/
OPClientResolution

OPClientResolution

File(s): conf/oidc-clientinfo-resolvers.xml, conf/metadata-providers.xml
Format: Native Spring, Custom

Overview

There are two distinct ways the OP plugin resolves client (RP) details at runtime in order to apply policy to and process requests:

  • SAML metadata resolution

  • OIDC client information resolution

SAML metadata resolution is identical to, and configured in exactly the same way as, all other uses for SAML metadata. This method is managed by the IdP's MetadataConfiguration and supports all existing metadata provider types. This method obviously only applies when client information is managed using SAML metadata (see OPMetadataClientRegistration).

The older code from earlier versions of the plugin, which supports both JSON-formatted metadata and dynamic client registration, relies on a couple of implementations of a separate component called a "ClientInformationResolver", which is specific to OIDC and only supports a couple of simple resolver variants.

Both methods are used automatically, with the older OIDC client resolution methods attempted first (if any are configured).

Configuration

Client information resolvers are configured using a new/dedicated reloadable service named "shibboleth.ClientInformationResolverService", which by default relies on the file conf/oidc-clientinfo-resolvers.xml for configuration. Because there are vastly fewer options and types of resolvers, a native Spring configuration file is used instead of a custom XML syntax.

The bean shibboleth.oidc.ClientInformationResolvers defines the set of resolvers to use, in order, to locate client metadata. The two types of resolvers suported and their options are below.

For use with dynamic client registration, resolvers using the parent bean shibboleth.oidc.StorageClientInformationResolver use a StorageService to locate client metadata.

A single, required bean property is supported:

Name

Type

Description

Name

Type

Description

storageService

Bean ID

Bean ID of a StorageService component to read client information from. Typically this would be the same instance used in configuring dynamic client registration.

Example

conf/oidc-clientinfo-resolvers.xml
<util:list id="shibboleth.oidc.ClientInformationResolvers"> <bean id="ExampleStorageResolver" parent="shibboleth.oidc.StorageClientInformationResolver" p:storageService-ref="shibboleth.StorageService" /> </util:list>

For use with JSON metadata-based client registration, resolvers using the parent bean shibboleth.oidc.FilesystemClientInformationResolver load metadata from a Spring Resource. Technically this is not limited to the local file system but in practice that is the intent.

The bean requires a single constructor argument, the Resource to load.

Supported, but optional, bean properties are:

Name

Type

Default

Description

Name

Type

Default

Description

minRefreshDelay

Duration

PT5M

Lower bound on the next file refresh from the time calculated based on the previous attempt. This duration is used for the next attempt if the file was not existing or accessible.

maxRefreshDelay

Duration

PT4H

Upper bound on the next file refresh from the time calculated based on the previous attempt

Example

conf/oidc-clientinfo-resolvers.xml
<util:list id="shibboleth.oidc.ClientInformationResolvers"> <bean id="ExampleFileResolver" parent="shibboleth.oidc.FilesystemClientInformationResolver" c:_0="%{idp.home}/metadata/oidc-client.json" /> </util:list>

Reference

Properties related to the client resolution service are:

Name

Type

Default

Description

Name

Type

Default

Description

idp.service.clientinfo.failFast

Boolean

false

If true, any failures during initialization of any resolvers result in IdP startup failure

idp.service.clientinfo.checkInterval

Duration

PT0S

When non-zero, enables monitoring of resources for service reload

idp.service.clientinfo.resources

Bean ID

shibboleth.ClientInformationResolverResources

Name of bean used to define the resources to use in configuring this service

Beans defined in, or for use in, conf/oidc-clientinforesolvers.xml are:

Name

Type

Description

Name

Type

Description

shibboleth.oidc.ClientInformationResolvers

List<ClientInformationResolver>

Defines the resolvers to run in order to locate OIDC client information

shibboleth.oidc.StorageClientInformationResolver

StorageServiceClientInformationResolver

Parent bean used to define new storage-based resolvers

shibboleth.oidc.FilesystemClientInformationResolver

FilesystemClientInformationResolver

Parent bean used to define new file/resource-based resolvers

shibboleth.oidc.ChainingClientInformationResolver

ChainingClientInformationResolver

Internal object used to define a chain of resolvers, not generally needed by deployers

shibboleth.oidc.RemoteJwkSetCache

RemoteJwkSetCache

Used to manage an internal cache of remotely-fetched RP keys, not generally needed by deployers

 

Related pages