...

Each RP is described by a JSON object in the format defined by the OpenID Connect Dynamic Client Registration 1.0 specification; that is, the file uses the same client metadata representation as the messages exchanged in that protocol. The required fields are:

Name            Type              Description
client_id       string            OIDC client identifier for the RP
response_types  array of strings  Response types the RP is permitted to request
scope           string            Scopes known for the RP (space-delimited list in one string)
redirect_uris   array of strings  Redirect URIs the RP is permitted to use (required, matched against the redirect_uri in requests)

Multiple RPs can be configured in a single file, and must be included in a JSON array.

...

```json
{
    "client_id": "demo_rp",
    "response_types": ["id_token"],
    "scope": "openid info profile email address phone",
    "redirect_uris": ["https://192.168.0.150/static"]
}
```

An example with multiple RPs:

```json
[
    {
        "client_id": "demo_rp",
        "response_types": ["id_token"],
        "scope": "openid info profile email address phone",
        "redirect_uris": ["https://192.168.0.150/static"]
    },
    {
        "client_id": "demo_rp2",
        "response_types": ["id_token"],
        "scope": "openid info profile email address phone",
        "redirect_uris": ["https://192.168.0.150/static2"]
    }
]
```
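A small validator for files in the JSON format above, added here as an example (it is not code from the Shibboleth project). It accepts either a single RP object or a JSON array of them, checks the four required fields and their types, and adds checks a practitioner would want before loading the file: every redirect URI must be an absolute https:// URI without a fragment, and client_id values must be unique across the file. The documents at the bottom are constructed for this example; note that strict JSON parsing rejects trailing commas, which is a common mistake when hand-editing these files.

```python
"""Validate an OIDC RP metadata file in the JSON (client registration) format.

Added example, not Shibboleth project code. Assumed checks beyond the page:
absolute https redirect URIs without fragments, unique client_id values.
"""
import json
from urllib.parse import urlsplit

# Required fields and their JSON types, as listed on the page.
REQUIRED = {
    "client_id": str,
    "response_types": list,
    "scope": str,
    "redirect_uris": list,
}


def check_rp(rp, index):
    """Return a list of error strings for one RP object (empty if it is fine)."""
    where = f"RP #{index}"
    if not isinstance(rp, dict):
        return [f"{where}: expected a JSON object, got {type(rp).__name__}"]
    errors = []
    for name, typ in REQUIRED.items():
        if name not in rp:
            errors.append(f"{where}: missing required field '{name}'")
        elif not isinstance(rp[name], typ):
            errors.append(f"{where}: field '{name}' must be {typ.__name__}")
    # Array fields must contain strings only.
    for name in ("response_types", "redirect_uris"):
        if isinstance(rp.get(name), list):
            for item in rp[name]:
                if not isinstance(item, str):
                    errors.append(f"{where}: entries of '{name}' must be strings")
    # Assumed hardening check: redirect URIs must be absolute https and fragment-free.
    if isinstance(rp.get("redirect_uris"), list):
        for uri in rp["redirect_uris"]:
            if not isinstance(uri, str):
                continue
            parts = urlsplit(uri)
            if parts.scheme != "https" or not parts.netloc:
                errors.append(f"{where}: redirect_uri {uri!r} must be an absolute https:// URI")
            if parts.fragment:
                errors.append(f"{where}: redirect_uri {uri!r} must not contain a fragment")
    return errors


def validate_rp_file(text):
    """Parse the file text; return a list of error strings (empty means valid)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]  # trailing commas end up here
    rps = doc if isinstance(doc, list) else [doc]
    errors = []
    seen = set()
    for i, rp in enumerate(rps):
        errors.extend(check_rp(rp, i))
        cid = rp.get("client_id") if isinstance(rp, dict) else None
        if isinstance(cid, str):
            if cid in seen:
                errors.append(f"RP #{i}: duplicate client_id {cid!r}")
            seen.add(cid)
    return errors


# Constructed sample documents for this example.
GOOD_DOC = """[
  {"client_id": "demo_rp", "response_types": ["id_token"],
   "scope": "openid profile email", "redirect_uris": ["https://192.168.0.150/static"]},
  {"client_id": "demo_rp2", "response_types": ["id_token"],
   "scope": "openid profile email", "redirect_uris": ["https://192.168.0.150/static2"]}
]"""
BAD_DOC = """{"client_id": "bad_rp", "response_types": ["id_token"],
  "redirect_uris": ["http://192.168.0.150/static#cb", "/relative"]}"""
DUP_DOC = """[
  {"client_id": "demo_rp", "response_types": ["id_token"], "scope": "openid",
   "redirect_uris": ["https://rp.example.org/cb"]},
  {"client_id": "demo_rp", "response_types": ["code"], "scope": "openid",
   "redirect_uris": ["https://rp.example.org/cb2"]}
]"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC), ("dup", DUP_DOC)):
        print(label, validate_rp_file(doc) or "OK")
```

Run it as a pre-deployment check on the metadata file; an empty list from validate_rp_file means the file parsed and passed every check.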

SAML/XML Format

The alternative format supported is a profile of SAML metadata described in OAuthRPMetadataProfile. This profile relies more heavily on extension elements than earlier adaptations of SAML metadata, because OAuth and OIDC are considerably more complex than the simpler protocols that map more directly onto SAML constructs.

...

If a secret value is prefixed by “{SHA2}”, then the supplied secret is hashed with SHA-256 and base64-encoded before being compared to the rest of the secret string. This is an unsalted hash with no work factor, so it does not protect a low-entropy secret against offline guessing if the configuration is exposed; it is obfuscation rather than real protection. The hashed form only adds meaningful protection when the client secret itself is a long random value.
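A worked example of the “{SHA2}” encoding and comparison, added here for illustration (this is not the plugin's own code). It assumes the stored form is the literal prefix “{SHA2}” followed by standard base64 (with padding) of the raw SHA-256 digest of the UTF-8 secret; the page says only “hashed with SHA-256 and base64-encoded”, so the exact base64 variant is an assumption. The comparison uses hmac.compare_digest to avoid timing leaks; whether the IdP compares that way is not stated on the page. The wordlist is constructed to show why an unsalted hash of a weak secret buys little, and new_client_secret shows the kind of value for which the hashed form is adequate.

```python
"""Encode, verify and (for a weak secret) offline-guess a "{SHA2}" client secret.

Added example, not Shibboleth project code. Assumptions: standard padded
base64 of the raw SHA-256 digest, UTF-8 encoding of the secret string.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

PREFIX = "{SHA2}"


def encode_sha2_secret(plain: str) -> str:
    """Produce the stored form: "{SHA2}" + base64(sha256(secret))."""
    digest = hashlib.sha256(plain.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")


def verify_secret(presented: str, stored: str) -> bool:
    """Compare a secret presented by an RP with the configured value.

    Unprefixed stored values are compared as plain text; "{SHA2}" values are
    compared after encoding the presented secret the same way. The comparison
    is constant-time (an added hardening choice, not something the page states).
    """
    candidate = encode_sha2_secret(presented) if stored.startswith(PREFIX) else presented
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def offline_guess(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted and unstretched: one SHA-256 per guess, reusable across every client."""
    for guess in wordlist:
        if encode_sha2_secret(guess) == stored:
            return guess
    return None


def new_client_secret(nbytes: int = 32) -> str:
    """A random secret with enough entropy that guessing is infeasible even unsalted."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample data for this example.
WEAK_STORED = encode_sha2_secret("password123")
WORDLIST = ["secret", "changeit", "password", "password123", "letmein"]

if __name__ == "__main__":
    print("stored form:", WEAK_STORED)
    print("verify ok:", verify_secret("password123", WEAK_STORED))
    print("offline guess recovered:", offline_guess(WEAK_STORED, WORDLIST))
    strong = new_client_secret()
    print("strong secret recovered:", offline_guess(encode_sha2_secret(strong), WORDLIST))
```

The practical rule this illustrates: generate client secrets with new_client_secret (or an equivalent CSPRNG source) and never derive them from words or reuse passwords, because the “{SHA2}” form offers no salt or stretching to compensate.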

Reference

Beans

shibboleth.oidc.ClientSecretValueResolvers
    Type: List<net.shibboleth.oidc.metadata.ClientSecretValueResolver>
    List of client secret resolvers applied to any <oidcmd:ClientSecretKeyReference> elements in SAML metadata.

shibboleth.oidc.PropertiesClientSecretValueResolver
    Type: net.shibboleth.oidc.metadata.impl.PropertiesClientSecretValueResolver
    A resolver that looks up secrets in a Java properties file set via the resource bean property.

shibboleth.oidc.ResolverServiceClientSecretValueResolver
    Type: net.shibboleth.oidc.metadata.impl.ResolverServiceClientSecretValueResolver
    A resolver that runs the AttributeResolver to resolve one or more client secrets from the attributes named by the attributeIds bean property.