File(s): conf/oidc-clientinfo-resolvers.xml, conf/metadata-providers.xml
Format: Native Spring, Custom
Overview
There are two distinct ways the OP plugin resolves client (RP) details at runtime in order to apply policy to and process requests:
SAML metadata resolution is identical to, and configured in exactly the same way as, all other uses of SAML metadata. This method is managed by the IdP's MetadataConfiguration and supports all existing metadata provider types. It naturally applies only when client information is managed using SAML metadata (see OPMetadataClientRegistration).
The older code from earlier versions of the plugin, which supports both JSON-formatted metadata and dynamic client registration, relies on a couple of implementations of a separate, OIDC-specific component called a "ClientInformationResolver", of which only a couple of simple resolver variants exist.
Both methods are used automatically: the OIDC client information resolvers (if any are configured) are consulted first, and SAML metadata resolution is used when they do not locate the client.
Configuration
Client information resolvers are configured using a new/dedicated reloadable service named "shibboleth.ClientInformationResolverService", which by default relies on the file conf/oidc-clientinfo-resolvers.xml for configuration. Because there are vastly fewer options and types of resolvers, a native Spring configuration file is used instead of a custom XML syntax.
The bean shibboleth.oidc.ClientInformationResolvers defines the set of resolvers to use, in order, to locate client metadata. The two types of resolvers supported and their options are described below.
Storage
For use with dynamic client registration, resolvers using the parent bean shibboleth.oidc.StorageClientInformationResolver use a StorageService to locate client metadata.
A single, required bean property is supported:
Name | Type | Description
---|---|---
storageService | Bean ID | Bean ID of a StorageService component to read client information from. Typically this is the same instance used when configuring dynamic client registration.
Example
conf/oidc-clientinfo-resolvers.xml
<util:list id="shibboleth.oidc.ClientInformationResolvers">
<bean id="ExampleStorageResolver" parent="shibboleth.oidc.StorageClientInformationResolver"
p:storageService-ref="shibboleth.StorageService" />
</util:list>
File-Based
For use with JSON metadata-based client registration, resolvers using the parent bean shibboleth.oidc.FilesystemClientInformationResolver load metadata from a Spring Resource. Technically this is not limited to the local file system but in practice that is the intent.
The bean requires a single constructor argument, the Resource to load.
Supported, but optional, bean properties are:
Name | Type | Default | Description
---|---|---|---
minRefreshDelay | Duration | PT5M | Lower bound on the delay before the next file refresh, relative to the time calculated from the previous attempt. This delay is also used for the next attempt if the file did not exist or was not accessible.
maxRefreshDelay | Duration | PT4H | Upper bound on the delay before the next file refresh, relative to the time calculated from the previous attempt.
Example
conf/oidc-clientinfo-resolvers.xml
<util:list id="shibboleth.oidc.ClientInformationResolvers">
<bean id="ExampleFileResolver" parent="shibboleth.oidc.FilesystemClientInformationResolver"
c:_0="%{idp.home}/metadata/oidc-client.json" />
</util:list>
Reference
Properties
Properties related to the client resolution service are:
Name | Type | Default | Description
---|---|---|---
idp.service.clientinfo.failFast | Boolean | false | If true, any failure during initialization of any resolver results in IdP startup failure
idp.service.clientinfo.checkInterval | Duration | PT0S | When non-zero, enables monitoring of resources for service reload
idp.service.clientinfo.resources | Bean ID | shibboleth.ClientInformationResolverResources | Name of the bean used to define the resources to use in configuring this service
Beans
Beans defined in, or for use in, conf/oidc-clientinfo-resolvers.xml are:
Name | Type | Description
---|---|---
shibboleth.oidc.ClientInformationResolvers | List<ClientInformationResolver> | Defines the resolvers to run, in order, to locate OIDC client information
shibboleth.oidc.StorageClientInformationResolver | StorageServiceClientInformationResolver | Parent bean used to define new storage-based resolvers
shibboleth.oidc.FilesystemClientInformationResolver | FilesystemClientInformationResolver | Parent bean used to define new file/resource-based resolvers
shibboleth.oidc.ChainingClientInformationResolver | ChainingClientInformationResolver | Internal object used to define a chain of resolvers; not generally needed by deployers
shibboleth.oidc.RemoteJwkSetCache | RemoteJwkSetCache | Used to manage an internal cache of remotely fetched RP keys; not generally needed by deployers