{"type":"doc","content":[{"type":"paragraph","content":[{"text":"File(s):","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"conf/relying-party.xml","type":"text","marks":[{"type":"em"}]},{"text":", ","type":"text"},{"text":"conf/oidc.properties, static/openid-configuration.json","type":"text","marks":[{"type":"em"}]},{"type":"hardBreak"},{"text":"Format:","type":"text","marks":[{"type":"strong"}]},{"text":" Native Spring, Spring Properties, JSON","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"5cc5fa31-e404-4a93-ba8d-b5dd24e7033d"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"65f52640-e797-4843-a936-90e20b9b8f95"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"There are two features that provide for OP discovery by clients via the ","type":"text"},{"text":"OpenID Connect Discovery 1.0","type":"text","marks":[{"type":"link","attrs":{"href":"https://openid.net/specs/openid-connect-discovery-1_0.html"}}]},{"text":" specification, WebFinger and OP metadata discovery. The former isn't really applicable to this implementation because we don't provide any indirection between the WebFinger endpoint and the OP host since they're the same.","type":"text"}]},{"type":"paragraph","content":[{"text":"Because OIDC Discovery relies on a well-known URL at the root of the server (which the IdP does not control), this is not something the IdP can implement by itself. The web server has to cooperate by mapping the appropriate path to the functionality within the IdP, so the specifics depend on that web server. The documentation addresses Jetty 9.4 since that is the only recommended servlet container, but Jetty does evolve and the examples may become invalid over time.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"The plugin installs a template file to ","type":"text"},{"text":"static/openid-configuration.json","type":"text","marks":[{"type":"em"}]},{"text":". This file requires some degree of manual adjustment, but subsequently can be used in one of two ways, served statically or as the basis of a flow implemented within the plugin that can adjust some (but not all) of the information based on the configuration. The latter is generally recommended, though the former may offload some processing load from the IdP.","type":"text"}]},{"type":"paragraph","content":[{"text":"Again, some of the file's content must be manually updated to correspond to configuration choices in other files (e.g., documenting claims and supported grant types). The standard content of the metadata file is specified in the ","type":"text"},{"text":"OpenID Connect Discovery 1.0","type":"text","marks":[{"type":"link","attrs":{"href":"https://openid.net/specs/openid-connect-discovery-1_0.html"}}]},{"text":" specification.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Static Publication","type":"text"}]},{"type":"paragraph","content":[{"text":"To publish the file statically, the web server must be configured to map requests for ","type":"text"},{"text":"/.well-known/openid-configuration","type":"text","marks":[{"type":"em"}]},{"text":" to the ","type":"text"},{"text":"static/openid-configuration.json","type":"text","marks":[{"type":"em"}]},{"text":" file. This is server-dependent, and the server must also set the resulting Content-Type to \"application/json\".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Dynamic Publication","type":"text"}]},{"type":"paragraph","content":[{"text":"To publish the file dynamically, the web server must be configured to map requests for ","type":"text"},{"text":"/.well-known/openid-configuration","type":"text","marks":[{"type":"em"}]},{"text":" to ","type":"text"},{"text":"/idp/profile/oidc/configuration","type":"text","marks":[{"type":"em"}]},{"text":". This is server-dependent but typically can be done with rewrite mechanisms.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Jetty 9.4 Example","type":"text"}]},{"type":"paragraph","content":[{"text":"Jetty includes a rewrite module, which can be activated by running (from the JETTY_BASE location):","type":"text"}]},{"type":"codeBlock","marks":[{"type":"breakout","attrs":{"mode":"wide"}}],"content":[{"text":"$ java -jar $JETTY_HOME/start.jar --add-to-start=rewrite","type":"text"}]},{"type":"paragraph","content":[{"text":"This stages the ","type":"text"},{"text":"rewrite.ini","type":"text","marks":[{"type":"em"}]},{"text":" file to enable the module. To add rules, you must add your own file such as ","type":"text"},{"text":"etc/rewrite-rules.xml,","type":"text","marks":[{"type":"em"}]},{"text":" and ensure that file is loaded by Jetty by editing one of your ini files to include it. An example rule file:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"etc/rewrite-rules.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"marks":[{"type":"breakout","attrs":{"mode":"wide"}}],"content":[{"text":"\n\n\n\n\n\n\n \n \n \n \n\n \n \n \n /.well-known/openid-configuration\n /idp/profile/oidc/configuration\n \n \n \n\n \n","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Tomcat Example","type":"text"}]},{"type":"paragraph","content":[{"text":"Tomcat includes a ","type":"text"},{"text":"rewrite valve","type":"text","marks":[{"type":"link","attrs":{"href":"https://tomcat.apache.org/tomcat-10.1-doc/rewrite.html"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"catalina-base/conf/server.xml : ","type":"text"}]},{"type":"codeBlock","attrs":{"language":"plaintext"},"content":[{"text":"\n \n ","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"catalina-base/conf/Catalina/localhost/rewrite.config : ","type":"text"}]},{"type":"codeBlock","attrs":{"language":"plaintext"},"content":[{"text":"RewriteRule ^/\\.well-known/openid-configuration$ /idp/profile/oidc/configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"Note : the rewrite rule should probably end with the [L] flag.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Activation","type":"text"}]},{"type":"paragraph","content":[{"text":"Support for dynamic discovery is enabled by enabling a profile configuration bean called (or inherited from) \"OIDC.Configuration\". The clients (RPs) cannot be authenticated during the discovery sequence, so the only way to enable this profile is via the ","type":"text"},{"text":"shibboleth.UnverifiedRelyingParty","type":"text","marks":[{"type":"strong"}]},{"text":" bean (see ","type":"text"},{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://RelyingPartyConfiguration@idp"}}]},{"text":") since the RP by definition isn't verified.","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"The profile has no meaningful options that are likely to be adjusted here.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Customization","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"idp.oidc.discovery.template","type":"text","marks":[{"type":"strong"}]},{"text":" property may be used to override the location of the static template that forms the basis of the response.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"Properties"},"marks":[{"type":"breakout","attrs":{"mode":"wide"}}],"content":[{"type":"paragraph","content":[{"text":"Properties related to discovery in ","type":"text"},{"text":"conf/oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":" are:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"f3a8e20d-5596-4889-aa66-1e91281a438e"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[131.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[441.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[434.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"idp.oidc.discovery.template","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[131.0]},"content":[{"type":"paragraph","content":[{"text":"File pathname","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[441.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.home}/static/openid-configuration.json","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[434.0]},"content":[{"type":"paragraph","content":[{"text":"Location of discovery template to use","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[258.0]},"content":[{"type":"paragraph","content":[{"text":"idp.oidc.discovery.resolver","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[131.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[441.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.oidc.DefaultOpenIdConfigurationResolver","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[434.0]},"content":[{"type":"paragraph","content":[{"text":"Implementation bean for discovery, shouldn't require alteration","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans"},"marks":[{"type":"breakout","attrs":{"mode":"wide"}}],"content":[{"type":"paragraph","content":[{"text":"Beans related to discovery:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"1fbe571b-6b1e-40ef-a542-206296939cdd"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[361.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[804.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[361.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.oidc.OpenIDConfiguration ","type":"text"},{"text":"3.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","content":[{"text":"Resource","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[804.0]},"content":[{"type":"paragraph","content":[{"text":"Optional hook for defining a wholly different Spring resource type for the discovery template","type":"text"}]}]}]}]}]},{"type":"paragraph"}],"version":1}