Skip to content

The first alpha release

Pre-release
Pre-release
Compare
Choose a tag to compare
@hjmikkon hjmikkon released this 22 Dec 08:59
· 1081 commits to maint-1 since this release

Features

Dynamic Registration

Related specification: https://openid.net/specs/openid-connect-registration-1_0.html

  • List of verified & stored claims
    • scope
    • redirect_uris
    • application_type
    • contacts
    • response_types (id_token)
    • grant_types (implicit)
  • Only “open registration” currently supported (the RPs are not authenticated in any way)
    • Use “shibboleth.UnverifiedRelyingParty" -bean in relying-party.xml

WebFinger

Related specification: https://openid.net/specs/openid-connect-discovery-1_0.html

Flow flows/oidc/webfinger contains simplified WebFinger implementation that always responds with the requested resource without any kind of verification.

Authorize flow

Related specification: http://openid.net/specs/openid-connect-core-1_0.html

  • Supported response type is “id_token”.

  • Features exceeding the minimum behaviour required for conformance. List is not comprehensive.

    • ID Tokens may be signed with any oidc signing algorithm, not just RS256
    • Acr may be requested both as voluntary and essential claim
    • Subject types public and pairwise are both supported
    • Claims parameter is supported
  • Known shortcomings / features not supported. List is not comprehensive.

    • Prompt values ‘consent’ and ‘select_account’ are ignored.
    • If prompt is set to ‘none’, user may still be presented with attribute release consent page
    • Encryption of ID Token is not supported
    • Request object is not supported

Noncomprehensive list of General OIDC extension related features

  • As an addition to conventional shibboleth credentials, JWK based credentials are also supported.
  • Attribute filtering has two extensions:
    • Policy rule oidcext:OIDCScope for requested scope.
    • Matcher oidcext:AttributeInOIDCRequestedClaims for requested claim.
  • Attribute Encoder extensions
    • oidcext:OIDCString
    • oidcext:OIDCScopedString
    • oidcext:OIDCByte
  • Signing configuration extensions supporting RS256, RS384, RS512, ES256, ES384, ES512, HS256, HS384 and HS512 signature algorithms.

Installation

The recommended way to test alpha release is to deploy it using the provided ansible scripts to vagrant. You may edit the script to install it to cloud or install it manually on top of existing shibboleth idp test installation but the support for doing that will be very limited from us. We are interested of hearing on your experiences though if you choose to go that way.

Vagrant deployment is described on https://github.com/CSCfi/shibboleth-idp-oidc-extension

  • Tested with Vagrant versions 1.9.5 & 2.0.1
  • Tested with Ansible version 2.3.0 & 2.4.1 & 2.4.2

Feedback

Feedback is preferred in the form of GitHub issues if applicable.

  • We would like to hear about oidc conformance
    • If the implicit flow is behaving badly we would like to hear about it.
  • We would like to hear about configuring oidc
    • The alpha release already should be very shibboleth like when it comes to configuring it, it should not feel like something glued on top of it. If you find that configuring oidc extension is not what you would expect, we would like to hear about it. The configuration options are described in the wiki https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki
  • Bugs in general
    • We have not intentionally left any bugs for you to find. If you find any, we would like to hear about it.
  • Installation
    • Installation has not been yet on our focus and we understand this alpha release will not reflect final product on that area. It is however interesting to hear if you have a view on how the installation should be done.