Issues
- Release JDBC Plugin 2.1.0JJDBC-32Philip Smart
- Setter method for query timeout in JDBCStorageServiceJJDBC-31Resolved issue: JJDBC-31Rod Widdowson
- Incomplete SQL transaction in create()JJDBC-30Resolved issue: JJDBC-30
- Version 2.0.1 is OutOfDateJJDBC-29Resolved issue: JJDBC-29Scott Cantor
- Release JDBC Plugin 2.0.1JJDBC-28Resolved issue: JJDBC-28Rod Widdowson
- __Host-shib_idp_session cookie is not created when using the JDBCStorageService and OIDCJJDBC-27Resolved issue: JJDBC-27
- Version comparisons are incorrectly implementedJJDBC-26Resolved issue: JJDBC-26Rod Widdowson
- Statements are not closed after execution in all casesJJDBC-25Resolved issue: JJDBC-25Rod Widdowson
- StorageRecords table name should be case sensitiveJJDBC-24Resolved issue: JJDBC-24Rod Widdowson
- JDBC-DIST is deploying to an odd nameJJDBC-23Resolved issue: JJDBC-23Rod Widdowson
- Release V2.0.0JJDBC-22Resolved issue: JJDBC-22Rod Widdowson
- Possible issues with expiration logicJJDBC-21Resolved issue: JJDBC-21Rod Widdowson
- Extend to support EnumeratableStorageService interfaceJJDBC-20Resolved issue: JJDBC-20Scott Cantor
- Re-introduction of https://shibboleth.atlassian.net/browse/IDP-1020 ?JJDBC-19Resolved issue: JJDBC-19
- Java 17 Stack WorkJJDBC-18Resolved issue: JJDBC-18Rod Widdowson
- ERROR when JSON Parsing with MS SQL ServerJJDBC-17Resolved issue: JJDBC-17Rod Widdowson
- Release Version 1.0.4JJDBC-16Resolved issue: JJDBC-16Rod Widdowson
- PostGreSQL: InputOutputError upon Logout, autoCommit enabledJJDBC-15Resolved issue: JJDBC-15Rod Widdowson
- Remove StorageCapabilitiesEx reference when revised for V5JJDBC-14Resolved issue: JJDBC-14Rod Widdowson
- Release Version 1.0.3JJDBC-13Resolved issue: JJDBC-13Rod Widdowson
- Context Size claims to be too small for StorageBackedSessionManagerJJDBC-12Resolved issue: JJDBC-12Rod Widdowson
- Nightly Build failedJJDBC-11Resolved issue: JJDBC-11Rod Widdowson
- Add column names to (default) CREATE statementJJDBC-10Resolved issue: JJDBC-10Rod Widdowson
- Release Version 1.0.2JJDBC-9Resolved issue: JJDBC-9Rod Widdowson
- Update with no expiration failsJJDBC-8Resolved issue: JJDBC-8Rod Widdowson
- Version stuck at 1.0.0JJDBC-7Resolved issue: JJDBC-7Rod Widdowson
- Release Version 1.0.1JJDBC-6Resolved issue: JJDBC-6Rod Widdowson
- Unable to install JDBC Plugin in idp4.1.0 or 4.2.1JJDBC-5Resolved issue: JJDBC-5Rod Widdowson
- Output artefact should be the final oneJJDBC-4Resolved issue: JJDBC-4Rod Widdowson
- Align configuration with StoredIdConnectionJJDBC-3Resolved issue: JJDBC-3Rod Widdowson
- Add case sensitivity testing to verificationJJDBC-2Resolved issue: JJDBC-2Rod Widdowson
- Release JDBCStorageService V1.0JJDBC-1Resolved issue: JJDBC-1Scott Cantor
Support additional refresh token types
Description
Environment
is blocked by
Details
Assignee
Henri MikkonenHenri MikkonenReporter
Henri MikkonenHenri MikkonenFix versions
Details
Details
Assignee
Reporter
Fix versions
Activity
Henri MikkonenMarch 22, 2024 at 7:50 AM
After discussion with , refactored the bean-injection to the map of serializers and the list of deserializers. This way we make sure that the beans that get injected are prototypes. That may not always be required, but the message handlers may be stateful.
The beans are injected via two factories (new global beans):
shibboleth.oidc.RefreshTokenSerializerFactory
shibboleth.oidc.RefreshTokenDeserializerFactory
Those can be adjusted with two constructor parameters:
id: the id for the bean to be wired
allowNonPrototype: whether to allow non-prototype beans, defaults to false. The factory will return
nullif this is false but the injected bean is not prototype.
Henri MikkonenJanuary 19, 2024 at 6:32 AM
Added two new beans that are wired to the actions dealing with refresh tokens:
shibboleth.oidc.DefaultRefreshTokenSerializationStrategies (in token beans)
Map of serialization strategies (keyed with the refresh token type)
Serializer:
BiFunction<ProfileRequestContext,RefreshTokenClaimsSet,String>Custom map can be wired via
idp.oauth2.refreshToken.serializationStrategies-property
shibboleth.oidc.DefaultRefreshTokenDeserializers (in abstract beans)
List of deserializers
Deserializer:
BiFunction<ProfileRequestContext,String,RefreshTokenClaimsSet>Used by token, introspection and revocation flow
Custom list can be wired via
idp.oauth2.refreshToken.deserializers-property
Henri MikkonenDecember 8, 2023 at 2:01 PM
I drafted a prototype on this by modifying SetRefreshTokenToResponseContext action to be wired with refreshTokenSerializationStrategies: (Map<String, BiFunction<ProfileRequestContext,RefreshTokenClaimsSet,String>>). The key refers to the refresh token type (a new profile configuration option) and value to the bi-function that encodes the given RefreshTokenClaimsSet into a String that’s sent to back to the RP in the token endpoint.
The example bi-function for producing JWT refresh tokens seems to be fairly simple to implement by exploiting PopulateJWTSignatureSigningParametersHandler for building the SecurityParametersContext with SignatureSigningParameters, which is fed to the JWSTokenSigner for signing.
The deserialisation of incoming refresh tokens could be configured in a similar way: with a map of Strings (refresh token types) to (bi-)functions. That would need to be wired to ValidateGrant action (that validates the refresh token grant in the token endpoint) and for AbstractProcessTokenAction to provide compatibility with the introspection and revocation endpoints.
The refresh tokens are currently always encoded as opaque strings that contains all the state information in an internal JSON format, encrypted via DataSealer.
For instance the Italian CIE OIDC federation requires refresh tokens to be in JWT-format. Similarly to access tokens, we could support a
refreshTokenTypeprofile configuration option in order to configure refresh token types per relying party.Ideally the configuration option wouldn’t be limited to opaque and JWT types: it should offer means to inject fully customisable types, optionally exploiting server-side storage for the state.