diff --git a/elytron/WFLY-16532-additional-scope-for-auth-request.adoc b/elytron/WFLY-16532-additional-scope-for-auth-request.adoc new file mode 100644 index 000000000..fc8300ffa --- /dev/null +++ b/elytron/WFLY-16532-additional-scope-for-auth-request.adoc 
@@ -0,0 +1,134 @@ +== Adding the ability to configure additional scope value for an authentication request +:author: Prarthona Paul +:email: prpaul@redhat.com +:toc: left +:icons: font +:idprefix: +:idseparator: - + +== Overview + +OpenID Connect is an authentication mechanism that builds on OAuth 2.0 +and allows a user to login to a web application using credentials established +by an OpenID provider. +Currently, when sending an authentication request to the OpenID provider, one +of the required parameters with the authentication code flow is "scope". However, for +now, the Elytron OIDC HTTP authentication mechanism hardcodes this value to just "openid". + +The https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest[OpenID Connect specification] indicate that there are other scope values which may be included in +the authentication request. This new feature will add the ability to configure the `scope` attribute +of the `elytron-oidc-client` subsystem, so that additional scope values can be specified when +configuring the server or the deployment settings. + +The feature will allow the user to specify additional scope values in two ways: + +* In an application's `oidc.json` configuration file in the `WEB-INF` directory of the application, + +* Adding configurations to the `elytron-oidc-client` subsystem under the `secure-deployment` resource. + +== Issue Metadata + +=== Issue + +* https://issues.redhat.com/browse/WFLY-16532[WFLY-16532] + +=== Related Issues + +* N/A + +=== Dev Contacts + +* mailto:{email}[{author}] + +=== QE Contacts + +* TBD + +=== Testing By +// Put an x in the relevant field to indicate if testing will be done by Engineering or QE. 
+// Discuss with QE during the Kickoff state to decide this +* [ ] Engineering + +* [ ] QE + +* TBD + +=== Affected Projects or Components + +* WildFly + +* WildFly Elytron + +=== Other Interested Projects + +N/A + +=== Relevant Installation Types + +* [x] Traditional standalone server (unzipped or provisioned by Galleon) + +* [x] Managed domain + +* [x] OpenShift s2i + +* [x] Bootable jar + +== Requirements + +=== Hard Requirements + +* A new attribute named `scope` will be added to the `secure-deployment` resource under the `elytron-oidc-client` subsystem, which will be used +to specify additional scope values. These values will be used by the Elytron HTTP OIDC authentication mechanism. + +* It must be possible to configure this attribute using the following command: + +``` + /subsystem=elytron-oidc-client/secure-deployment=my-secure-deployment:write-attribute(name=scope, value="openid") +``` + +* It must also be configured by specifying it in the deployment. This can be done using the `oidc.json` file inside the `WEB-INF` directory as follows: + +``` + "scope" : "myClient, myclient@redhat.com, offline_access, openid" +``` + +* The OpenID Connect Specifications contain more details on https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[optional scope values] and https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[using scope values to requst Offline Access.] + +=== Nice-to-Have Requirements + +N/A + +=== Non-Requirements + +N/A + +=== Backwards Compatibility + +N/A + +=== Default Configuration + +The `scope` attribute would be undefined by default and in that case, the scope +would be hardcoded as `scope=openid` as before. + +//commenting these out for now. Will delete if we dont need it. +// === Importing Existing Configuration + +// === Deployments + +// === Interoperability + +// === Security Considerations + +== Test Plan + +* WildFly Elytron test suite: Test cases implemented for functionality. 
+ +* WildFly test suite: Ensuring the correct scope if chosen and used when the `scope` attribute is +changed. + +* Tests will be added for the case where the scope is specified in the subsystem configuration and for the case where it is specified in the deployment configuration. + +== Community Documentation + +Documentation for the new scope option will be added to https://github.com/wildfly/wildfly/blob/main/docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc[Elytron OpenID Connect Client Subsystem Configuration].
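Review bot: the `oidc.json` example under Hard Requirements, `"scope" : "myClient, myclient@redhat.com, offline_access, openid"`, shows a comma-separated list, but the `scope` parameter of an OpenID Connect authentication request is a space-delimited list of scope tokens per the linked OpenID Connect Core specification, so the document should state how the configured value is parsed and serialized onto the wire; the sample values `myClient` and `myclient@redhat.com` also do not read as scope tokens, and the standard values from the linked ScopeClaims section (`profile`, `email`, `address`, `phone`) next to `offline_access` would make a clearer example. Two related gaps: the Default Configuration section says an undefined attribute falls back to `scope=openid`, but nothing says what happens when the attribute is set without `openid`, which the specification requires in an OIDC authentication request, so the design should either always include `openid` or reject such a value, and the commented-out `// === Security Considerations` section should be written rather than deleted, since `offline_access` requests a refresh token that outlives the user's session and every additional scope widens the set of claims released to the client. Minor: the CLI example `write-attribute(name=scope, value="openid")` only sets the existing default and so does not demonstrate an additional value, and "requst" in the Offline Access link text is a typo.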