File(s): conf/oidc-clientinfo-resolvers.xml, conf/metadata-providers.xml
Format: Native Spring, Custom
Overview
There are two distinct ways the OP plugin resolves client (RP) details at runtime in order to apply policy to and process requests:
SAML metadata resolution
OIDC client information resolution
SAML metadata resolution is identical to, and configured in exactly the same way as, all other uses for SAML metadata. This method is managed by the IdP's MetadataConfiguration and supports all existing metadata provider types. This method obviously only applies when client information is managed using SAML metadata (see OPMetadataClientRegistration).
The older code from earlier versions of the plugin, which supports both JSON-formatted metadata and dynamic client registration, relies on a separate OIDC-specific component called a "ClientInformationResolver", of which only a couple of simple implementations exist.
Both methods are used automatically, with the older OIDC client resolution methods attempted first (if any are configured).
Configuration
Client information resolvers are configured using a new/dedicated reloadable service named "shibboleth.ClientInformationResolverService", which by default relies on the file conf/oidc-clientinfo-resolvers.xml for configuration. Because there are vastly fewer options and types of resolvers, a native Spring configuration file is used instead of a custom XML syntax.
The bean shibboleth.oidc.ClientInformationResolvers defines the set of resolvers to use, in order, to locate client metadata. The two types of resolvers supported and their options are below.
For use with dynamic client registration, resolvers using the parent bean shibboleth.oidc.StorageClientInformationResolver use a StorageService to locate client metadata. A single, required bean property is supported:
Example conf/oidc-clientinfo-resolvers.xml
For use with JSON metadata-based client registration, resolvers using the parent bean shibboleth.oidc.FilesystemClientInformationResolver load metadata from a Spring Resource. Technically this is not limited to the local file system but in practice that is the intent. The bean requires a single constructor argument, the Resource to load. Supported, but optional, bean properties are:
Example conf/oidc-clientinfo-resolvers.xml
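The following is an added illustration of a complete conf/oidc-clientinfo-resolvers.xml that wires both resolver types described above into the shibboleth.oidc.ClientInformationResolvers list; it is not the file shipped with the plugin. The bean ids, the metadata file path, and the storageService property name on the storage-backed resolver are assumptions; the filesystem resolver is given its Resource as an unnamed constructor argument so no argument name is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not the plugin's shipped configuration. Bean ids,
     the metadata file path and the "storageService" property name are
     assumptions made for this example. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize" default-destroy-method="destroy">

    <!-- Resolver for clients created through dynamic registration: it reads
         client metadata from a StorageService. shibboleth.StorageService is the
         IdP's default in-memory store; registrations kept there do not survive a
         restart, so a persistent server-side StorageService is the usual choice. -->
    <bean id="DynamicClientResolver"
          parent="shibboleth.oidc.StorageClientInformationResolver"
          p:storageService-ref="shibboleth.StorageService" />

    <!-- Resolver for statically registered clients kept as JSON on the local
         file system. The single constructor argument is the Spring Resource to
         load; Spring converts the path string into a Resource. -->
    <bean id="StaticClientResolver"
          parent="shibboleth.oidc.FilesystemClientInformationResolver">
        <constructor-arg value="%{idp.home}/metadata/oidc-client.json" />
    </bean>

    <!-- The ordered list the ClientInformationResolverService consults when
         locating a client; resolvers are tried in the order listed here. -->
    <util:list id="shibboleth.oidc.ClientInformationResolvers">
        <ref bean="DynamicClientResolver" />
        <ref bean="StaticClientResolver" />
    </util:list>

</beans>
```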
Reference
Properties related to the client resolution service are:
Beans defined in, or for use in, conf/oidc-clientinfo-resolvers.xml are: