/
OPPushedAuthorization

OPPushedAuthorization

Overview

Since OP version 4.2, the OAUTH2.PAR profile configuration bean enables support for OAuth2 Pushed Authorization Requests (PAR), a method for clients to push the payload of an OAuth 2.0 authorization request to AS/OP via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint.

Configuration

The requestUriType option can be used for defining the type how the resulting request_uri values are produced. The default (empty) value refers to the use of opaque format: it encodes all the requested parameters inside the token which is encrypted via data sealer. The benefit is that no server-side state is needed, but very long request parameter values may cause its length to exceed 512 ASCII characters, which is not recommended by the specs. The value “ss” refers to the use of configurable storage service: then the value remain short but the same storage must be available for authorization endpoint (OIDC.SSO profile) when the request_uri is used.

Virtually all the configuration options below can be set via two different properties: a static property that explicitly sets the value to use and a lookup strategy or predicate property that takes a Function or Predicate and returns the value to use. The dynamic property is generally named "propertyNamePredicate" or "propertyNameLookupStrategy" for Boolean- and non-Boolean-valued properties respectively.

Options common to all OAuth2/OIDC profiles:

Name

Type

Default

Description

Name

Type

Default

Description

securityConfiguration   

JSONSecurityConfiguration

Bean named shibboleth.oidc.DefaultSecurityConfiguration

An object containing all of the default security-related objects needed for peer authentication and encryption. See OIDCSecurityConfiguration for complete details.

messageHandler 4.2

Function<MessageContext,Exception>

 

A function hook allowing modification of messages before signing and transmission, useful for adding extensions

inboundInterceptorFlows

List<String>

 

Ordered list of profile interceptor flows to run prior to message processing

outboundInterceptorFlows

List<String>

 

Ordered list of profile interceptor flows to run prior to outbound message handling

Guidance

Modifying the security configuration is usually done to:

  • specify an alternate signing or decryption key to use

  • control signing or encryption algorithms

The two interceptor lists allow the much less commonly used profile interceptor injection points to be used. This is largely a Java-based way of doing very low-level sorts of “message rewriting” hackery that might otherwise be impossible to pull off. One use case for the inbound side might be picking up non-standard parameters in a request.

Options common to OP profiles with OIDC flow settings:

Name

Type

Default

Description

Name

Type

Default

Description

authorizationCodeFlowEnabled

Boolean

true

Whether to enable the authorization code flow

hybridFlowEnabled

Boolean

true

Whether to enable the hybrid flow

implicitFlowEnabled

Boolean

true

Whether to enable the implicit flow

refreshTokensEnabled

Boolean

true

Whether to enable refresh token support

 

Options common to OP profiles that support client authentication:

Name

Type

Default

Description

Name

Type

Default

Description

tokenEndpointAuthMethods

Collection<String>

client_secret_basic,
client_secret_post,
client_secret_jwt,
private_key_jwt

Enabled endpoint client authentication methods for the profile. Note that the RP metadata also needs to set the token endpoint authentication method: the default value when it’s not set is client_secret_basic.

Also note that the method none for public clients that cannot authenticate is not included in the list of default values. Similarly to other methods, it needs to be enabled in the profile with this option and also set in the RP metadata.

useTargetedEndpointAsJWTAudience4.3

Boolean

true

Flag to enable use of endpoints (the token or target endpoint) in the JWT client authentication audience

requireSingleJWTAudience4.3

Boolean

false

Flag to require single value in the JWT client authentication audience

clientAuthenticationJWTType4.3

String

 

Mandatory value for the typ header used within JWT authentication

unregisteredClientPolicy4.0

Map<String, UnregisteredClientPolicy>

See wiki page

The policy used to verify unverified clients when this profile is enabled in the unverified RP config

Since OP v3.4, the JWT-based client authentication methods (client_secret_jwt and private_key_jwt) accepts any of the following three audiences:

  1. OP issuer value (profile responder ID)

  2. The token flow endpoint URL value (even for introspection and revocation endpoints)

  3. The flow endpoint URL value

For convenience, the following methods also exist for globally control the default values:

  • Property idp.oauth2.jwtAuth.targetedEndpointAsJWTAudience4.3

  • Property idp.oauth2.jwtAuth.requireSingleJWTAudience4.3

  • Any custom bean for validating the audience can be set via idp.oauth2.jwtAuth.audienceValidator -property.

For convenience, the enabled client authentication methods are also controllable globally via the idp.oidc.tokenEndpointAuthMethods property.

For convenience, this is also controllable globally via the idp.oidc.tokenEndpointAuthMethods property.

If the incoming request contains both DPoP proof JWT and dpop_jkt parameter, the proof key thumbprint must match with the parameter value. Whenever one of those methods are used, the authorization code will be bound to the proof and thus the end-to-end binding of the entire authorization flow is enabled.

