OpenID Connect is an authentication mechanism that builds on OAuth 2.0 and allows a user to login to a web application using credentials established by an OpenID provider. Currently, when sending an authentication request to the OpenID provider, one of the required parameters with the authentication code flow is "scope". However, for now, the Elytron OIDC HTTP authentication mechanism hardcodes this value to just "openid".
The OpenID Connect specification indicate that there are other scope values which may be included in
the authentication request. This new feature will add the ability to configure the scope
attribute
of the elytron-oidc-client
subsystem under the secure-server
and secure-deployment
resources, so that additional scope values can be specified when
configuring the server or the deployment settings.
The feature will allow the user to specify additional scope values in two ways:
-
In an application’s
oidc.json
configuration file in theWEB-INF
directory of the application, -
Adding configurations to the
elytron-oidc-client
subsystem under thesecure-deployment
and the 'secure-server' resource.
-
A new attribute named
scope
will be added to thesecure-deployment
resource under theelytron-oidc-client
subsystem, which will be used to specify additional scope values. These values will be used by the Elytron HTTP OIDC authentication mechanism. -
It must be possible to configure this attribute using cli commands. For example:
/subsystem=elytron-oidc-client/secure-deployment=my-secure-deployment:write-attribute(name=scope, value="openid offline_access")
-
It must also be configured by specifying it in the deployment. This can be done using the
oidc.json
file inside theWEB-INF
directory. For example:
"scope" : "openid profile email offline_access"
-
The OpenID Connect Specifications contain more details on optional scope values and using scope values to requst Offline Access.
-
Scope values are to be saved as a list of space separated values inside quotes as seen in the examples above.
-
When building the redirect URL, the scopes are to be added at the end as
&scope=openid+profile+email+offline_access
with the+
as the delimiters replacing the spaces. -
Although OpenID Connect has a small set of scope values outlined in the documentation, there are additional scope values that can be configured depending on the OpenID provider. The scope attribute must accept additional scope values accepted by different OpenID providers.
-
WildFly Elytron test suite: Test cases implemented for functionality.
-
WildFly test suite: Ensuring the correct scope is specified in the authentication request and used when the
scope
attribute is changed. The token will be checked for the correct claims obtained using the scope values configured. -
Tests will be added for the case where the scope is specified in the subsystem configuration and for the case where it is specified in the deployment configuration.
Documentation for the new scope option will be added to Elytron OpenID Connect Client Subsystem Configuration.