New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WFLY-17143] Add the ability to specify that the OIDC Authentication Request should include request and request_uri parameters #17219
base: main
Are you sure you want to change the base?
Conversation
Hello, PrarthonaPaul. I'm waiting for one of the admins to verify this patch with /ok-to-test in a comment. |
6138fc5
to
e7ba60f
Compare
e57cd77
to
d1b0fb5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PrarthonaPaul Looks good! I just added some minor comments
<xs:annotation> | ||
<xs:documentation> | ||
<![CDATA[ | ||
The password for the client key. This is required if 'client-keystore' or 'client-keystore-file has been specified. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PrarthonaPaul Total minor, missing ' at the end of 'client-keystore-file
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
<xs:documentation> | ||
<![CDATA[ | ||
The content encryption algorithm used to encrypt the request object. The default value of this parameter | ||
is null, which indicates that the request object will not be encrypted. The "request-object-encryption-algorithm" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Total minor nitpick, maybe we should use the ' everywhere or " everywhere when referencing other attributes. Above for 'client-keystore' and 'client-keystore-file' you used ' and here for request-object-encryption-algorithm you used the "
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed! Changed it all to `
new SimpleAttributeDefinitionBuilder(ElytronOidcDescriptionConstants.REQUEST_OBJECT_CONTENT_ENCRYPTION_ALGORITHM, ModelType.STRING, true) | ||
.setAllowExpression(true) | ||
.setValidator(new StringLengthValidator(1, Integer.MAX_VALUE, true, true)) | ||
.build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PrarthonaPaul Just a minor, if the REQUEST_OBJECT_CONTENT_ENCRYPTION_ALGORITHM attribute requires configuration of REQUEST_OBJECT_ENCRYPTION_ALGORITHM attribute as well, you might be able to use this here also:
.setRequires(ElytronOidcDescriptionConstants.REQUEST_OBJECT_ENCRYPTION_ALGORITHM)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed!
Added it to both REQUEST_OBJECT_ENCRYPTION_ALGORITHM and REQUEST_OBJECT_CONTENT_ENCRYPTION_ALGORITHM
new SimpleAttributeDefinitionBuilder(ElytronOidcDescriptionConstants.AUTHENTICATION_REQUEST_FORMAT, ModelType.STRING, true) | ||
.setAllowExpression(true) | ||
.setDefaultValue(new ModelNode("oauth2")) | ||
.setAllowedValues("oauth2", "request", "request_uri") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a minor, we should make constants out of oauth2, request and request_uri . You can place them to ElytronOidcDescriptionConstants
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
Thank you for your feedback
c7a0033
to
0dd0234
Compare
/ok-to-test |
0dd0234
to
99c776c
Compare
protected static final SimpleAttributeDefinition REQUEST_OBJECT_SIGNING_ALGORITHM = | ||
new SimpleAttributeDefinitionBuilder(ElytronOidcDescriptionConstants.REQUEST_OBJECT_SIGNING_ALGORITHM, ModelType.STRING, true) | ||
.setAllowExpression(true) | ||
.setDefaultValue(new ModelNode("none")) // plaintext jwt to be sent |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should use the Elytron Oidc constant instead of the string "none".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since I dont have them in OIdc anymore, can I use the AlgorithmIdentifier.None?
99c776c
to
518fa48
Compare
054e8f5
to
a99104c
Compare
9a3137f
to
05c177e
Compare
a39fddf
to
d338708
Compare
d338708
to
3456f43
Compare
440a11a
to
9145b14
Compare
04fa03f
to
b18b922
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PrarthonaPaul I've just added a comment on the Elytron PR about an alternative approach we could take for handling unsupported attributes in the oidc.json
deployment descriptor file. I think we can handle that from OidcActivationProcessor
instead of adding new logic to Elytron to handle unsupported attributes:
5f48151
to
a4e38c2
Compare
e1eea7e
to
c0526b9
Compare
@@ -17,8 +17,9 @@ enum ElytronOidcClientSubsystemModel implements SubsystemModel { | |||
VERSION_1_0_0(1, 0, 0), | |||
VERSION_2_0_0(2, 0, 0), | |||
VERSION_3_0_0(3, 0, 0), // WildFly 32.0-present | |||
VERSION_4_0_0(4, 0, 0), // WildFly 34.0-present |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WildFly 33
…Request should include request and request_uri parameters
…ng OpenID Connect
Analysis doc: wildfly/wildfly-proposals#532
WFLY Issue: https://issues.redhat.com/browse/WFLY-17143
Related ELY Issue: https://issues.redhat.com/browse/ELY-2584
Depends on: wildfly-security/wildfly-elytron#1984
Depends on: #16997
Relevant discussion page:
More information about the wildfly-bot[bot]