Skip to content

MetadataConfiguration

Jump to bottom
Scott Cantor edited this page Feb 15, 2021 · 8 revisions

Current File(s): conf/oidc-metadata-providers.xml

Overview

In the similar way as with SAML, the trusted OIDC relying parties are configured via metadata or by enabling profiles for unverified RPs.

The trusted metadata sources are configured by adding bean-references to the list named shibboleth.oidc.ClientInformationResolvers inside the oidc-metadata-providers.xml -file. The default configuration contains two resolvers (ExampleFileResolver and ExampleStorageClientInformationResolver), see below:

<util:list id="shibboleth.oidc.ClientInformationResolvers"
    value-type="org.geant.idpextension.oidc.metadata.resolver.ClientInformationResolver">
    <ref bean="ExampleFileResolver" />
    <ref bean="ExampleStorageClientInformationResolver" />
</util:list>

ClientInformationResolver Types

Common configuration properties

The following configuration properties are common for all resolvers:

  • failFastInitialization (true/false, defaults to true, since v2.0.0): Whether to fail initialization of the underlying ClientInformationResolverService (and possibly the IdP as a whole) if the initialization of a metadata provider fails. When false, the IdP may start, and will continue to attempt to reload valid metadata if configured to do so, but operations that require valid metadata will fail until it does.

ChainingClientInformationResolver

The ChainingClientInformationResolver combines multiple client information resolvers.

Configuration properties

  • resolvers: The list of client information resolvers to be included in this chain.

Example

An example below defines a ChainingClientInformationResolver, chaining two resolvers called AnotherExampleResolver1 and AnotherExampleResolver2.

<bean id="ExampleChainingResolver"
    class="org.geant.idpextension.oidc.metadata.impl.ChainingClientInformationResolver"
    p:id="ExampleChainResolver1" 
    p:resolvers-ref="ExampleChainedResolvers1"/>

<util:list id="ExampleChainedResolvers1"
    value-type="org.geant.idpextension.oidc.metadata.resolver.ClientInformationResolver">
    <ref bean="AnotherExampleResolver1" />
    <ref bean="AnotherExampleResolver2" />
</util:list>

FilesystemClientInformationResolver

The FilesystemClientInformationResolver loads client information from a JSON file located on the file system of the IdP.

Configuration properties

  • minRefreshDelay (duration): Lower bound on the next file refresh from the time calculated based on the previous attempt. This duration is used for the next attempt if the file was not existing or accessible.

  • maxRefreshDelay (duration): Upper bound on the next file refresh from the time calculated based on the previous attempt.

File structure

At minimum, the following objects must be declared in the JSON file:

  • client_id: The client identifier as string.
  • response_types: The accepted response types for the client as array of strings.
  • scope: The accepted scopes for the client. Space-separated list in one string.
  • redirect_uris: The accepted redirect URIs for the client. An array of strings.

An example of the JSON file with minimal settings:

{
    "scope": "openid info profile email address phone",
    "redirect_uris": ["https://192.168.0.150/static"],
    "client_id": "demo_rp",
    "response_types": ["id_token"]
}

Multiple RPs can also be configured in a single file. They must be included inside a JSON array in the following way:

[
    {
        "scope": "openid info profile email address phone",
        "redirect_uris": ["https://192.168.0.150/static1"],
        "client_id": "demo_rp1",
        "response_types": ["id_token"]
    },
    {
        "scope": "openid info profile email address phone",
        "redirect_uris": ["https://192.168.0.150/static2"],
        "client_id": "demo_rp2",
        "response_types": ["id_token"]
    }
]

Example

An example below defines a FilesystemClientInformationResolver, fetching the client information details from a file called /opt/shibboleth-idp/metadata/oidc-client.json.

<bean id="ExampleFileResolver"
    class="org.geant.idpextension.oidc.metadata.impl.FilesystemClientInformationResolver"
    p:id="ExampleFileResolver1" p:maxRefreshDelay="PT4H" p:minRefreshDelay="PT1H">
    <constructor-arg>
        <bean class="java.io.File" id="ExampleFile">
            <constructor-arg type="String" value="/opt/shibboleth-idp/metadata/oidc-client.json" />
        </bean>
    </constructor-arg>
</bean>

StorageServiceClientInformationResolver

The StorageServiceClientInformationResolver fetches client information from a StorageService configured for the resolver.

Configuration properties

  • storageService: The IdP storage service to be used for fetching the resolvers. The interoperability has been verified with shibboleth.StorageService (in-memory, not persistent) and shibboleth.JPAStorageService (RDBMS).

Example

An example below defines a StorageServiceClientInformationResolver that exploits database-backed storage service (shibboleth.JPAStorageService) for fetching the resolvers.

<bean id="ExampleStorageClientInformationResolver"
    class="org.geant.idpextension.oidc.metadata.impl.StorageServiceClientInformationResolver"
    p:id="ExampleStorageResolver1" p:storageService-ref="shibboleth.JPAStorageService"/>

(Migrated)

Clone this wiki locally