Starting with V3.1, the OP plugin automatically registers a configurable Filter attached to its endpoints.
Activation
The filter registration is enabled by default, but the feature can be deactivated via a Java system property:
-Dnet.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer=disabled
Filter Mappings
By default, the filter is mapped to all /profile/oidc/* and /profile/oauth2/* endpoints, but the list can be customized via a space-separated list in the net.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer.mappings Java system property.
For instance, to register the filter for /profile/custom/* endpoints as well, the following system property would be declared:
"-Dnet.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer.mappings=/profile/oauth2/* /profile/oidc/* /profile/custom/*"
Filter Configuration
The filter is configured by defining a bean named via the idp.oidc.ResponseHeaderFilter property.
One example use case is to register custom HTTP response headers. In order to add the same HTTP headers that are by default added to the SAML and CAS endpoints, the idp.oidc.ResponseHeaderFilter property would be set to shibboleth.ResponseHeaderFilter:
idp.oidc.ResponseHeaderFilter = shibboleth.ResponseHeaderFilter
By default, this configures the values defined by the idp.hsts, idp.frameoptions and idp.csp properties into the corresponding HTTP headers (see PropertyReference ) and applies them to the OP plugin as well as the original IdP endpoints.