of the browser session.
# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
# When not defined the default "server-cache" is used.
#OIDCSessionType server-cache[:persistent]|client-cookie[:persistent]

# (Optional)
# OpenID Connect session cookie chunk size.
# When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session
# data needs to be stored, typically the size depends on the "scopes" of information you request. To work
# around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes, 
# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
# When not defined the default chunk size is 4000 bytes
#OIDCSessionCookieChunkSize 4000

# (Optional)
# Scrub user name and claim headers (as configured above) from the user's request.
# The default is "On"; use "Off" only for testing and debugging because it renders your system insecure.
#OIDCScrubRequestHeaders [On|Off] 

# (Optional)
# Specify an outgoing proxy for your network.
# When not defined no outgoing proxy is used.
#OIDCOutgoingProxy <host>[:<port>]

# (Optional)
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "410" means that HTTP 410 Gone is returned
# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
# When not defined the default "auth" is used.
#OIDCUnAuthAction [auth|pass|401|410]

# (Optional)
# Specify the names of cookies to pickup from the browser and send along on backchannel
# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
# When not defined, no such cookies are sent.
#OIDCPassCookies [<cookie-name>]+

# (Optional)
# Specify the names of cookies to strip from the incoming request so they are not passed
# on to the target application(s). This may prevent a large set of chunked session cookies to
# be sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
#   mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1 
# When not defined, no cookies are stripped.
#OIDCStripCookies [<cookie-name>]+

# (Optional)
# The refresh interval in seconds for the claims obtained from the userinfo endpoint
# When not defined the default is 0, i.e. the claims are retrieved only at session creation time.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
#OIDCUserInfoRefreshInterval <seconds>

# (Optional)
# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
# Preservation is done via HTML 5 local storage. Note that this can lead to private data exposure on shared terminals, 
# that is why the default is "Off". Can be configured on a per Directory/Location basis.
#OIDCPreservePost [On|Off]

# (Optional)
# Indicates whether the refresh token will be passed to the application in a header/environment variable, according
# to the OIDCPassClaimsAs directive.
# Can be configured on a per Directory/Location basis. The default is "Off". 
#OIDCPassRefreshToken [On|Off]

# (Optional)
# Request Object/URI settings. For example:
# "{ \"copy_from_request\": [ \"claims\", \"response_type\", \"response_mode\", \"login_hint\", \"id_token_hint\", \"nonce\", \"state\", \"redirect_uri\", \"scope\", \"client_id\" ], \"static\": { \"some\": \"value\", \"some_nested\": { \"some_array\": [ 1,2,3] } }, \"crypto\": { \"sign_alg\": \"HS256\", \"crypt_alg\": \"A256KW\", \"crypt_enc\": \"A256CBC-HS512\" }, \"url\": \"https://www.pingidentity.nl/protected/\" }"
# NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object
#OIDCRequestObject <stringified-JSON-object>

# (Optional)
# Provider metadata refresh interval for the metadata in a multi-provider setup (with OIDCMetadataDir).
# When not defined the default is 0 seconds, i.e. it is never refreshed.
# Also used in a single provider setup with OIDCProviderMetadatURL but 0 then means the default of 1 day.
#OIDCProviderMetadataRefreshInterval <seconds>