OPClientResolution

File(s): conf/oidc-clientinfo-resolvers.xml, conf/metadata-providers.xml
Format: Native Spring, Custom

1 Overview
2 Configuration
- 2.1 Example
  - 2.1.1 conf/oidc-clientinfo-resolvers.xml
- 2.2 Example
  - 2.2.1 conf/oidc-clientinfo-resolvers.xml
3 Reference

Overview

There are two distinct ways the OP plugin resolves client (RP) details at runtime in order to apply policy to and process requests:

SAML metadata resolution
OIDC client information resolution

SAML metadata resolution is identical to, and configured in exactly the same way as, all other uses for SAML metadata. This method is managed by the IdP's MetadataConfiguration and supports all existing metadata provider types. This method obviously only applies when client information is managed using SAML metadata (see OPMetadataClientRegistration).

The older code from earlier versions of the plugin, which supports both JSON-formatted metadata and dynamic client registration, relies on a couple of implementations of a separate component called a "ClientInformationResolver", which is specific to OIDC and only supports a couple of simple resolver variants.

Both methods are used automatically, with the older OIDC client resolution methods attempted first (if any are configured).

Configuration

Client information resolvers are configured using a new/dedicated reloadable service named "shibboleth.ClientInformationResolverService", which by default relies on the file conf/oidc-clientinfo-resolvers.xml for configuration. Because there are vastly fewer options and types of resolvers, a native Spring configuration file is used instead of a custom XML syntax.

The bean shibboleth.oidc.ClientInformationResolvers defines the set of resolvers to use, in order, to locate client metadata. The two types of resolvers suported and their options are below.

For use with dynamic client registration, resolvers using the parent bean shibboleth.oidc.StorageClientInformationResolver use a StorageService to locate client metadata.

A single, required bean property is supported:

Name	Type	Description

Name	Type	Description
storageService	Bean ID	Bean ID of a StorageService component to read client information from. Typically this would be the same instance used in configuring dynamic client registration.

Example

conf/oidc-clientinfo-resolvers.xml

<util:list id="shibboleth.oidc.ClientInformationResolvers">
	<bean id="ExampleStorageResolver" parent="shibboleth.oidc.StorageClientInformationResolver"
		p:storageService-ref="shibboleth.StorageService" />
</util:list>

For use with JSON metadata-based client registration, resolvers using the parent bean shibboleth.oidc.FilesystemClientInformationResolver load metadata from a Spring Resource. Technically this is not limited to the local file system but in practice that is the intent.

The bean requires a single constructor argument, the Resource to load.

Supported, but optional, bean properties are:

Name	Type	Default	Description

Name	Type	Default	Description
minRefreshDelay	Duration	PT5M	Lower bound on the next file refresh from the time calculated based on the previous attempt. This duration is used for the next attempt if the file was not existing or accessible.
maxRefreshDelay	Duration	PT4H	Upper bound on the next file refresh from the time calculated based on the previous attempt

Example

conf/oidc-clientinfo-resolvers.xml

<util:list id="shibboleth.oidc.ClientInformationResolvers">
	<bean id="ExampleFileResolver" parent="shibboleth.oidc.FilesystemClientInformationResolver"
		c:_0="%{idp.home}/metadata/oidc-client.json" />
</util:list>

Reference

Properties related to the client resolution service are:

Name	Type	Default	Description

Name	Type	Default	Description
idp.service.clientinfo.failFast	Boolean	false	If true, any failures during initialization of any resolvers result in IdP startup failure
idp.service.clientinfo.checkInterval	Duration	PT0S	When non-zero, enables monitoring of resources for service reload
idp.service.clientinfo.resources	Bean ID	shibboleth.ClientInformationResolverResources	Name of bean used to define the resources to use in configuring this service

Beans defined in, or for use in, conf/oidc-clientinforesolvers.xml are:

Name	Type	Description

Name	Type	Description
shibboleth.oidc.ClientInformationResolvers	List<ClientInformationResolver>	Defines the resolvers to run in order to locate OIDC client information
shibboleth.oidc.StorageClientInformationResolver	StorageServiceClientInformationResolver	Parent bean used to define new storage-based resolvers
shibboleth.oidc.FilesystemClientInformationResolver	FilesystemClientInformationResolver	Parent bean used to define new file/resource-based resolvers
shibboleth.oidc.ChainingClientInformationResolver	ChainingClientInformationResolver	Internal object used to define a chain of resolvers, not generally needed by deployers
shibboleth.oidc.RemoteJwkSetCache	RemoteJwkSetCache	Used to manage an internal cache of remotely-fetched RP keys, not generally needed by deployers