oidc-deploy - Fwd: GEANT OIDC-work status

Subject: OIDC Deployment Working Group

Fwd: GEANT OIDC-work status


  • From: Steven Carmody <>
  • To:
  • Subject: Fwd: GEANT OIDC-work status
  • Date: Wed, 15 Nov 2017 10:31:37 -0500

Hi,

there's an interesting thread on the Shib-dev email list describing the GEANT supported work being done in Finland to add OIDC/OAuth2 support to Shib IDP v3. This is the first post in the thread, from the two developers.

The thread can be viewed here:

https://shibboleth.net/pipermail/dev/2017-November/009568.html


-------- Forwarded Message --------
Subject: GEANT OIDC-work status
Date: Mon, 13 Nov 2017 16:31:11 +0200
From: Henri Mikkonen
<>
Reply-To: Shib Dev
<>
To:


Hi,

Scott asked us to give a short status update to this list every now and then. So, here you are, a rough list of features we’ve been working on since summer. The list is not 100% accurate: the purpose is to give you some kind of description of where we are at the moment. Feel free to ask for more details.

Overall, we aim at packaging an alpha version before the end of the year, supporting the standard implicit flow and dynamic client registration. We’ll test it against the OpenID Foundation’s certification tool and some RPs, but naturally we welcome any help/input from you.

BR,
Henri & Janne

---

How to add RPs?

1. File system via JSON

- The implementation is very similar to Shib’s metadata resolvers, but we needed to fork the whole (abstract) class hierarchy from the root, as the existing ones were based on SAML EntityDescriptors.

- Example “metadata” (serialized OIDCClientInformation class from Nimbus): https://github.com/CSCfi/shibboleth-idp-oidc-extension/blob/master/roles/oidc-extension/templates/oidc-client.json

2. Dynamic registration, https://openid.net/specs/openid-connect-registration-1_0.html

- The registered RPs are stored & obtained via StorageService (still in PoC phase); it seems to be compatible with Shib’s in-memory and JPA services.

- OIDCfed (spec by Roland Hedberg et al.) compatibility is under construction now; it needs to be in testable shape before the end of November: https://wiki.geant.org/display/gn42jra3/OIDCfed+Hackathon

---

Authorize flow

1. Implicit flow

- Fairly mature already; some certification tool steps (https://op.certification.openid.net:60000/) still need work / verification. The configuration we use for certifying our alpha version of the OP is https://github.com/CSCfi/shibboleth-idp-oidc-extension/blob/master/roles/oidc-extension/templates/openid-configuration.

2. Security configuration - ID token signing

- See: https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/SecurityConfiguration

- JWK credential support. Using JWK credentials is not mandatory. Shibboleth signing configurations are used for determining the algorithm and algorithm support.

- “All” OIDC RSA, ES and HS signing configurations supported.

3. Attribute resolution

- https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AttributeEncoderPluginConfiguration

- Encoders to support OIDC claims: string, int, boolean, array and simple JSON objects.

- More complex cases of JSON object still need work.

4. Attribute filtering

- https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AttributeFilterConfiguration

- Policy for scopes and matcher for requested claims. Example filter explains a lot - https://github.com/CSCfi/shibboleth-idp-oidc-extension/blob/master/roles/oidc-extension/templates/attribute-filter.xml

- Filtering claim values based on requested claim values is still missing.

5. Subject Identifier

- https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/SubjectIDConfiguration

- The Shibboleth persistent name ID generation mechanism is used for generating the subject identifier. Subject Identifier configuration is independent of the SAML name ID configuration.