Second alpha release

Features

Dynamic Registration

Related specification: https://openid.net/specs/openid-connect-registration-1_0.html

• List of verified & stored claims
  • scope
  • redirect_uris
  • application_type
  • contacts
  • response_types
  • grant_types (implicit, authorization_code, refresh_token)
  • subject_type
  • jwks and jwks_uri
  • token_endpoint_auth_method
  • logo_uri
  • policy_uri
  • tos_uri
  • client_secret generation & storage in plaintext
• Only “open registration” currently supported (the RPs are not authenticated in any way)
  • Use “shibboleth.UnverifiedRelyingParty" -bean in relying-party.xml

Webfinger

Related specification: https://openid.net/specs/openid-connect-discovery-1_0.html

Flow /oidc/webfinger contains simplified WebFinger implementation that always responds with the requested resource without any kind of verification.

Authorization and Token endpoints

Related specification: http://openid.net/specs/openid-connect-core-1_0.html#Authentication

New features since v0.5.0a:

• New supported response types are “code”, “token id_token”, “code id_token”, “code token” and “code token id_token”. Supported response types cover now all implicit, authorization code and hybrid types.
• Authorization Code and Access Token are themselves completely stateless. There is however replay and revocation caches for them that need to be taken into account in clustering.
• Authorization endpoint populates some OIDC metadata fields to RpUIContext that can be rendered for instance in the login view
• New Token endpoint. Token endpoint supports all client authentication methods “client_secret_basic”, “client_secret_post”, “client_secret_jwt” and “private_key_jwt”.

Known shortcomings / features not yet supported. List is not comprehensive.

• Request object is not supported
• Grant type “refresh_token” is not supported
• Encryption of ID Token is not supported
• Prompt values ‘consent’ and ‘select_account’ are ignored.
• If prompt is set to ‘none’, user may still be presented with attribute release content page

UserInfo endpoint

Related specification: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

• UserInfo endpoint introduced in this release has own profile configuration that may be disabled in relying party configuration.
• Releases claims based on attribute filtering of the original authentication request. Claim splitting between ID Token and UserInfo endpoints is supported.

Known shortcomings / features not yet supported. List is not comprehensive.

• Encryption and Signing of the response is not supported

Installation

The recommended way to test alpha release is to deploy it using the provided ansible scripts to vagrant. You may edit the script to install it to cloud or install it manually on top of existing shibboleth idp test installation but the support for doing that will be very limited from us. We are interested in hearing on your experiences though if you choose to go that way.

Vagrant deployment is described on https://github.com/CSCfi/shibboleth-idp-oidc-extension
Tested with Vagrant versions 1.9.5 & 2.0.1
Tested with Ansible version 2.3.0 & 2.4.1

Feedback

Feedback is preferred in the form of GitHub issues if applicable.

• We would like to hear about oidc conformance
• We would like to hear about configuring oidc
  • The alpha release already should be very shibboleth like when it comes to configuring it, it should not feel like something glued on top of it. If you find that configuring oidc extension is not what you would expect, we would like to hear about it. The configuration options are described in the wiki https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki
• Bugs in general
  • We have not intentionally left any bugs for you to find. If you find any, we would like to hear about it.
• Installation
  • Installation has not been yet on our focus and we understand this alpha release will not reflect final product on that area. It is however interesting to hear if you have a view on how the installation should be done.