OPUnregisteredClientPolicy

Owned by Henri Mikkonen
Last updated: Feb 16, 2024
2 min read

Overview

As of V4.0, the OIDC OP plugin supports configurable policies for unregistered clients. An “unregistered client” is a client (RP) that doesn’t have registered metadata. The general rule is that the unregistered RPs may access a specific profile if the request meets the following two requirements:

  1. The profile is included in the shibboleth.UnverifiedRelyingParty relying party configuration

  2. The request message is compliant with the unregistered client policy configured for the profile

In addition to the two requirements above, the profiles that require client authentication (OAUTH2.Token, OAUTH2.Introspection and OAUTH2.Revocation ), the client authentication (by default: authn/OAuth2Client) needs to be configured to successfully authenticate the unregistered client.

In effect the policy allows control over the behavior despite the lack of metadata. Some IdP features, such as the Attribute Filter, will already honor rules based on the “requester” despite the lack of metadata, provided that the request makes it far enough to reach that step. Scripts that interrogate, e.g., the relying party ID, will also be functional and would need to include additional logic to check for the verified status of the request to distinguish these cases.

Policy language

The policy language uses the same syntax used in metadata policies for dynamic client registration. The concept is defined in the OpenID Connect Federation 1.0 specification (draft 29 at the time of writing this documentation). We support the structure and some of the rules specified in section 5.1 of the specification draft:

  • the value operator for scope validation

  • the one_of value check for client_id, redirect_uri and response_type validation

  • the regexp value check for client_id and redirect_uri validation

    • This is not really specified in the spec draft, but is mentioned in appendices as an example of extending the policy language. Note that such extensions are non-unique and these policies would therefore be unsafe to use outside of a local context, but at present we only use them in that capacity anyway.

The client_id validation is performed in all OIDC.SSO, OAUTH2.Token, OIDC.UserInfo, OAUTH2.Introspection and OAUTH2.Revocation profiles.

The scope validation is performed in the OIDC.SSO, OAUTH2.Token and OIDC.UserInfo profiles.

The redirect_uri validation is performed in the OIDC.SSO and OAUTH2.Token profiles.

The response_type validation is performed in the OIDC.SSO profile.

Example

The default policy file is located at %{idp.home}/conf/oidc-unregistered-client-policy.json:

{ "client_id": { "one_of": ["policyAcceptedClient1","policyAcceptedClient2"] }, "scope": { "value": "openid" }, "redirect_uri": { "regexp": "^https:\/\/(?:([^.]+).)?example.org\/(.*)" }, "response_type": { "one_of": ["code"] } }

It should be read as follows:

  • client_id must be one of the following values: policyAcceptedClient1 or policyAcceptedClient2

  • allowed scope value is openid - one can add additional scopes in the same way as in metadata (for instance "openid profile email")

  • redirect_uri must meet the regular expression, in this case starting with https:// and server name belonging to the example.org domain

  • response_type must be one code