OpenID Connect is an authentication mechanism that builds on OAuth 2.0 and allows a user to log in to a web application using credentials established by an OpenID provider. When sending an authentication request to the OpenID provider with the authorization code flow, one of the required parameters is "scope". However, the Elytron OIDC HTTP authentication mechanism currently hardcodes this value to just "openid".
The OpenID Connect specification indicates that other scope values may be included in the authentication request. This new feature will add the ability to configure the scope attribute of the elytron-oidc-client subsystem, so that additional scope values can be specified when configuring the server or the deployment settings.
The feature will allow the user to specify additional scope values in two ways:
- in the application's oidc.json configuration file in the WEB-INF directory of the application, or
- by adding configuration to the elytron-oidc-client subsystem under the secure-deployment resource.
- A new attribute named scope will be added to the secure-deployment resource under the elytron-oidc-client subsystem, which will be used to specify additional scope values. These values will be used by the Elytron HTTP OIDC authentication mechanism.
- It must be possible to configure this attribute using CLI commands. For example:
/subsystem=elytron-oidc-client/secure-deployment=my-secure-deployment:write-attribute(name=scope, value="openid, offline_access")
- It must also be possible to configure the attribute in the deployment itself, by specifying it in the oidc.json file inside the WEB-INF directory. For example:
"scope" : "myClient, myclient@redhat.com, offline_access, openid"
- The OpenID Connect specifications contain more details on optional scope values and on using scope values to request Offline Access. Note that offline_access asks the provider to issue a refresh token that remains usable while the end user is absent, so it should only be configured for deployments that actually need it.
- Scope values are to be configured as a list of comma separated values inside quotes, as seen in the examples above. The scope parameter itself is space-delimited per OAuth 2.0 and OpenID Connect Core; the comma-separated form is the configuration syntax.
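As an added illustration (this is not Elytron's code, and the helper names, the constructed oidc.json content and the authorization endpoint are assumptions), the following Python shows what a mechanism has to do with the configured value, whether it comes from oidc.json or from the secure-deployment scope attribute: split the comma-separated list, drop blanks and duplicates, make sure openid is present, check each token against the RFC 6749 scope-token grammar, and send the result space-delimited in the authentication request.

```python
import json
import re
from urllib.parse import urlencode

# RFC 6749 section 3.3 scope-token grammar: 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII except space, double quote and backslash. A token
# outside this set cannot be sent in the scope parameter as-is.
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")

# Constructed WEB-INF/oidc.json (not from a real deployment). The "scope"
# line is the new attribute, with the value from the text above; the other
# keys are placeholders for the usual client settings.
OIDC_JSON = """
{
  "realm": "myrealm",
  "auth-server-url": "https://idp.example.com/",
  "client-id": "my-client",
  "public-client": true,
  "scope": "myClient, myclient@redhat.com, offline_access, openid"
}
"""


def parse_scope(config_value):
    """Turn the comma-separated configuration value into a list of scope tokens.

    Surrounding whitespace is ignored, empty entries are dropped, duplicates
    are removed (first occurrence wins) and "openid" is always present: an
    authentication request without it is a plain OAuth 2.0 authorization
    request, and "openid" alone is what the mechanism hardcodes today. A token
    that violates the scope-token grammar raises instead of being encoded into
    the request silently.
    """
    tokens = []
    for raw in (config_value or "").split(","):
        token = raw.strip()
        if not token:
            continue
        if not _SCOPE_TOKEN.match(token):
            raise ValueError("invalid scope token: %r" % token)
        if token not in tokens:
            tokens.append(token)
    if "openid" not in tokens:
        tokens.insert(0, "openid")
    return tokens


def scope_parameter(tokens):
    """Wire form of the scope parameter: space-delimited (OAuth 2.0 / OIDC Core)."""
    return " ".join(tokens)


def authentication_request(oidc_json_text, authorization_endpoint,
                           redirect_uri, state, nonce):
    """Build the authorization-code-flow authentication request URL.

    authorization_endpoint is passed in explicitly here (assumption); a real
    client takes it from the provider's discovery document. state and nonce
    are caller supplied so the result is deterministic.
    """
    cfg = json.loads(oidc_json_text)
    params = [
        ("response_type", "code"),
        ("client_id", cfg["client-id"]),
        ("redirect_uri", redirect_uri),
        ("scope", scope_parameter(parse_scope(cfg.get("scope")))),
        ("state", state),
        ("nonce", nonce),
    ]
    # urlencode percent-encodes the values, so '@' in a custom scope and the
    # spaces between tokens survive the trip to the provider intact.
    return authorization_endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    print(authentication_request(OIDC_JSON, "https://idp.example.com/authorize",
                                 "https://app.example.com/callback", "st-1", "n-1"))
```

Running the block prints the request built from the constructed oidc.json, with scope=myClient+myclient%40redhat.com+offline_access+openid in the query string. The two points worth carrying into any implementation are the comma-to-space translation (the configured list is not the wire format) and the grammar check: a token containing a space, quote or backslash can otherwise be split or mangled by the provider into scopes the deployer never intended to request.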
- WildFly Elytron test suite: test cases implemented for the functionality.
- WildFly test suite: ensuring the correct scope is chosen and used when the scope attribute is changed.
- Tests will be added for the case where the scope is specified in the subsystem configuration and for the case where it is specified in the deployment configuration.
Documentation for the new scope option will be added to Elytron OpenID Connect Client Subsystem Configuration.