WFLY-16532-additional-scope-for-auth-request.adoc

Adding the ability to configure additional scope value for an authentication request

Overview

OpenID Connect is an authentication mechanism that builds on OAuth 2.0 and allows a user to login to a web application using credentials established by an OpenID provider. Currently, when sending an authentication request to the OpenID provider, one of the required parameters with the authentication code flow is "scope". However, for now, the Elytron OIDC HTTP authentication mechanism hardcodes this value to just "openid".

The OpenID Connect specification indicate that there are other scope values which may be included in the authentication request. This new feature will add the ability to configure the scope attribute of the elytron-oidc-client subsystem under the secure-server and secure-deployment resources, so that additional scope values can be specified when configuring the server or the deployment settings.

The feature will allow the user to specify additional scope values in two ways:

• In an application’s oidc.json configuration file in the WEB-INF directory of the application,

• Adding configurations to the elytron-oidc-client subsystem under the secure-deployment and the 'secure-server' resource.

Issue Metadata

Issue

• WFLY-16532

• ELY-2574

Related Issues

• N/A

Dev Contacts

• Prarthona Paul

QE Contacts

• TBD

Testing By

• ✓ Engineering

• ❏ QE

Affected Projects or Components

• WildFly

• WildFly Elytron

Other Interested Projects

N/A

Relevant Installation Types

• ✓ Traditional standalone server (unzipped or provisioned by Galleon)

• ✓ Managed domain

• ✓ OpenShift s2i

• ✓ Bootable jar

Requirements

Hard Requirements

• A new attribute named scope will be added to the secure-deployment resource under the elytron-oidc-client subsystem, which will be used to specify additional scope values. These values will be used by the Elytron HTTP OIDC authentication mechanism.

• It must be possible to configure this attribute using cli commands. For example:

    /subsystem=elytron-oidc-client/secure-deployment=my-secure-deployment:write-attribute(name=scope, value="openid offline_access")

• It must also be configured by specifying it in the deployment. This can be done using the oidc.json file inside the WEB-INF directory. For example:

    "scope" : "openid profile email offline_access"

• The OpenID Connect Specifications contain more details on optional scope values and using scope values to requst Offline Access.

• Scope values are to be saved as a list of space separated values inside quotes as seen in the examples above.

• When building the redirect URL, the scopes are to be added at the end as &scope=openid+profile+email+offline_access with the + as the delimiters replacing the spaces.

• Although OpenID Connect has a small set of scope values outlined in the documentation, there are additional scope values that can be configured depending on the OpenID provider. The scope attribute must accept additional scope values accepted by different OpenID providers.

Nice-to-Have Requirements

N/A

Non-Requirements

N/A

Backwards Compatibility

N/A

Default Configuration

The scope attribute would be undefined by default and in that case, the scope value would be hardcoded as scope=openid as before if the user does not configure any additional scope values.

Test Plan

• WildFly Elytron test suite: Test cases implemented for functionality.

• WildFly test suite: Ensuring the correct scope is specified in the authentication request and used when the scope attribute is changed. The token will be checked for the correct claims obtained using the scope values configured.

• Tests will be added for the case where the scope is specified in the subsystem configuration and for the case where it is specified in the deployment configuration.

Community Documentation

Documentation for the new scope option will be added to Elytron OpenID Connect Client Subsystem Configuration.