...
Each RP is defined with a JSON structure defined by the OpenID Connect Dynamic Client Registration 1.0 specification; that is, the format is simply that of the messages in that protocol. The required fields are:
Name | Type | Description |
---|---|---|
client_id | string | OIDC client identifier for the RP |
response_types | array of strings | Accepted client response types |
scope | string | Known scopes (space-delimited list in one string) |
redirect_uris | array of strings | Required redirect response locations for the RP |
Multiple RPs can be configured in a single file, and must be included in a JSON array.
...
```json
{
  "client_id": "demo_rp",
  "response_types": ["id_token"],
  "scope": "openid info profile email address phone",
  "redirect_uris": ["https://192.168.0.150/static"]
}
```
An example with multiple RPs:
```json
[
  {
    "client_id": "demo_rp",
    "response_types": ["id_token"],
    "scope": "openid info profile email address phone",
    "redirect_uris": ["https://192.168.0.150/static"]
  },
  {
    "client_id": "demo_rp2",
    "response_types": ["id_token"],
    "scope": "openid info profile email address phone",
    "redirect_uris": ["https://192.168.0.150/static2"]
  }
]
```
SAML/XML Format
The alternative format supported is a profile of SAML metadata described in OAuthRPMetadataProfile. This profile makes heavier use of extensions than past adaptations of SAML metadata because of the comparative complexity of OAuth and OIDC relative to simpler protocols that have more similarity to SAML.
...
If a secret value is prefixed by “{SHA2}”, the supplied secret is hashed with SHA-256 and base64-encoded before being compared to the rest of the secret string. This is an unsalted hash, so it is not really suitable for exposure to offline attacks, but the secret is at least obfuscated.
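As an added illustration (not the IdP's own code), the following shows how a “{SHA2}” secret value as described above is produced from a plaintext secret and how a supplied secret is checked against either form. It assumes standard base64 with padding, which the text does not specify.

```python
import base64
import hashlib
import hmac

SHA2_PREFIX = "{SHA2}"


def encode_sha2_secret(plaintext: str) -> str:
    """Return the stored form: '{SHA2}' + base64(SHA-256(secret)).

    Assumption of this example: standard (non-URL-safe) base64 with padding.
    No salt is involved, so equal secrets always produce equal stored values.
    """
    digest = hashlib.sha256(plaintext.encode("utf-8")).digest()
    return SHA2_PREFIX + base64.b64encode(digest).decode("ascii")


def secret_matches(stored: str, supplied: str) -> bool:
    """Compare a client-supplied secret against a configured secret value.

    A plain stored value is compared directly; a value carrying the {SHA2}
    prefix is compared against the hashed, base64-encoded supplied secret.
    """
    if stored.startswith(SHA2_PREFIX):
        expected = stored[len(SHA2_PREFIX):]
        candidate = encode_sha2_secret(supplied)[len(SHA2_PREFIX):]
    else:
        expected, candidate = stored, supplied
    # Constant-time comparison so a mismatch position is not revealed via timing.
    return hmac.compare_digest(expected.encode("utf-8"), candidate.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample secret for the demo_rp client shown on this page.
    stored = encode_sha2_secret("correct horse battery staple")
    print(stored)
    print(secret_matches(stored, "correct horse battery staple"))  # True
    print(secret_matches(stored, "wrong"))                         # False
```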
Reference
Beans
Name | Type | Description |
---|---|---|
shibboleth.oidc.ClientSecretValueResolvers | List<net.shibboleth.oidc.metadata.ClientSecretValueResolver> | List of client secret resolvers to apply to any |
shibboleth.oidc.PropertiesClientSecretValueResolver | net.shibboleth.oidc.metadata.impl.PropertiesClientSecretValueResolver | A resolver that looks for secrets in a Java properties file set via the |
shibboleth.oidc.ResolverServiceClientSecretValueResolver | net.shibboleth.oidc.metadata.impl.ResolverServiceClientSecretValueResolver | A resolver that executes the AttributeResolver to resolve one or more client secrets via attributes set via the |