[WFLY-16532] Add the ability to configure additional scope values for…

… an authentication request
wildfly · Jul 26, 2023 · 1fbf386 · 1fbf386
1 parent 0b96497
commit 1fbf386
Showing 1 changed file with 131 additions and 0 deletions.
diff --git a/elytron/WFLY-16532-additional-scope-for-auth-request.adoc b/elytron/WFLY-16532-additional-scope-for-auth-request.adoc
@@ -0,0 +1,131 @@
+== Adding the ability to configure additional scope value for an authentication request
+:author:            Prarthona Paul
+:email:             prpaul@redhat.com
+:toc:               left
+:icons:             font
+:idprefix:
+:idseparator:       -
+
+== Overview
+
+OpenID Connect is an authentication mechanism that builds on OAuth 2.0 
+and allows a user to login to a web application using credentials established 
+by an OpenID provider. 
+Currently, when sending an authentication request to the OpenID provider, one 
+of the required parameters with the authentication code flow is "scope". However, for 
+now, the Elytron OIDC HTTP authentication mechanism hardcodes this value to just "openid".
+
+The https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest[OpenID Connect specification] indicate that there are other scope values which may be included in 
+the authentication request. This new feature will add the ability to configure the `scope` attribute
+of the `elytron-oidc-client` subsystem under the `secure-server` and `secure-deployment` resources, so that additional scope values can be specified when 
+configuring the server or the deployment settings. 
+
+The feature will allow the user to specify additional scope values in two ways: 
+
+* In an application's `oidc.json` configuration file in the `WEB-INF` directory of the application,
+
+* Adding configurations to the `elytron-oidc-client` subsystem under the `secure-deployment` and the 'secure-server' resource.
+
+== Issue Metadata
+
+=== Issue
+
+* https://issues.redhat.com/browse/WFLY-16532[WFLY-16532]
+
+* https://issues.redhat.com/browse/ELY-2574[ELY-2574]
+
+
+=== Related Issues
+
+* N/A
+
+=== Dev Contacts
+
+* mailto:{email}[{author}]
+
+=== QE Contacts
+
+* TBD
+
+=== Testing By
+// Put an x in the relevant field to indicate if testing will be done by Engineering or QE. 
+// Discuss with QE during the Kickoff state to decide this
+* [x] Engineering
+
+* [ ] QE
+
+=== Affected Projects or Components
+
+* WildFly
+
+* WildFly Elytron
+
+=== Other Interested Projects
+
+N/A
+
+=== Relevant Installation Types
+
+* [x] Traditional standalone server (unzipped or provisioned by Galleon)
+
+* [x] Managed domain
+
+* [x] OpenShift s2i
+
+* [x] Bootable jar
+
+== Requirements
+
+=== Hard Requirements
+
+* A new attribute named `scope` will be added to the `secure-deployment` resource under the `elytron-oidc-client` subsystem, which will be used 
+to specify additional scope values. These values will be used by the Elytron HTTP OIDC authentication mechanism.  
+
+* It must be possible to configure this attribute using cli commands. For example: 
+
+```
+    /subsystem=elytron-oidc-client/secure-deployment=my-secure-deployment:write-attribute(name=scope, value="openid offline_access")
+```
+
+* It must also be configured by specifying it in the deployment. This can be done using the `oidc.json` file inside the `WEB-INF` directory. For example: 
+
+```
+    "scope" : "openid profile email offline_access"
+```
+
+* The OpenID Connect Specifications contain more details on https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[optional scope values] and https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[using scope values to requst Offline Access.]
+
+* Scope values are to be saved as a list of space separated values inside quotes as seen in the examples above.  
+
+* When building the redirect URL, the scopes are to be added at the end as `&scope=openid+profile+email+offline_access` with the `+` as the delimiters replacing the spaces. 
+
+* Although OpenID Connect has a small set of scope values outlined in the https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[documentation], there are additional scope values that can be configured depending on the OpenID provider. The scope attribute must accept additional scope values accepted by different OpenID providers. 
+
+=== Nice-to-Have Requirements
+
+N/A
+
+=== Non-Requirements
+
+N/A
+
+=== Backwards Compatibility
+
+N/A
+
+=== Default Configuration
+
+The `scope` attribute would be undefined by default and in that case, the scope value
+would be hardcoded as `scope=openid` as before if the user does not configure any additional scope values. 
+
+== Test Plan
+
+* WildFly Elytron test suite: Test cases implemented for functionality. 
+
+* WildFly test suite: Ensuring the correct scope is specified in the authentication request and used when the `scope` attribute is changed. The token will be checked for the correct claims obtained using the scope values configured.
+
+* Tests will be added for the case where the scope is specified in the subsystem configuration and for the case where it is specified in the deployment configuration. 
+
+== Community Documentation
+
+Documentation for the new scope option will be added to https://github.com/wildfly/wildfly/blob/main/docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc[Elytron OpenID Connect Client Subsystem Configuration].