Skip to content

The first beta release

Pre-release
Pre-release
Compare
Choose a tag to compare
@jalauros jalauros released this 13 Nov 08:44
· 308 commits to master since this release
v0.8.0b
7a664cd

Features

Dynamic Registration

Related specification: https://openid.net/specs/openid-connect-registration-1_0.html

  • List of verified & stored claims
    • scope
    • redirect_uris
    • application_type
    • contacts
    • response_types
    • grant_types (implicit, authorization_code, refresh_token)
    • subject_type
    • jwks and jwks_uri
    • token_endpoint_auth_method
    • logo_uri
    • policy_uri
    • tos_uri
    • userinfo_signed_response_alg
    • client_secret generation & storage in plaintext
  • Only “open registration” currently supported (the RPs are not authenticated in any way)
    • Use “shibboleth.UnverifiedRelyingParty" -bean in relying-party.xml

OP Discovery

Related specification: https://openid.net/specs/openid-connect-discovery-1_0.html

Flow flows/oidc/webfinger contains simplified WebFinger implementation that always responds with the requested resource without any kind of verification.

Flow flows/oidc/discovery contains building blocks to dynamically build desired set of the openid-configuration claims. The default configuration uses the contents of a static file.

Token Revocation

New endpoint. See https://tools.ietf.org/html/rfc7009.

Authorization, Token and UserInfo endpoints

Related specification: http://openid.net/specs/openid-connect-core-1_0.html

  • response types supported

    • code
    • id_token
    • token id_token
    • code id_token
    • code token
    • code token id_token

  • subject types supported

    • public
    • pairwise

  • response_modes_supported

    • query
    • fragment
    • form_post

  • grant types supported

    • authorization_code
    • implicit
    • refresh_token

  • claims parameter supported

  • request parameter supported

  • id token encryption alg values supported (*)

    • RSA1_5

  • id_token encryption enc values supported (*)

    • A128CBC-HS256

  • id token signing alg values supported

    • RS256
    • RS384
    • RS512
    • HS256
    • HS384
    • HS512
    • ES256
    • ES384(**)
    • ES512(**)

  • userinfo encryption alg values supported (*)

    • RSA1_5

  • userinfo encryption enc values supported (*)

    • A128CBC-HS256

  • userinfo signing alg values supported

    • RS256
    • RS384
    • RS512
    • HS256
    • HS384
    • HS512
    • ES256
    • ES384(**)
    • ES512(**)

  • request object signing alg values supported

    • none
    • RS256
    • RS384
    • RS512
    • HS256
    • HS384
    • HS512
    • ES256
    • ES384
    • ES512

  • token endpoint auth methods supported

    • client_secret_basic
    • client_secret_post
    • client_secret_jwt
    • private_key_jwt

Known shortcomings:.

  • Not signing id token is not supported (i.e. algorithm NONE).
  • Request object encryption is not supported. Will be added before first production release.
  • Aggregated claims are not supported.
  • Distributed claims are not supported.
  • (*) The list of supported key transport and encryption algorithms is short and will be improved for first production release
  • (**) Not supported by default installation. Beta release has limitation of supporting only one ES family of signing algorithm per security configuration.

Installation

The recommended way to test beta release is to install it on top of existing Shibboleth IdP 3.4+ installation. The installation process is decribed in https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/Installing-v0.8.0b-release-from-archive. You may still use the Ansible scripts to deploy a Vagrant VM.

Feedback

We are following shibboleth developers list. Please use that for support requests. When you encounter a bug or have a request for feature you may enter it to GitHub project as an issue.

Assets 4
Loading