OIDCSecurityConfiguration

File(s): conf/oidc-credentials.xml, conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Property files.

Overview

The security configuration for OIDC has many similarities with the generic IdP’s SecurityConfiguration, but contains beans specific to OIDC and the use of JSON Web Tokens (JWTs).

The default bean containing security configuration for JWT encryption, decryption, signing and signature validation is shibboleth.oidc.DefaultSecurityConfiguration, which can be controlled via idp.oidc.security.config -property. Various other properties (see Reference table at the end of the page) can be used for further controlling the security function specific details, such as algorithm configuration.

Example

As with other IdP security configurations, you can also override this on a per-profile, per-relying-party basis by adding a p:securityConfiguration-ref attribute to a profile bean.

For example:

<util:list id="shibboleth.RelyingPartyOverrides"> <bean id="OverrideOP" parent="RelyingPartyByName" c:relyingPartyIds="https://service.example.org"> <property name="profileConfigurations"> <list> <bean parent="OIDC.SSO" p:securityConfiguration-ref="overrideOIDCSecConfig" /> </list> </property> </bean> </util:list> <bean id="overrideOIDCSecConfig" parent="shibboleth.oidc.DefaultSecurityConfiguration"> <property name="jwtDecryptionConfiguration"> <ref bean="decryptionBeanName" /> </property> <property name="jwtSignatureValidationConfiguration"> <ref bean="signatureValidationBeanName" /> </property> <property name="jwtSignatureSigningConfiguration"> <ref bean="signatureSigningBeanName" /> </property> <property name="jwtEncryptionConfiguration"> <ref bean="encryptionBeanName" /> </property> </bean>

You do not need to override all configuration options. Any not overridden, is taken from the default global parent bean.

Reference

Properties defined in oidc.properties directly related to this configuration area follow:

Property / Type / Default

Default

Function

Property / Type / Default

Default

Function

idp.signing.oidc.rs.key

Resource path

{idp.home}/credentials/idp-signing-rs.jwk

Resource containing RSA private key for signing, typically a file in the credentials directory

idp.signing.oidc.es.key

Resource path

 {idp.home}/credentials/idp-signing-es.jwk

Resource containing EC private key for ES256 signing, typically a file in the credentials directory

idp.signing.oidc.rsa.enc.key

Resource path

 {idp.home}/credentials/idp-encryption-rsa.jwk

Resource containing RSA private key for decrypting, typically a file in the credentials directory

idp.oidc.security.config

Bean ID of JSONSecurityConfiguration

shibboleth.oidc.DefaultSecurityConfiguration

Name of Spring bean supplying the default JSONSecurityConfiguration.

idp.oidc.signing.config

Bean ID of BasicSignatureSigningConfiguration

shibboleth.oidc.SigningConfiguration

Name of Spring bean supplying the default BasicSignatureSigningConfiguration

idp.oidc.encryption.config

Bean ID of BasicEncryptionConfiguration

shibboleth.oidc.EncryptionConfiguration

Name of Spring bean supplying the default BasicEncryptionConfiguration

idp.oidc.decryption.config

Bean ID of BasicDecryptionConfiguration

shibboleth.oidc.DecryptionConfiguration

Name of Spring bean supplying the default BasicDecryptionConfiguration

idp.oidc.validation.config

Bean ID of BasicSignatureValidationConfiguration

shibboleth.oidc.SignatureValidationConfiguration

Name of Spring bean supplying the default BasicSignatureValidationConfiguration

These beans are typically defined internally in various system files for use, or are defined in conf/oidc-credentials.xml or conf/relying-party.xml:

Name

Type

Description

Name

Type

Description

shibboleth.oidc.IncludedSignatureAlgorithms

List<String>

The list of included signature signing/validation algorithms (empty by default)

shibboleth.oidc.ExcludedSignatureAlgorithms

List<String>

The list of excluded signature signing/validation algorithms (empty by default)

shibboleth.oidc.IncludedEncryptionAlgorithms

List<String>

The list of included encryption/decryption algorithms (empty by default)

shibboleth.oidc.ExcludedEncryptionAlgorithms

List<String>

The list of included encryption/decryption algorithms (empty by default)

shibboleth.oidc.DefaultSecurityConfiguration

JSONSecurityConfiguration

The main bean defining the default security configuration

shibboleth.oidc.BasicSignatureSigningConfiguration

BasicSignatureSigningConfiguration

Parent bean used for defining the signature signing configuration

shibboleth.oidc.BasicEncryptionConfiguration

BasicEncryptionConfiguration

Parent bean used for defining the encryption configuration

shibboleth.oidc.BasicDecryptionConfiguration

BasicDecryptionConfiguration

Parent bean used for defining the decryption configuration

shibboleth.oidc.BasicSignatureValidationConfiguration

BasicSignatureValidationConfiguration

Parent bean used for defining the signature validation configuration

shibboleth.oidc.SigningConfiguration

BasicSignatureSigningConfiguration

Default bean used for defining the signature signing configuration

shibboleth.oidc.EncryptionConfiguration

BasicEncryptionConfiguration

Default bean used for defining the encryption configuration

shibboleth.oidc.DecryptionConfiguration

BasicDecryptionConfiguration

Default bean used for defining the decryption configuration

shibboleth.oidc.SignatureValidationConfiguration

BasicSignatureValidationConfiguration

Default bean used for defining the signature validation configuration

shibboleth.oidc.SigningCredentials

List<Credential>

Collection of keypairs used to sign data (technically only the private key matters here)

shibboleth.oidc.EncryptionCredentials

List<Credential>

Collection of keypairs used to decrypt data coming from the others (technically only the private key matters here)

 

Â