
1.0.0

jalauros released this 02 Apr 09:56

Features

Dynamic Registration

Related specification: https://openid.net/specs/openid-connect-registration-1_0.html

  • List of verified & stored claims
    • scope
    • redirect_uris
    • application_type
    • contacts
    • response_types
    • grant_types (implicit, authorization_code, refresh_token)
    • subject_type
    • jwks and jwks_uri
    • token_endpoint_auth_method
    • logo_uri
    • policy_uri
    • tos_uri
    • userinfo_signed_response_alg
    • client_secret generation (the generated secret is stored in plaintext)
  • Only “open registration” is currently supported: the registering RPs are not authenticated in any way
    • Use the “shibboleth.UnverifiedRelyingParty” bean in relying-party.xml
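The registration metadata listed above has to be consistent with itself before an OP stores it (response_types imply grant_types, redirect_uris depend on application_type, jwks and jwks_uri are mutually exclusive, private_key_jwt needs a key). The following is an added example, not code from the extension, that checks a registration request against those rules from the OpenID Connect Dynamic Client Registration spec using only the values this release advertises; the sample request at the bottom is constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Values this release advertises, taken from the feature list above.
SUPPORTED_RESPONSE_TYPES = {
    frozenset(rt.split()) for rt in (
        "code", "id_token", "token id_token", "code id_token",
        "code token", "code token id_token")
}
SUPPORTED_GRANT_TYPES = {"authorization_code", "implicit", "refresh_token"}
SUPPORTED_AUTH_METHODS = {"client_secret_basic", "client_secret_post",
                          "client_secret_jwt", "private_key_jwt"}
SUPPORTED_SUBJECT_TYPES = {"public", "pairwise"}


def required_grant_types(response_types):
    """Grant types implied by the response_types (OIDC Registration 1.0, section 2)."""
    needed = set()
    for rt in response_types:
        parts = set(rt.split())
        if "code" in parts:
            needed.add("authorization_code")
        if parts & {"token", "id_token"}:
            needed.add("implicit")
    return needed


def validate_registration(req):
    """Return the list of consistency problems in a registration request; [] means OK."""
    errors = []

    uris = req.get("redirect_uris") or []
    if not uris:
        errors.append("redirect_uris is required")

    # Defaults are the ones the registration spec prescribes.
    response_types = req.get("response_types", ["code"])
    grant_types = set(req.get("grant_types", ["authorization_code"]))
    for rt in response_types:
        if frozenset(rt.split()) not in SUPPORTED_RESPONSE_TYPES:
            errors.append("unsupported response_type %r" % rt)
    for gt in sorted(grant_types - SUPPORTED_GRANT_TYPES):
        errors.append("unsupported grant_type %r" % gt)
    missing = required_grant_types(response_types) - grant_types
    if missing:
        errors.append("response_types require grant_types %s" % sorted(missing))

    # redirect_uri rules depend on application_type and on whether implicit is used.
    app_type = req.get("application_type", "web")
    if app_type not in ("web", "native"):
        errors.append("unsupported application_type %r" % app_type)
    uses_implicit = "implicit" in grant_types
    for uri in uris:
        u = urlsplit(uri)
        if u.fragment:
            errors.append("redirect_uri must not contain a fragment: %s" % uri)
        if app_type == "web" and uses_implicit and (
                u.scheme != "https" or u.hostname == "localhost"):
            errors.append("web client using implicit needs an https, non-localhost "
                          "redirect_uri: %s" % uri)
        if app_type == "native" and (
                u.scheme == "https" or (u.scheme == "http" and u.hostname != "localhost")):
            errors.append("native client redirect_uri must use a custom scheme or "
                          "http://localhost: %s" % uri)

    # Key material and client authentication.
    if "jwks" in req and "jwks_uri" in req:
        errors.append("jwks and jwks_uri must not both be present")
    method = req.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in SUPPORTED_AUTH_METHODS:
        errors.append("unsupported token_endpoint_auth_method %r" % method)
    elif method == "private_key_jwt" and "jwks" not in req and "jwks_uri" not in req:
        errors.append("private_key_jwt requires jwks or jwks_uri")

    if "subject_type" in req and req["subject_type"] not in SUPPORTED_SUBJECT_TYPES:
        errors.append("unsupported subject_type %r" % req["subject_type"])
    return errors


if __name__ == "__main__":
    # Constructed sample: a web RP asking for the hybrid flow but only the code grant.
    sample = {
        "application_type": "web",
        "redirect_uris": ["https://rp.example.org/callback"],
        "response_types": ["code id_token"],
        "grant_types": ["authorization_code"],
        "subject_type": "pairwise",
        "token_endpoint_auth_method": "client_secret_jwt",
    }
    print(json.dumps(validate_registration(sample), indent=2))
```

With open registration nobody vouches for the RP, so these checks are the only thing standing between a malformed or deliberately odd request and a stored client record; the redirect_uri rules in particular are what keep an implicit-flow token from being delivered to a plain-http or localhost URI.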

OP Discovery

Related specification: https://openid.net/specs/openid-connect-discovery-1_0.html

Flow flows/oidc/webfinger contains a simplified WebFinger implementation that always responds with the requested resource, without any kind of verification. RPs should therefore treat the WebFinger result only as a pointer and verify, as the discovery specification requires, that the issuer value in the openid-configuration document matches the issuer returned by WebFinger.

Flow flows/oidc/discovery contains building blocks for dynamically building the desired set of openid-configuration claims on top of a static file.
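The RP side of the two flows above, as an added example that is not part of the extension: normalizing a user-supplied identifier into a WebFinger query, extracting the issuer link from the JRD reply, and then applying the checks from section 4.3 of the Discovery spec to the openid-configuration document (issuer match, https, fetched from the issuer's well-known URL, required fields present). The JRD and configuration documents in the main block are constructed inline rather than fetched, and the hostnames are placeholders.

```python
import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
WELL_KNOWN = "/.well-known/openid-configuration"


def normalize_identifier(identifier):
    """Turn user input into a (resource, host) pair, following Discovery 1.0 section 2.1."""
    ident = identifier.strip()
    if "@" in ident and "://" not in ident and not ident.startswith("acct:"):
        ident = "acct:" + ident                      # e-mail style input is an acct: URI
    if ident.startswith("acct:"):
        return ident, ident.rsplit("@", 1)[1]        # host is the part after the last @
    if "://" not in ident:
        ident = "https://" + ident                   # bare host, host:port or host/path
    parts = urlsplit(ident)
    return parts._replace(fragment="").geturl(), parts.netloc   # fragment is dropped


def webfinger_url(identifier):
    """URL the RP fetches to ask the identifier's host who its OpenID Provider is."""
    resource, host = normalize_identifier(identifier)
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return "https://%s/.well-known/webfinger?%s" % (host, query)


def issuer_from_webfinger(doc):
    """Pick the issuer href out of a JRD document; the value is untrusted until checked below."""
    for link in doc.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and link.get("href"):
            return link["href"]
    raise ValueError("WebFinger response carries no OpenID issuer link")


def check_openid_configuration(expected_issuer, fetched_from, config):
    """Checks Discovery 1.0 section 4.3 requires before an RP trusts the document."""
    issuer = config.get("issuer")
    if issuer != expected_issuer:
        raise ValueError("issuer %r does not match WebFinger issuer %r"
                         % (issuer, expected_issuer))
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    if fetched_from != issuer.rstrip("/") + WELL_KNOWN:
        raise ValueError("configuration was not fetched from the issuer's well-known URL")
    for key in ("authorization_endpoint", "jwks_uri", "response_types_supported",
                "subject_types_supported", "id_token_signing_alg_values_supported"):
        if key not in config:
            raise ValueError("openid-configuration lacks required field %s" % key)
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                "jwks_uri", "registration_endpoint"):
        if key in config and urlsplit(config[key]).scheme != "https":
            raise ValueError("%s must use https" % key)
    return config


if __name__ == "__main__":
    # Constructed JRD reply and openid-configuration; nothing here is fetched over the network.
    jrd = {"subject": "acct:joe@example.com",
           "links": [{"rel": OIDC_ISSUER_REL, "href": "https://op.example.com"}]}
    config = {"issuer": "https://op.example.com",
              "authorization_endpoint": "https://op.example.com/authorize",
              "token_endpoint": "https://op.example.com/token",
              "jwks_uri": "https://op.example.com/jwks",
              "response_types_supported": ["code", "id_token", "token id_token"],
              "subject_types_supported": ["public", "pairwise"],
              "id_token_signing_alg_values_supported": ["RS256"]}
    print(webfinger_url("joe@example.com"))
    issuer = issuer_from_webfinger(jrd)
    check_openid_configuration(issuer, "https://op.example.com" + WELL_KNOWN, config)
    print(json.dumps({"issuer": issuer, "checks": "passed"}))
```

Because the WebFinger endpoint in this release echoes whatever resource it is asked about, the issuer comparison in check_openid_configuration is the step that actually binds the discovery result to a provider; an RP that skips it will happily talk to whatever issuer a manipulated JRD points at.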

Token Revocation

See https://tools.ietf.org/html/rfc7009.

Authorization, Token and UserInfo endpoints

Related specification: http://openid.net/specs/openid-connect-core-1_0.html

  • response types supported

    • code
    • id_token
    • token id_token
    • code id_token
    • code token
    • code token id_token
  • subject types supported

    • public
    • pairwise
  • response_modes_supported

    • query
    • fragment
    • form_post
  • grant types supported

    • authorization_code
    • implicit
    • refresh_token
  • claims parameter supported

  • request parameter supported

  • request_uri parameter supported

  • id token encryption and signing supported

  • userinfo response encryption and signing supported

  • request object decryption and signature validation supported. Algorithm "none" may be used if registered for the client.

Algorithms supported are:

  • encryption 'alg' values supported

    • RSA1_5
    • RSA-OAEP
    • RSA-OAEP-256
    • A128KW
    • A192KW
    • A256KW
  • encryption 'enc' values supported

    • A128CBC-HS256
    • A192CBC-HS384
    • A256CBC-HS512
    • A128GCM
    • A192GCM
    • A256GCM
  • signing 'alg' values supported

    • RS256
    • RS384
    • RS512
    • HS256
    • HS384
    • HS512
    • ES256
    • ES384
    • ES512
  • token endpoint auth methods supported

    • client_secret_basic
    • client_secret_post
    • client_secret_jwt
    • private_key_jwt
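Two items above, the note that request objects may use algorithm "none" when that is registered for the client, and the client_secret_jwt token endpoint auth method, come down to the same thing: a JWT whose header names the algorithm, where the verifier must decide which algorithms it will accept before looking at the signature. The following added example, not code from the extension, builds a client_secret_jwt assertion with the claims OpenID Connect Core section 9 requires, then verifies it the way a token endpoint would: algorithm allow-list checked first (so "none" and any non-HMAC alg are refused), constant-time HMAC comparison, exp, aud, iss/sub binding to the client_id and jti replay tracking. It uses only the standard library, so only the HS256/HS384/HS512 signing algorithms from the list above are covered; the client_secret, client_id and token endpoint URL are placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs(claims, secret, alg="HS256"):
    """Compact JWS over the claims using an HMAC alg and the shared client_secret."""
    signing_input = _encode({"alg": alg, "typ": "JWT"}) + "." + _encode(claims)
    mac = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), HS_ALGS[alg]).digest()
    return signing_input + "." + b64url(mac)


def unsigned_token(claims):
    """A JWT with alg none and an empty signature; used to show that the verifier refuses it."""
    return _encode({"alg": "none"}) + "." + _encode(claims) + "."


def client_assertion(client_id, token_endpoint, secret, lifetime=60, now=None):
    """client_secret_jwt assertion for the token endpoint (OIDC Core 1.0, section 9)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}
    return sign_hs(claims, secret)


def verify_hs(token, secret, allowed_algs, expected_aud, now=None):
    """Verify an HMAC JWT; the header alg is honoured only if it is on the allow-list."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWS")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in allowed_algs or alg not in HS_ALGS:
        raise ValueError("alg %r is not allowed for this client" % alg)  # covers none, RS*, ES*
    expected = hmac.new(secret.encode("utf-8"), (h + "." + p).encode("ascii"),
                        HS_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this endpoint")
    return claims


def verify_client_assertion(token, client_id, secret, token_endpoint, seen_jti, now=None):
    """Token-endpoint checks on a client_secret_jwt assertion, including jti replay."""
    claims = verify_hs(token, secret, {"HS256"}, token_endpoint, now)
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both equal the client_id")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


if __name__ == "__main__":
    SECRET = "constructed-client-secret-for-the-example"   # stands in for the registered client_secret
    ENDPOINT = "https://op.example.org/token"             # placeholder token endpoint
    seen = set()
    tok = client_assertion("rp-1", ENDPOINT, SECRET)
    print("accepted:", verify_client_assertion(tok, "rp-1", SECRET, ENDPOINT, seen))
    later = {"iss": "rp-1", "sub": "rp-1", "aud": ENDPOINT, "exp": 2 ** 31, "jti": "x"}
    for bad in (unsigned_token(later), sign_hs(later, SECRET, "HS512"), tok):
        try:
            verify_client_assertion(bad, "rp-1", SECRET, ENDPOINT, seen)
        except ValueError as e:
            print("rejected:", e)
```

The order in verify_hs is deliberate: the allow-list comes from what was registered for the client, not from the token, so a header claiming "none" or a key-confusion attempt with a different family never reaches the signature step. The same pattern applies when a request object is registered with "none": such an object carries no integrity protection and the OP should only accept it for clients that explicitly registered that value.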

Installation

The installation process is described in https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/Installing-from-archive. You may use the provided Ansible scripts to deploy a Vagrant VM for testing purposes.

Feedback

We follow the Shibboleth users and developers mailing lists; please use them for support requests. When you encounter a bug or want to request a feature, file it as an issue in the GitHub project.