OpenID Connect is an authentication mechanism that builds on OAuth 2.0 and allows a user to login to a web application using credentials established by an OpenID provider. Currently, when sending an authentication request to the OpenID provider, one of the required parameters with the authentication flow is "scope". However, for now, that value is hardcoded as just "openid".
The specifications indicate that there are other scope values which may be included in
the authentication request. This new feature adds the ability to configure the scope attribute
of the elytron-oidc-client subsystem, so that those additional parameters can be specified when
configuring the server.
The feature will allow the user to configure the server in two ways:
-
In an application’s oidc.json file
-
in the elytron-oidc-client subsystem configuration in the secure-deployment resource
-
A new
scoperesource added to theelytron-oidc-clientsubsystem, which will be used to configure the scope attribute of the oidc client. -
It must be possible to configure this attribute using the following command:
/subsystem=elytron-oidc-client=my-oidc-client:write-attribute(name=scope, value=openid)-
It must also be configured using the
oidc.jsonfile as follows:
"scope" : "<clinet id>%20offline_access%20openid"-
Wildfly Elytron test suit: Test cases implemented for functionality.
-
WildFly test suite: Ensuring the correct scope if chosen and used when the
scopeattribute is changed.
Documentation will be added to Elytron’s Keycloak Integration Documentation.