{"type":"doc","content":[{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"By default, only the scope values in the OIDC authentication request that are registered in the client's metadata are considered as allowed scope values. Other values are filtered out before they can be referred to in ","type":"text"},{"text":"OIDCScope policy rule","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879193/OPAttributeFiltering#OIDCScope-Policy-Rule"}}]},{"text":" or included in the response messages.","type":"text"}]},{"type":"paragraph","content":[{"text":"This functionality can be customised by specifying a function ","type":"text"},{"text":"shibboleth.oidc.AllowedScopeStrategy","type":"text","marks":[{"type":"strong"}]},{"text":" of type Function. The scope returned by this function is used as the value of allowed scope: ie. all these values can be requested by the RPs without being filtered out.","type":"text"}]},{"type":"paragraph","content":[{"text":"The class ","type":"text"},{"text":"ScopeUtil","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.net/sites/release/java-idp-oidc/3.2.0/apidocs/net/shibboleth/idp/plugin/oidc/op/profile/ScopeUtil.html"}}]},{"text":" provides helper-methods for dealing with Scope values together with IdP attributes.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Example","type":"text"}]},{"type":"paragraph","content":[{"text":"The following snippet may be included for instance in ","type":"text"},{"text":"conf/global.xml","type":"text","marks":[{"type":"code"}]},{"text":". It specifies the function ","type":"text"},{"text":"shibboleth.oidc.AllowedScopeStrategy","type":"text","marks":[{"type":"strong"}]},{"text":", in this case together with a HelperPair to be able to exploit the default function and attribute resolver service:","type":"text"}]},{"type":"codeBlock","content":[{"text":" \n\n \n \n \n 0) {\n logger.debug(\"Setting new scope value from allowedScope attribute\");\n result = Java.type(\"net.shibboleth.idp.plugin.oidc.op.profile.ScopeUtil\").buildScope(attribute);\n } else {\n logger.debug(\"Keeping the existing scope value\");\n }\n input.removeSubcontext(resCtx); // cleanup\n }\n logger.debug(\"Scope to be returned: \" + result);\n result;\n ]]>\n \n \n ","type":"text"}]},{"type":"paragraph","content":[{"text":"The function checks if username can be resolved and if yes, resolves user’s attribute via resolver service. If an attribute ","type":"text"},{"text":"allowedScope","type":"text","marks":[{"type":"code"}]},{"text":" is resolved, its value will be used as the allowed scope for this user. If the username cannot be resolved (for instance with the backend flows) or if the attribute ","type":"text"},{"text":"allowedScope","type":"text","marks":[{"type":"code"}]},{"text":" is not resolved, the value returned by the default function ","type":"text"},{"text":"shibboleth.oidc.DefaultAllowedScopeStrategy","type":"text","marks":[{"type":"code"}]},{"text":" is returned. It corresponds to the scope specified in the RP metadata.","type":"text"}]},{"type":"paragraph","content":[{"text":"The attribute-resolver snippet below shows one example for specifying the ","type":"text"},{"text":"allowedScope","type":"text","marks":[{"type":"code"}]},{"text":" attribute:","type":"text"}]},{"type":"codeBlock","content":[{"text":" \n \n \n \n \n\n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"In this example, the ","type":"text"},{"text":"allowedScope","type":"text","marks":[{"type":"code"}]},{"text":" attribute is defined so that ","type":"text"},{"text":"phone","type":"text","marks":[{"type":"strong"}]},{"text":" value is removed from the default scope, if the attribute ","type":"text"},{"text":"phone_number_verified","type":"text","marks":[{"type":"code"}]},{"text":" is not set to ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"Obviously this specific example could have been implemented solely inside single ","type":"text"},{"text":"shibboleth.oidc.AllowedScopeStrategy ","type":"text","marks":[{"type":"strong"}]},{"text":"function, but the attribute-resolver snippet was included to demonstrate how its features may be exploited too in this context.","type":"text"}]}],"version":1}

Browser not supported