OIDCSecurityConfiguration

File(s): conf/oidc-credentials.xml, conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Property files.

1 Overview
2 Example
3 Reference

Overview

The security configuration for OIDC has many similarities with the generic IdP’s SecurityConfiguration, but contains beans specific to OIDC and the use of JSON Web Tokens (JWTs).

The default bean containing security configuration for JWT encryption, decryption, signing and signature validation is shibboleth.oidc.DefaultSecurityConfiguration, which can be controlled via idp.oidc.security.config -property. Various other properties (see Reference table at the end of the page) can be used for further controlling the security function specific details, such as algorithm configuration.

Example

As with other IdP security configurations, you can also override this on a per-profile, per-relying-party basis by adding a p:securityConfiguration-ref attribute to a profile bean.

For example:

<util:list id="shibboleth.RelyingPartyOverrides">        
        <bean id="OverrideOP" parent="RelyingPartyByName" c:relyingPartyIds="https://service.example.org">
            <property name="profileConfigurations">
                <list>     
                    <bean parent="OIDC.SSO" p:securityConfiguration-ref="overrideOIDCSecConfig" />
                </list>
            </property>
        </bean> 
</util:list>

<bean id="overrideOIDCSecConfig" parent="shibboleth.oidc.DefaultSecurityConfiguration">
  <property name="jwtDecryptionConfiguration">
      <ref bean="decryptionBeanName" />
  </property>
  <property name="jwtSignatureValidationConfiguration">
      <ref bean="signatureValidationBeanName" />
  </property>       
  <property name="jwtSignatureSigningConfiguration">
      <ref bean="signatureSigningBeanName" />
  </property>
  <property name="jwtEncryptionConfiguration">
      <ref bean="encryptionBeanName" />
  </property>
</bean>

You do not need to override all configuration options. Any not overridden, is taken from the default global parent bean.

Reference

Properties defined in oidc.properties directly related to this configuration area follow:

Property / Type / Default	Default	Function

Property / Type / Default	Default	Function
idp.signing.oidc.rs.key Resource path	{idp.home}/credentials/idp-signing-rs.jwk	Resource containing RSA private key for signing, typically a file in the credentials directory
idp.signing.oidc.es.key Resource path	{idp.home}/credentials/idp-signing-es.jwk	Resource containing EC private key for ES256 signing, typically a file in the credentials directory
idp.signing.oidc.rsa.enc.key Resource path	{idp.home}/credentials/idp-encryption-rsa.jwk	Resource containing RSA private key for decrypting, typically a file in the credentials directory
idp.oidc.security.config Bean ID of JSONSecurityConfiguration	shibboleth.oidc.DefaultSecurityConfiguration	Name of Spring bean supplying the default JSONSecurityConfiguration.
idp.oidc.signing.config Bean ID of BasicSignatureSigningConfiguration	shibboleth.oidc.SigningConfiguration	Name of Spring bean supplying the default BasicSignatureSigningConfiguration
idp.oidc.encryption.config Bean ID of BasicEncryptionConfiguration	shibboleth.oidc.EncryptionConfiguration	Name of Spring bean supplying the default BasicEncryptionConfiguration
idp.oidc.decryption.config Bean ID of BasicDecryptionConfiguration	shibboleth.oidc.DecryptionConfiguration	Name of Spring bean supplying the default BasicDecryptionConfiguration
idp.oidc.validation.config Bean ID of BasicSignatureValidationConfiguration	shibboleth.oidc.SignatureValidationConfiguration	Name of Spring bean supplying the default BasicSignatureValidationConfiguration

These beans are typically defined internally in various system files for use, or are defined in conf/oidc-credentials.xml or conf/relying-party.xml:

Name	Type	Description

Name	Type	Description
shibboleth.oidc.IncludedSignatureAlgorithms	List<String>	The list of included signature signing/validation algorithms (empty by default)
shibboleth.oidc.ExcludedSignatureAlgorithms	List<String>	The list of excluded signature signing/validation algorithms (empty by default)
shibboleth.oidc.IncludedEncryptionAlgorithms	List<String>	The list of included encryption/decryption algorithms (empty by default)
shibboleth.oidc.ExcludedEncryptionAlgorithms	List<String>	The list of included encryption/decryption algorithms (empty by default)
shibboleth.oidc.DefaultSecurityConfiguration	JSONSecurityConfiguration	The main bean defining the default security configuration
shibboleth.oidc.BasicSignatureSigningConfiguration	BasicSignatureSigningConfiguration	Parent bean used for defining the signature signing configuration
shibboleth.oidc.BasicEncryptionConfiguration	BasicEncryptionConfiguration	Parent bean used for defining the encryption configuration
shibboleth.oidc.BasicDecryptionConfiguration	BasicDecryptionConfiguration	Parent bean used for defining the decryption configuration
shibboleth.oidc.BasicSignatureValidationConfiguration	BasicSignatureValidationConfiguration	Parent bean used for defining the signature validation configuration
shibboleth.oidc.SigningConfiguration	BasicSignatureSigningConfiguration	Default bean used for defining the signature signing configuration
shibboleth.oidc.EncryptionConfiguration	BasicEncryptionConfiguration	Default bean used for defining the encryption configuration
shibboleth.oidc.DecryptionConfiguration	BasicDecryptionConfiguration	Default bean used for defining the decryption configuration
shibboleth.oidc.SignatureValidationConfiguration	BasicSignatureValidationConfiguration	Default bean used for defining the signature validation configuration
shibboleth.oidc.SigningCredentials	List<Credential>	Collection of keypairs used to sign data (technically only the private key matters here)
shibboleth.oidc.EncryptionCredentials	List<Credential>	Collection of keypairs used to decrypt data coming from the others (technically only the private key matters here)