Improve scope resolution for Authentication Requests

Description

Currently, the scopes requested from an OP are defined in the OIDC client information metadata, e.g.

The scopes are pulled off the resolved client information metadata during authentication request construction. This is deficient because:

  1. It just pulls them off the client information object; the RP does not have a pluggable resolver type implementation. We could add one when everything else is in place, perhaps.

  2. It is global for all users of that RP->OP pair. It might need to be more granular, although the RP does not know anything about the user at this stage.

    1. A similar work item already exists in the OP: JIRA??

Environment

None

Activity

Philip Smart, October 14, 2022 at 1:29 PM

Completed by using the profile configuration

Philip Smart, October 14, 2022 at 1:28 PM

All RP client config like this is now attached to the profile configuration, so I am closing this issue.

Philip Smart, March 18, 2022 at 11:39 AM

Given this has progressed beyond just scopes, I created an issue for a client_id resolver in and a client_authentication resolver in .

Philip Smart, February 18, 2022 at 2:41 PM

Yeah, the RP to OP coupling is not great, especially as the OP is responsible for telling the RP who it is (giving out its client_id).

Scott Cantor, February 18, 2022 at 2:23 PM

One way of dealing with it might be to stick some sort of credential resolver notion into the profile config (or security config as you note) and have that “resolve” the right ID and secret to use. That could be backed by a simple map for most cases or support storage-backed for a dynamic registration later on.
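The following is an added example, not code from the Shibboleth project or from anyone in this thread. It sketches the resolver idea raised in the description (scopes should not be read straight off the global client metadata for an RP->OP pair) and in Scott's comment (a map-backed credential resolver hung off the profile configuration): lookups are keyed by OP issuer plus the RP profile handling the request, with a per-OP global entry as fallback. Every type, method and sample value here (`ProfileScopedClientResolver`, `ClientRegistration`, the issuer URLs, client IDs and secrets) is hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not Shibboleth project code): a pluggable resolver that returns
 * the client_id, client_secret and requested scopes for a given OP, keyed first
 * by the RP profile that is handling the request and then falling back to a
 * global per-OP entry. All type and method names here are hypothetical.
 */
public final class ProfileScopedClientResolver {

    /** What the RP needs from the resolver to build an authentication request. */
    public record ClientRegistration(String clientId, String clientSecret, List<String> scopes) {}

    /** Lookup key: the OP's issuer URL plus the RP profile ID (null = global default). */
    private record Key(String opIssuer, String profileId) {}

    private final Map<Key, ClientRegistration> registrations = new HashMap<>();

    /** Register the global (all-profile) client registration for an OP. */
    public void registerGlobal(String opIssuer, ClientRegistration reg) {
        registrations.put(new Key(opIssuer, null), reg);
    }

    /** Register an override used only when the named profile drives the request. */
    public void registerForProfile(String opIssuer, String profileId, ClientRegistration reg) {
        registrations.put(new Key(opIssuer, profileId), reg);
    }

    /**
     * Resolve in order: profile-specific entry, then the OP's global entry, else empty.
     * An empty result means the caller must fail the request rather than guess values.
     */
    public Optional<ClientRegistration> resolve(String opIssuer, String profileId) {
        ClientRegistration reg = registrations.get(new Key(opIssuer, profileId));
        if (reg == null) {
            reg = registrations.get(new Key(opIssuer, null));
        }
        return Optional.ofNullable(reg);
    }

    /** Build the scope parameter value: "openid" always first, duplicates dropped. */
    public static String scopeParameter(ClientRegistration reg) {
        List<String> extra = reg.scopes().stream()
                .filter(s -> !"openid".equals(s))
                .distinct()
                .toList();
        return extra.isEmpty() ? "openid" : "openid " + String.join(" ", extra);
    }

    public static void main(String[] args) {
        ProfileScopedClientResolver resolver = new ProfileScopedClientResolver();

        // Constructed sample data; issuer, profile IDs, client IDs and secrets are placeholders.
        String op = "https://op.example.org";
        String adminProfile = "https://rp.example.org/profile/oidc/admin";
        String defaultProfile = "https://rp.example.org/profile/oidc/default";

        resolver.registerGlobal(op,
                new ClientRegistration("rp-default-client", "default-secret-placeholder",
                        List.of("openid", "email")));
        resolver.registerForProfile(op, adminProfile,
                new ClientRegistration("rp-admin-client", "admin-secret-placeholder",
                        List.of("openid", "email", "groups")));

        // Profile with its own registration gets the narrower, profile-specific client and scopes.
        resolver.resolve(op, adminProfile)
                .ifPresent(r -> System.out.println(r.clientId() + " -> scope=" + scopeParameter(r)));

        // Profile without an override falls back to the OP-wide registration.
        resolver.resolve(op, defaultProfile)
                .ifPresent(r -> System.out.println(r.clientId() + " -> scope=" + scopeParameter(r)));

        // Unknown OP: nothing resolves, so no authentication request should be built.
        System.out.println("unknown OP resolved: "
                + resolver.resolve("https://other-op.example.org", defaultProfile).isPresent());
    }
}
```

The map-backed form covers the common static case Scott describes; a storage-backed implementation for dynamic registration would replace the `HashMap` behind the same `resolve` signature, leaving the request-construction code untouched.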

Completed

Details

Created February 17, 2022 at 3:58 PM
Updated October 14, 2022 at 1:29 PM
Resolved October 14, 2022 at 1:29 PM