diff --git a/elytron/WFLY-16532-additional-scope-for-auth-request.adoc b/elytron/WFLY-16532-additional-scope-for-auth-request.adoc new file mode 100644 index 000000000..049b0baab --- /dev/null +++ b/elytron/WFLY-16532-additional-scope-for-auth-request.adoc 
@@ -0,0 +1,129 @@ +== Adding the ability to configure additional scope for authentication request +:author: Prarthona Paul +:email: prpaul@redhat.com +:toc: left +:icons: font +:idprefix: +:idseparator: - + +== Overview + +OpenID Connect is an authentication mechanism that builds on OAuth 2.0 +and allows a user to login to a web application using credentials established +by an OpenID provider. +Currently, when sending an authentication request to the OpenID provider, one +of the required parameters with the authentication flow is "scope". However, for +now, that value is hardcoded as just "openid". + +The specifications indicate that there are other scope values which may be included in +the authentication request. This new feature adds the ability to configure the `scope` attribute +of the `elytron-oidc-client` subsystem, so that those additional parameters can be specified when +configuring the server. + +The feature will allow the user to configure the server in two ways: + +* In an application's oidc.json file + +* in the elytron-oidc-client subsystem configuration in the secure-deployment resource + +== Issue Metadata + +=== Issue + +* https://issues.redhat.com/browse/WFLY-16532[WFLY-16532] + +=== Related Issues + +* N/A + +=== Dev Contacts + +* mailto:{email}[{author}] + +=== QE Contacts + +* TBD + +=== Testing By +// Put an x in the relevant field to indicate if testing will be done by Engineering or QE. 
+// Discuss with QE during the Kickoff state to decide this +* [ ] Engineering + +* [ ] QE + +* TBD + +=== Affected Projects or Components + +* WildFly + +* WildFly-elytron + +=== Other Interested Projects + +N/A + +=== Relevant Installation Types + +* [x] Traditional standalone server (unzipped or provisioned by Galleon) + +* [x] Managed domain + +* [x] OpenShift s2i + +* [x] Bootable jar + +== Requirements + +=== Hard Requirements + +* A new `scope` resource added to the `elytron-oidc-client` subsystem, which will be used +to configure the scope attribute of the oidc client. + +* It must be possible to configure this attribute using the following command: + +``` +/subsystem=elytron-oidc-client=my-oidc-client:write-attribute(name=scope, value=openid) +``` + +* It must also be configured using the `oidc.json` file as follows: +``` +"scope" : "%20offline_access%20openid" +``` + +=== Nice-to-Have Requirements + +N/A + +=== Non-Requirements + +N/A + +=== Backwards Compatibility + +N/A + +=== Default Configuration + +The `scope` attribute would be undefined by default and in that case, the scope +would be hardcoded as `scope=openid` as before. + +//commenting these out for now. Will delete if we dont need it. +// === Importing Existing Configuration + +// === Deployments + +// === Interoperability + +// === Security Considerations + +== Test Plan + +* Wildfly Elytron test suit: Test cases implemented for functionality. + +* WildFly test suite: Ensuring the correct scope if chosen and used when the `scope` attribute is +changed. + +== Community Documentation + +Documentation will be added to https://github.com/wildfly/wildfly/blob/main/docs/src/main/asciidoc/_elytron/Keycloak_Integration.adoc[Elytron's Keycloak Integration Documentation].
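Review bot: the CLI example under "Hard Requirements" looks malformed: `/subsystem=elytron-oidc-client=my-oidc-client:write-attribute(name=scope, value=openid)` has no resource path between the subsystem and the deployment name, whereas the Overview places the attribute on the `secure-deployment` resource; the address should presumably read `/subsystem=elytron-oidc-client/secure-deployment=my-oidc-client:write-attribute(...)`. In the same section the first bullet calls `scope` a "resource" while every other mention (Overview, Default Configuration, the CLI example itself) treats it as an attribute; pick one term. The `oidc.json` example `"scope" : "%20offline_access%20openid"` embeds percent-encoded spaces in a configuration value, which readers will copy literally; state whether the value is a plain space-separated list (with encoding done when the request is built) or must be pre-encoded, and give an example that matches. Since the example adds `offline_access`, the commented-out `=== Security Considerations` section should be filled in rather than deleted, at least to say what configuring scopes beyond `openid` means for the deployment. Minor: "test suit" should be "test suite", and "Ensuring the correct scope if chosen and used" should read "is chosen and used".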