WFLY-16532-additional-scope-for-auth-request.adoc

Adding the ability to configure additional scope value for an authentication request

Overview

OpenID Connect is an authentication layer built on OAuth 2.0 that allows a user to log in to a web application using credentials established with an OpenID provider. In the authorization code flow, "scope" is one of the required parameters of the authentication request sent to the provider, and it must contain the value "openid". Currently, the Elytron OIDC HTTP authentication mechanism hardcodes this parameter to just "openid".

The OpenID Connect specification defines additional scope values (for example profile, email, address, phone and offline_access) that may be included in the authentication request to ask for further claims or for a refresh token. This feature will add a configurable scope attribute to the elytron-oidc-client subsystem so that additional scope values can be specified in the server configuration or in the deployment settings.

The feature will allow the user to specify additional scope values in two ways:

  • In an application’s oidc.json configuration file in the WEB-INF directory of the application,

  • Adding configurations to the elytron-oidc-client subsystem under the secure-deployment resource.

Issue Metadata

Issue

  • N/A

Dev Contacts

QE Contacts

  • TBD

Testing By

  • ✓ Engineering

  • ❏ QE

Affected Projects or Components

  • WildFly

  • WildFly Elytron

Other Interested Projects

N/A

Relevant Installation Types

  • ✓ Traditional standalone server (unzipped or provisioned by Galleon)

  • ✓ Managed domain

  • ✓ OpenShift s2i

  • ✓ Bootable jar

Requirements

Hard Requirements

  • A new attribute named scope will be added to the secure-deployment resource under the elytron-oidc-client subsystem, which will be used to specify additional scope values. These values will be used by the Elytron HTTP OIDC authentication mechanism.

  • It must be possible to configure this attribute using CLI commands. For example:

    /subsystem=elytron-oidc-client/secure-deployment=my-secure-deployment:write-attribute(name=scope, value="openid, offline_access")

  • It must also be possible to configure it in the deployment, using the oidc.json file inside the WEB-INF directory. For example:

    "scope" : "myClient, myclient@redhat.com, offline_access, openid"

  • Whichever way the value is configured, the scope parameter actually sent in the authentication request must be a space-delimited list, as OAuth 2.0 requires (RFC 6749, section 3.3), and it must always include openid.
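A complete oidc.json carrying the new attribute, as an added example (not a file from this proposal or from the WildFly project). The provider-url, client-id and secret values are placeholders; the scope string follows the comma-separated form used in the examples above:

```json
{
  "provider-url" : "https://op.example.com/realms/demo",
  "client-id" : "my-app",
  "public-client" : false,
  "credentials" : {
    "secret" : "replace-with-the-client-secret"
  },
  "ssl-required" : "external",
  "scope" : "openid, profile, email, offline_access"
}
```

Scope values other than openid are defined by the OpenID provider; a value it does not recognise may be ignored or rejected (RFC 6749, section 3.3), so the claims and tokens that actually come back depend on the provider's client configuration, not only on this file.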

Nice-to-Have Requirements

N/A

Non-Requirements

N/A

Backwards Compatibility

N/A

Default Configuration

The scope attribute is undefined by default. In that case the mechanism sends scope=openid, exactly as it does today, so existing deployments are unaffected.
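How a mechanism might turn the configured attribute into the scope parameter of the authentication request, covering both the undefined default described above and the configured values from the requirements section. This is an added Java example, not WildFly Elytron code; it assumes that configured values may be separated by commas or whitespace (the proposal's examples use commas), that openid is always included and listed first, and that each value is checked against the scope-token grammar of RFC 6749 section 3.3 before it is sent. The class and method names are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added example, not code from WildFly Elytron: builds the scope parameter of an
 * OIDC authentication request from a configured "scope" attribute.
 * Assumptions (not from the proposal): configured values may be separated by
 * commas and/or whitespace; an undefined attribute means "openid"; "openid" is
 * always included and listed first; each value must be a scope-token as defined
 * in RFC 6749 section 3.3; the wire format is a space-delimited list.
 */
public final class ScopeParameter {

    private static final String OPENID = "openid";

    // scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable ASCII without space, '"' and '\'
    private static final Pattern SCOPE_TOKEN = Pattern.compile("[\\x21\\x23-\\x5B\\x5D-\\x7E]+");

    /** Returns the space-delimited scope value; null or blank input yields the default "openid". */
    static String buildScope(String configured) {
        Set<String> values = new LinkedHashSet<>();
        values.add(OPENID); // required by OIDC Core 3.1.2.1, and placed first
        if (configured != null) {
            for (String v : configured.trim().split("[,\\s]+")) {
                if (v.isEmpty()) {
                    continue;
                }
                if (!SCOPE_TOKEN.matcher(v).matches()) {
                    throw new IllegalArgumentException("invalid scope value: " + v);
                }
                values.add(v); // the set silently drops a duplicate "openid" from the configuration
            }
        }
        return String.join(" ", values);
    }

    /** Assembles the authorization code flow request URL (RFC 6749 section 4.1.1, OIDC Core 3.1.2.1). */
    static String authenticationRequest(String authorizationEndpoint, String clientId, String redirectUri,
                                        String state, String nonce, String configuredScope) {
        StringBuilder url = new StringBuilder(authorizationEndpoint)
                .append(authorizationEndpoint.contains("?") ? '&' : '?')
                .append("response_type=code")
                .append("&client_id=").append(encode(clientId))
                .append("&redirect_uri=").append(encode(redirectUri))
                .append("&scope=").append(encode(buildScope(configuredScope)))
                .append("&state=").append(encode(state))
                .append("&nonce=").append(encode(nonce));
        return url.toString();
    }

    // application/x-www-form-urlencoded encoding: the space between scope values becomes '+'
    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed inputs; in a real mechanism state and nonce are fresh random values per request.
        String endpoint = "https://op.example.com/authorize";
        System.out.println(buildScope(null));                          // attribute undefined: default behaviour
        System.out.println(buildScope("openid, offline_access"));      // the CLI example from the requirements
        System.out.println(buildScope("myClient, myclient@redhat.com, offline_access, openid"));
        System.out.println(authenticationRequest(endpoint, "my-app", "https://app.example.com/callback",
                "af0ifjsldkj", "n-0S6_WzA2Mj", "profile email"));
    }
}
```

The validation step is the part worth keeping: a configuration value containing whitespace inside a token, quotes or a backslash would otherwise be passed straight into the request and either be rejected by the provider or silently split into unintended scope values.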

Test Plan

  • WildFly Elytron test suite: Test cases implemented for functionality.

  • WildFly test suite: Ensuring the correct scope is chosen and used when the scope attribute is changed.

  • Tests will be added for the case where the scope is specified in the subsystem configuration and for the case where it is specified in the deployment configuration.

Community Documentation

Documentation for the new scope option will be added to Elytron OpenID Connect Client Subsystem Configuration.