OpenID Connect is an authentication layer built on OAuth 2.0 that allows a user to log in to a web application using credentials established with an OpenID provider. Currently, when the elytron-oidc-client subsystem sends an authentication request to the OpenID provider, the required "scope" parameter of the authentication flow is hard-coded to just "openid".
The OpenID Connect specification allows additional scope values to be included in the authentication request. This feature adds the ability to configure the scope attribute of the elytron-oidc-client subsystem, so that those additional values can be specified when configuring the server.
The feature will allow the user to configure the scope in two ways:
- in an application's oidc.json file
- in the elytron-oidc-client subsystem configuration, on the secure-deployment resource

To support this, a new scope attribute is added to the secure-deployment resource of the elytron-oidc-client subsystem; it configures the scope that the OIDC client sends in the authentication request.
- It must be possible to configure this attribute on the secure-deployment resource with the following CLI command:
  /subsystem=elytron-oidc-client/secure-deployment=my-oidc-client:write-attribute(name=scope, value=openid)
- It must also be possible to configure it in the oidc.json file as follows:
  "scope" : "<client id> offline_access openid"
  The value is a space-delimited list of scope tokens (RFC 6749 section 3.3). It should not be pre-encoded with "%20": the client percent-encodes the parameter itself when it builds the authentication request, so a pre-encoded value would be double-encoded into a single bogus token. The list must include "openid", otherwise the request is a plain OAuth 2.0 authorization request rather than an OpenID Connect one.
- WildFly Elytron test suite: test cases implemented for the functionality.
- WildFly test suite: ensuring the correct scope is chosen and used when the scope attribute is changed.
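The following Python example is added here to illustrate the scope handling described above; it is not code from WildFly, Elytron, or the feature itself. It reads a constructed oidc.json document, normalizes the proposed scope value (space-delimited, distinct, "openid" present, pre-encoded "%20" undone), and builds the authorization request that carries it. The oidc.json sample, the authorization endpoint URL, and the function names are assumptions made for the example.

```python
"""Added example (not WildFly or Elytron code): read the proposed "scope"
value from an oidc.json-style document, normalize it, and build the
OpenID Connect authorization request that carries it.

Everything below is constructed for illustration: the oidc.json sample,
the authorization endpoint, and the function names are assumptions, not
part of the feature proposal or of the elytron-oidc-client subsystem.
"""
import json
import re
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed sample oidc.json. "scope" is the attribute the proposal adds;
# the client id is listed as a scope because Keycloak exposes per-client
# scopes, mirroring the proposal's "<client id> offline_access openid".
SAMPLE_OIDC_JSON = """
{
  "client-id": "my-oidc-client",
  "provider-url": "https://idp.example.com/realms/demo",
  "scope": "my-oidc-client offline_access openid"
}
"""

# Assumed authorization endpoint; a real client discovers it from
# <provider-url>/.well-known/openid-configuration.
AUTHORIZATION_ENDPOINT = (
    "https://idp.example.com/realms/demo/protocol/openid-connect/auth"
)

# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )   (RFC 6749 section 3.3)
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


def normalize_scope(raw):
    """Return the configured scope as an ordered list of distinct tokens.

    RFC 6749 defines scope as a space-delimited list and OpenID Connect
    Core 3.1.2.1 makes "openid" mandatory, so a missing value falls back to
    the previously hard-coded "openid" and a value without it gets "openid"
    prepended. A pre-encoded value ("a%20b") is decoded here: the request
    builder percent-encodes the parameter itself, and sending the literal
    "%20" would double-encode it into one bogus token.
    """
    if raw is None or not raw.strip():
        return ["openid"]
    text = unquote(raw) if "%20" in raw else raw
    tokens = []
    for tok in text.split():
        if not _SCOPE_TOKEN.match(tok):
            raise ValueError(f"illegal scope token: {tok!r}")
        if tok not in tokens:
            tokens.append(tok)
    if "openid" not in tokens:
        tokens.insert(0, "openid")
    return tokens


def build_authorization_url(oidc_json_text, redirect_uri, state, nonce):
    """Build the authorization-code request URL for an oidc.json document.

    state and nonce are supplied by the caller; a real client generates
    them with a CSPRNG per request and verifies them on the way back.
    """
    cfg = json.loads(oidc_json_text)
    params = {
        "response_type": "code",
        "client_id": cfg["client-id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(normalize_scope(cfg.get("scope"))),
        "state": state,
        "nonce": nonce,
    }
    # quote_via=quote encodes the scope separator as %20 (quote_plus would
    # use "+"); both decode to a space at the provider.
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def scope_from_url(url):
    """Parse the scope list back out of an authorization request URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()


if __name__ == "__main__":
    url = build_authorization_url(
        SAMPLE_OIDC_JSON, "https://app.example.com/callback", "st-1", "n-1"
    )
    print(url)
    print(scope_from_url(url))
```

Running the module prints the request URL with `scope=my-oidc-client%20offline_access%20openid` and the three tokens parsed back out of it; feeding `normalize_scope` the pre-encoded form from the original proposal yields the same three tokens, while a value such as `profile email` gains the mandatory `openid` in front.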
Documentation will be added to Elytron’s Keycloak Integration Documentation.