Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[WFLY-16532] Add the ability to configure additional scope values for…
… an authentication request
- Loading branch information
1 parent
0b96497
commit 5622c0a
Showing
1 changed file
with
130 additions
and
0 deletions.
There are no files selected for viewing
130 changes: 130 additions & 0 deletions
130
elytron/WFLY-16532-additional-scope-for-auth-request.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| == Adding the ability to configure additional scope value for an authentication request | ||
| :author: Prarthona Paul | ||
| :email: prpaul@redhat.com | ||
| :toc: left | ||
| :icons: font | ||
| :idprefix: | ||
| :idseparator: - | ||
|
|
||
| == Overview | ||
|
|
||
| OpenID Connect is an authentication mechanism that builds on OAuth 2.0 | ||
| and allows a user to login to a web application using credentials established | ||
| by an OpenID provider. | ||
| Currently, when sending an authentication request to the OpenID provider, one | ||
| of the required parameters with the authentication code flow is "scope". However, for | ||
| now, the Elytron OIDC HTTP authentication mechanism hardcodes this value to just "openid". | ||
|
|
||
| The https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest[OpenID Connect specification] indicate that there are other scope values which may be included in | ||
| the authentication request. This new feature will add the ability to configure the `scope` attribute | ||
| of the `elytron-oidc-client` subsystem, so that additional scope values can be specified when | ||
| configuring the server or the deployment settings. | ||
|
|
||
| The feature will allow the user to specify additional scope values in two ways: | ||
|
|
||
| * In an application's `oidc.json` configuration file in the `WEB-INF` directory of the application, | ||
|
|
||
| * Adding configurations to the `elytron-oidc-client` subsystem under the `secure-deployment` resource. | ||
|
|
||
| == Issue Metadata | ||
|
|
||
| === Issue | ||
|
|
||
| * https://issues.redhat.com/browse/WFLY-16532[WFLY-16532] | ||
|
|
||
| * https://issues.redhat.com/browse/ELY-2574[ELY-2574] | ||
|
|
||
|
|
||
| === Related Issues | ||
|
|
||
| * N/A | ||
|
|
||
| === Dev Contacts | ||
|
|
||
| * mailto:{email}[{author}] | ||
|
|
||
| === QE Contacts | ||
|
|
||
| * TBD | ||
|
|
||
| === Testing By | ||
| // Put an x in the relevant field to indicate if testing will be done by Engineering or QE. | ||
| // Discuss with QE during the Kickoff state to decide this | ||
| * [x] Engineering | ||
|
|
||
| * [ ] QE | ||
|
|
||
| === Affected Projects or Components | ||
|
|
||
| * WildFly | ||
|
|
||
| * WildFly Elytron | ||
|
|
||
| === Other Interested Projects | ||
|
|
||
| N/A | ||
|
|
||
| === Relevant Installation Types | ||
|
|
||
| * [x] Traditional standalone server (unzipped or provisioned by Galleon) | ||
|
|
||
| * [x] Managed domain | ||
|
|
||
| * [x] OpenShift s2i | ||
|
|
||
| * [x] Bootable jar | ||
|
|
||
| == Requirements | ||
|
|
||
| === Hard Requirements | ||
|
|
||
| * A new attribute named `scope` will be added to the `secure-deployment` resource under the `elytron-oidc-client` subsystem, which will be used | ||
| to specify additional scope values. These values will be used by the Elytron HTTP OIDC authentication mechanism. | ||
|
|
||
| * It must be possible to configure this attribute using cli commands. For example: | ||
|
|
||
| ``` | ||
| /subsystem=elytron-oidc-client/secure-deployment=my-secure-deployment:write-attribute(name=scope, value="openid, offline_access") | ||
| ``` | ||
|
|
||
| * It must also be configured by specifying it in the deployment. This can be done using the `oidc.json` file inside the `WEB-INF` directory. For example: | ||
|
|
||
| ``` | ||
| "scope" : "profile, email, offline_access, openid" | ||
| ``` | ||
|
|
||
| * The OpenID Connect Specifications contain more details on https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[optional scope values] and https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[using scope values to requst Offline Access.] | ||
|
|
||
| * Scope values are to be saved as a list of comma separated values inside quotes as seen in the examples above. | ||
|
|
||
| * When building the redirect URL, the scopes are to be added at the end as `&scope=openid%20profile%20email%20offline_access` with the `%20` as the delimiters replacing the spaces as outlined in the https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest[openID docs]. However, https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#get-an-access-token-for-the-userinfo-endpoint[Microsoft Azure] expects `+` as the delimiter instead. | ||
|
|
||
| === Nice-to-Have Requirements | ||
|
|
||
| N/A | ||
|
|
||
| === Non-Requirements | ||
|
|
||
| N/A | ||
|
|
||
| === Backwards Compatibility | ||
|
|
||
| N/A | ||
|
|
||
| === Default Configuration | ||
|
|
||
| The `scope` attribute would be undefined by default and in that case, the scope value | ||
| would be hardcoded as `scope=openid` as before. | ||
|
|
||
| == Test Plan | ||
|
|
||
| * WildFly Elytron test suite: Test cases implemented for functionality. | ||
|
|
||
| * WildFly test suite: Ensuring the correct scope if chosen and used when the `scope` attribute is | ||
| changed. | ||
|
|
||
| * Tests will be added for the case where the scope is specified in the subsystem configuration and for the case where it is specified in the deployment configuration. | ||
|
|
||
| == Community Documentation | ||
|
|
||
| Documentation for the new scope option will be added to https://github.com/wildfly/wildfly/blob/main/docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc[Elytron OpenID Connect Client Subsystem Configuration]. |