Options related to DPoP proof validation:

Name

Type

Default

Description

Name

Type

Default

Description

requireDpopProof 4.2

Boolean

false

A flag for requiring the DPoP proof JWT in the profile. If the proof exists in the request, it’s always validated.

dpopProofClaimsValidator 4.2

ClaimsValidator

Beans named DefaultDPoPProofClaimsValidator for PAR/token and DefaultDPoPWithAthProofClaimsValidator for others (involving access token validation)

The claims validation configuration used for validating the payload contents of the DPoP proof JWTs. The default values follows the RFC: the latter also verifying the access token hash claim.

dpopProofSignatureValidationConfiguration 4.2

BasicSignatureValidationConfiguration

Bean named DPoPSignatureValidationConfiguration

The bean used for defining the signature validation configuration used for validating DPoP proof signatures.

dpopProofNonceGenerator 4.2

Function<
ProfileRequestContext,
String>

Bean named DefaultOAuth2DPoPNonceGenerator

The bean used for defining the function used for generating nonce used within DPoP proofs. Null value (#{null}) means that nonces are disabled.

If modified to a non-null value, the dpopProofClaimsValidatorneeds to be modified to be able to validate the custom nonce value.

DPoP proof claims set validation

The idp.policy.messageLifetimeand idp.policy.clockSkew properties are exploited when validating the iat -claim.

Replay detection

The DPoP proofs must contain a unique identifier (jti -claim). The default validation (the dpopProofClaimsValidator option) implements this check via shibboleth.ReplayCachebean, which exploits the storage service that may be configured via idp.replayCache.StorageService -property (see https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199509576/StorageConfiguration#Reference ).

The lifetime for the replay cache record is taken from the exp -claim if it exists in the DPoP proof claims set. If not, the property idp.oauth2.dpop.replayCacheLifetime(defaults to 5 minutes) is exploited. The record key is taken from the jti claim.

In order to guard against memory exhaustion attacks, the jti values longer than 64 characters are hashed with SHA-256 before using them as the replay record key. The maximum record lifetime may also be set via idp.oauth2.dpop.maxReplayCacheLifetime-property, which defaults to 5 minutes.

Nonces

If the dpopProofNonceGenerator option has a value, the bean is used for generating nonce values to be used within DPoP proof JWTs. The default value points to an implementation that generates relying party -specific values that are valid for 5 minutes, customisable via idp.oauth2.dpop.nonceLifetime-property. The default implementation exploits the data sealer for encrypting the nonce value into an opaque string.

The default value for dpopProofClaimsValidator contains a claims validator that is activated whenever dpopProofNonceGenerator option has a value.

Note that any browser-based client applications using CORS may require the DPoP-Nonce to be included in the Access-Control-Expose-Headers response header list value. The page https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199501090 describes some alternatives for handling CORS preflight requests. For instance the Spring CORS configuration supports p:exposedHeaders="DPoP-Nonce"as a way for satisfying that requirement.

 

Options specific to the PAR flow:

Name

Type

Default

Description

Name

Type

Default

Description

forcePKCE

Boolean

false

Whether client is required to use PKCE

allowPKCEPlain

Boolean

false

Whether client is allowed to use PKCE code challenge method "plain"

useRequestObject

Boolean

false

Whether to enforce use of request objects

encryptRequestObject

Boolean

false

Whether to enforce encryption of request objects if they’re used.

responseModes

Set<String>

 

Specifies allowed values for response_mode in the authorization/authentication requests. Null/empty means that all supported values are allowed.

requireAuthenticationRequest

Boolean

true

Whether to enforce use of OIDC authentication sequence (involving openid scope).

Note! In SAML metadata-driven configuration, only the use of requireAuthenticationRequestPredicate is supported.

strictScopeValidation

Boolean

true

Whether to enable strict scope validation. If enabled, the request containing non-allowed (not registered for the registered clients or non-policy compliant for unregistered clients) scope values is considered as an error.

customRedirectUriValidationStrategy

BiPredicate<

URI,

ProfileRequestContext

>

null

Custom validation strategy for the redirect_uri parameter. If a value is set, it overrides the default validation logic for both registered and unregistered clients.

requestUriType

String

 

Format of request_uri. Supports values are “ss” or nothing/empty/null, implying opaque tokens.

“ss” refers to the use of storage service (defined byidp.oauth2.par.StorageService, defaulting to in-memory service): this way the values remain shorter as the URI value only contains a reference to the storage record.

requestUriLifetime

Duration

PT1M

Lifetime for the request_uri to remain valid

requireDpopJkt

Boolean

false

Whether to require the use of dpop_jkt -parameter. It’s the JWK Thumbprint of the proof-of-possession public key using the SHA-256 hash function.

requestUriClaimsSetManipulationStrategy

BiFunction<
ProfileRequestContext,
Map<String,Object>,
Map<String,Object>
>

 

Manipulation strategy for customising request_uri claims set contents. The BiFunction inputs are the ProfileRequestContext and the current contents of request_uri as a Map<String,Object>.

If the result is non-null, the result (Map<String,Object) is used to replace the contents of the id_token. It is the deployer’s responsibility to ensure the results remain valid/appropriate.

The following properties can be used to globally adjust some of the settings above (some of them affect other profiles as well).

  • idp.oidc.forcePKCE

  • idp.oidc.allowPKCEPlain

  • idp.oauth2.requireAuthenticationRequestPredicate

  • idp.oidc.requestobject.used

  • idp.oidc.requestobject.encrypted

  • idp.oauth2.responseModes

  • idp.oauth2.par.requestUriType

  • idp.oauth2.par.requestUriLifetime

  • idp.oauth2.par.serializationStrategies

  • idp.oauth2.par.StorageService